This article describes how to configure the Captive Portal on Sophos Firewall so that users in the LAN must authenticate with an account synchronized from Active Directory before they can access the internet.
1. What is the article’s purpose?
In this article, techbast shows how to set up Captive Portal, a Sophos Firewall feature that requires users in the internal network to authenticate with an account synchronized from AD before they are allowed to access the internet.
2. Diagram
Details:
The internet connection will be made through the Sophos Firewall device’s Port 2 with the IP address 192.168.2.103.
The LAN subnet is set with DHCP and is configured at Port 1 of the device with IP 10.145.41.1/24.
There is also an AD Server with the IP 10.145.41.10/24 in the LAN subnet; on this server, an IT OU has been created; inside the IT OU, there is a Support group; within the Support group, there are users named user1, user2, and user3.
Laptop 1 is connected to the LAN and is assigned IP 10.145.41.50/24 via DHCP.
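The directory objects described above (the IT OU, the Support group and user1 to user3) can be created from PowerShell on the domain controller. The script below is an added example written for this article, not part of techbast's original post. It assumes the domain is learningit.xyz (matching the base DN used later in the AD sync) and places the three users directly inside the IT OU, which the text does not specify.

```powershell
# Added example: builds the AD objects from the diagram (IT OU, Support group, user1..user3).
# Run in an elevated PowerShell on the domain controller (ActiveDirectory module installed).
# Assumption: the domain is learningit.xyz and the users are created inside the IT OU.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName          # expected: DC=learningit,DC=xyz
$ouDN     = "OU=IT,$domainDN"
$groupDN  = "CN=Support,$ouDN"

# 1. IT organizational unit (-Filter rather than -Identity, so a missing object returns $null instead of throwing)
if (-not (Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$ouDN'")) {
    New-ADOrganizationalUnit -Name 'IT' -Path $domainDN -ProtectedFromAccidentalDeletion $true
}

# 2. Support security group inside the IT OU
if (-not (Get-ADGroup -Filter "Name -eq 'Support'" -SearchBase $ouDN)) {
    New-ADGroup -Name 'Support' -SamAccountName 'Support' -GroupScope Global -GroupCategory Security -Path $ouDN
}

# 3. user1..user3, enabled, with the mail attribute populated because the firewall
#    is later configured to read e-mail addresses from the "mail" attribute
$password = Read-Host -AsSecureString -Prompt 'Initial password for user1..user3'
$users = 1..3 | ForEach-Object { "user$_" }
foreach ($sam in $users) {
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$sam'")) {
        New-ADUser -Name $sam -SamAccountName $sam `
            -UserPrincipalName "$sam@$($domain.DNSRoot)" `
            -EmailAddress "$sam@$($domain.DNSRoot)" `
            -Path $ouDN -AccountPassword $password -Enabled $true
    }
}

# 4. Group membership (Add-ADGroupMember errors on an existing member, so add only the missing ones)
$current = @(Get-ADGroupMember -Identity $groupDN | Select-Object -ExpandProperty SamAccountName)
$missing = $users | Where-Object { $_ -notin $current }
if ($missing) { Add-ADGroupMember -Identity $groupDN -Members $missing }

# 5. What the firewall's group import (section 5.2) and user authentication will see
Get-ADGroupMember -Identity $groupDN | Select-Object Name, SamAccountName, DistinguishedName
```

The final listing should show user1, user2 and user3 under CN=Support,OU=IT,DC=learningit,DC=xyz; those are the distinguished names the import wizard resolves in section 5.2.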
3. Scenario
Techbast will configure the Sophos Firewall’s Captive Portal so that, when devices in the LAN access the internet, they must first authenticate with an account synchronized from the AD Server.
4. How should I proceed?
- AD Sync
- Import user and group information
- Make a policy
- Result
5. Configuring
5.1. AD Sync
The first step is to sync Active Directory with Sophos Firewall.
To synchronize, go to CONFIGURE > Authentication > Servers and click Add.
Configure the parameters as follows:
- Server type: Active Directory
- Server name: LearningIT
- Domain name/IP address: 10.145.41.11
- Connection security: Plaintext
- Port: 389
- NetBIOS domain: LEARNINGIT
- ADS username: Administrator
- Password: the administrator account’s password
- Display name attribute: leave empty
- Email address attribute: mail
- Domain name: learningit.xyz
- Search queries: click Add, enter dc=learningit,dc=xyz, then click OK.
- Click Test connection to verify that the firewall can bind to the AD server.
- Click Save.
Two caveats on these settings. Plaintext on port 389 sends the bind account’s password, and later every user’s Captive Portal password, across the LAN in clear; the firewall also offers SSL/TLS (port 636) and STARTTLS, which should be used anywhere other than a lab. The bind account only needs to read users and groups from the directory, so a dedicated low-privilege account is preferable to Administrator.
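The values typed into the form can be read straight from the domain controller before clicking Test connection. The script below is an added example for this article, not from techbast's original post: it prints the domain name, NetBIOS name and base DN the form expects, checks that ports 389 and 636 are listening, confirms the Support group is visible under the base DN, and creates a dedicated read-only bind account as an alternative to Administrator. The account name svc-sophos-ldap is an assumption.

```powershell
# Added example: server-side checks for the Sophos AD server form, run on the domain controller.
# Assumption: the bind account name svc-sophos-ldap is chosen here; the article uses Administrator.
Import-Module ActiveDirectory

$domain = Get-ADDomain
[pscustomobject]@{
    DomainName    = $domain.DNSRoot            # form field "Domain name"     -> learningit.xyz
    NetBIOSDomain = $domain.NetBIOSName        # form field "NetBIOS domain"  -> LEARNINGIT
    SearchQuery   = $domain.DistinguishedName  # form field "Search queries"  -> DC=learningit,DC=xyz
} | Format-List

# 389 is what the article uses (Plaintext). 636 must also answer if Connection security is
# switched to SSL/TLS, which in turn requires a server-authentication certificate on the DC.
foreach ($port in 389, 636) {
    $r = Test-NetConnection -ComputerName $env:COMPUTERNAME -Port $port -WarningAction SilentlyContinue
    'TCP {0}: {1}' -f $port, $r.TcpTestSucceeded
}

# The group the import wizard (section 5.2) should list under dc=learningit,dc=xyz
Get-ADGroup -Filter "Name -eq 'Support'" -SearchBase "OU=IT,$($domain.DistinguishedName)" |
    Select-Object Name, DistinguishedName

# Least-privilege bind account: an ordinary domain user can already read users and groups,
# which is all the firewall's sync and group import need. Each user's own password is
# checked against AD with that user's credentials, so this account needs no extra rights.
$svc = 'svc-sophos-ldap'
if (-not (Get-ADUser -Filter "SamAccountName -eq '$svc'")) {
    New-ADUser -Name $svc -SamAccountName $svc `
        -UserPrincipalName "$svc@$($domain.DNSRoot)" `
        -Description 'Read-only LDAP bind account for Sophos Firewall AD sync' `
        -AccountPassword (Read-Host -AsSecureString -Prompt "Password for $svc") `
        -Enabled $true
}
# Enter svc-sophos-ldap as the ADS username on the firewall in place of Administrator;
# if the password is rotated in AD, update it on the firewall at the same time or the sync stops.
```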
5.2. Import the Organizational Unit and Group
After a successful AD sync, we must import the OU and group from AD.
To perform the import, click the icon indicated in the image.
When the Import group wizard’s Help window is displayed, click Start.
In Step 1: Provide a base DN for the group, select dc=learningit,dc=xyz from the drop-down list.
Step 2: Select AD groups to import lists the current OUs and groups in AD; here techbast selects the Support group in the IT OU, as shown.
Press the “>” button to continue.
Press the “>” button and OK to continue.
To close the window, click Close.
After importing, go to CONFIGURE > Authentication > Groups to check that the group has been imported.
The Support group is now listed.
Next, for the firewall to authenticate users against AD, go to CONFIGURE > Authentication > Services.
In the Firewall authentication methods section, only Local is selected, so authentication is currently done against local accounts on the firewall only.
Check LearningIT, the server we just synced, and on the right-hand side drag LearningIT above Local so that AD is queried first.
Click Apply to save.
5.3. Create a policy
The next step is to enable Captive Portal in the firewall rule that permits the LAN to access the internet.
If we don’t already have such a rule, we can create one by following the steps in the image below; if we already have one, we only need to configure the part marked in red.
Enable Match known users and Use web authentication for unknown users, so that anyone not yet identified is redirected to the Captive Portal.
In the Users or groups section, select the Support group we just imported.
5.4. Result
To check the result, techbast opens a browser on Laptop 1 and goes to google.com.
The Captive Portal login page is displayed, prompting for an account and password.
Techbast signs in with user1, one of the accounts synchronized from AD.
The message “Successful Login” appears.
We can now use the internet.
Note that this login tab must stay open: closing it ends the Captive Portal session and we will have to authenticate again.
Open a new tab and access Google again; the page now loads normally.