CacheGuard-OS
User's Guide - Version UF-2.2.1

Web Authentication

The Web authentication can be used in conjunction with the web and rweb modes to restrict the Web browsing and/or the access to reverse websites to authenticated users only. By activating the Web authentication mode, explicit users of the Web proxy in forwarding/browsing mode (web mode) and/or external users of reverse websites in reverse mode (rweb mode) are requested to authenticate before being allowed to connect to CacheGuard appliance. CacheGuard appliance suppots LDAP and Kerberos authentication modes that you can configure using the authenticate command.

LDAP Authentication

In LDAP authentication mode, the first time a Web user tries to access a Web page, she/he is asked to submit her/his credentials via a popup window opened by the Web browser. With this authentication method, called basic authentication, CacheGuard appliance submits in turn the collected credentials to an LDAP server. In case where submitted credentials are validated by the LDAP server, CacheGurd allows the Web user to connect. Otherwise her/his access request is rejected. You can activate the web authentication by using the mode authenticate on command.

To configure the LDP authentication, you must specify at least one LDAP server and the LDAP request that should be sent to it to authenticate users. In addition, as most of the time LDAP servers require LDAP clients to be bind before being able to request them, you must configure the LDAP binding in your authentication configuration. As an example, the commands used below configure the LDAP authentication to send the 'ou=people,dc=example,dc=com' 'uid' 'userPassword' 'objectClass=inetOrgPerson' request to the LDAP server having the ldap.example.com 10.0.10.201 name and IP address. As in this example, the used LDAP server is protected by a binding process, the LDP binding is activated by specifying the 'cn=admin,dc=example,dc=com' bind DN (Distinguish Name).

• mode authenticate on
• authenticate web on
• authenticate mode ldap on
• authenticate ldap request 'ou=people,dc=example,dc=com' 'uid' 'userPassword' 'objectClass=inetOrgPerson'
• authenticate ldap server add ldaps ldap.example.com 10.0.10.201
• authenticate ldap binddn 'cn=admin,dc=example,dc=com' on
• apply

LDAP Request Note: in the example above, the given LDAP request specifies that users to retrieve should be registered under the ou=people,dc=example,dc=com LDAP object and the login name and password (provided by the Web user during the basic authentication) should be compared against values in respectively the uid userPassword LDAP attributes. Finally users to look for should belong to the inetOrgPerson LDAP object class.

Please note that if an empty value ('') is specified as the password LDAP attribute, an LDAP binding is performed during the basic authentication phase instead of a comparison of the entered password against the value stored in the password LDAP attribute (this is the preferred method used by Microsoft AD™. If your LDAP server is a Microsoft AD™, you can use the following commands to configure the LDAP authentication:

• mode authenticate on
• authenticate mode ldap on
• authenticate ldap request 'dc=example,dc=com' 'sAMAccountName'
• authenticate ldap server add ldap ldap.example.com 10.0.10.201
• authenticate ldap binddn 'cn=webgateway,cn=users,dc=example,dc=com' on
• apply

where cn=webgateway,cn=users,dc=example,dc=com is the user that would be specifically used for the LDAP binding. Make sure that cn=webgateway,cn=users,dc=example,dc=com user exists in your AD™ is not disabled and its associated password never expires.

Kerberos Authentication

In Kerberos authentication mode, credentials used by users to login to their workstations are learned by CacheGuard appliance during a negotiation phase and then are used to authenticate Web users. Kerberos based authentication is a complex process that goes beyond this documentation and we will limit ourselves to explain how to configure CacheGuard appliance to use Microsoft AD™ (as a Kerberos server).

You can use the following commands to configure the Kerberos authentication on a CacheGuard appliance coupled with an AD™ server having the dc.example.com name on the network:

• mode authenticate on
• authenticate mode ldap off
• authenticate mode kerberos on
• authenticate kerberos web proxy
• authenticate ad rdn 'cn=computers'
• domainname example.com
• authenticate kerberos server add dc.example.com
• authenticate kerberos encrypt aes
• apply

Web Proxy Specifications: in the example above, the authenticate ad rdn 'cn=computers' command set the rdn (relative DN (Distinguish Name)) of the object representing the proxy.example.com Web proxy in the AD™ directory tree and the authenticate kerberos web proxy command set the Web proxy hostname to proxy. The Web proxy full name on the network would then be proxy.example.com while cn=proxy,cn=computers,dc=example,dc=com would represent its full DN in AD™.

It is IMPORTANT to note that the first time the Kerberos authentication mode is activated (after the apply operation termination), it should be initialised in CacheGuard appliance. Note that during the initialisation process, if the the LDAP object representing the Web proxy in AD™ does not yet exist, an LDAP object representing that Web proxy is created in AD™. The initialisation process allows CacheGuard appliance to obtain a Kerberos ticket. To initialise the Kerberos authentication you can use the authenticate kerberos create administrator command. This command requires to interactively enter the password associated to the used administrator account. It's good to know that the entered password is not permanently saved and is removed after having obtained a Kerberos ticket. Please note that the used AD™ account should have administrator permissions (the administrator user for instance). The Kerberos initialisation is an asynchronous operation that is executed in background. The authenticate kerberos report allows you to display a report on the Kerberos initialisation operation.