
Dynamically Manage Access Authority Via Radius Dynamic Authorization

This example introduces how to dynamically manage access authority via radius dynamic authorization.

Scenario

As shown in the topology, an enterprise can configure Radius server authentication and enable the authorization policy to dynamically manage the access authority of visitors. When a visitor logs in to the SSLVPN, the Radius server issues an authorization policy to the firewall that allows the visitor to access the network segment 10.160.64.0/21. After the visitor has logged in, the administrator can use CoA messages to modify the issued authorization policy, adding a new network segment 10.160.32.0/21 that the visitor is allowed to access. When the visitor logs out, the firewall automatically deletes the corresponding authorization policy.

Configuration Steps

Step 1: Configure the Interface to Link Radius Server.
Select Network>Interface, and double click ethernet0/0.
  • Binding zone: Layer 3 zone
  • Zone: trust
  • Type: Static IP
  • IP Address: 10.87.1.8
  • Netmask: 255.255.255.0
Step 2: Create New Aggregate Policy.

Select Policy>Security Policy>Policy, and click New>Aggregate Policy.

  • Name: Visitor
Step 3: Configure Radius Server, and Enable Authorization Policy and Accounting.

1. Select Object>AAA Server, and click New>Radius Server.

  • Name: Visitor
  • Server Address: 10.87.1.9
  • Virtual Router: trust-vr
  • Port: 1812
  • Secret: 12345678

2. Click the Enable button of Authorization, and select Visitor from the drop-down menu.

3. Click the Enable button of Accounting.

  • Server Address: 10.87.1.9
  • Virtual Router: trust-vr
  • Port: 1813
  • Password: 12345678

4. Create a new user account.

The customer needs to create a new user account on the Radius server.

  • Username: user1
  • Password: 123456
  • Authorized network segment: 10.160.64.0/21
Step 4: Enable Radius Dynamic Authorization.

Click Object>Radius Dynamic Authorization, and click the Enable button of Radius Dynamic Authorization.

  • Port: 3799
  • Server IP: 10.87.1.9
  • Destination IP: 10.87.1.8
  • Shared Key: 12345678
Step 5: Configure SSLVPN on StoneOS.

1. Configure SSLVPN address pool.

Select Network>SSL VPN, click Configuration>Address Pool, and click New.

  • Address Pool: pool1
  • Start IP: 20.1.1.2
  • End IP: 20.1.1.200
  • Netmask: 255.255.255.0
  • DNS1: 10.160.64.60
  • WINS1: 10.160.64.61

2. Create new zone.

Select Network>Zone, and click New.

  • Zone: VPN
  • Type: Layer 3 Zone
  • Virtual Router: trust-vr
3. Create new tunnel interface.

Select Network>Interface, and click New>Tunnel Interface.

  • Interface Name: tunnel 1
  • Binding Zone: Layer 3 Zone
  • Zone: VPN
  • Type: Static IP
  • IP Address: 20.1.1.1
  • Netmask: 24

4. Configure SSLVPN.

Select Network>SSL VPN, and click New.

In the Name/Access User tab, configure as below.

  • SSL VPN Name: Visitor
  • AAA Server: Visitor

In the Interface tab, configure as below.

  • Egress Interface 1: ethernet0/5
  • Service Port: 443
  • Tunnel Interface: tunnel1
  • Address Pool: pool1

In the Tunnel Route tab, configure as below.

  • IP: 10.160.64.0
  • Netmask: 255.255.248.0

Step 6: Results.

1. User1 can access 10.160.64.52.

  • Server: 10.160.64.51
  • Port: 4433
  • Username: user1
  • Password: 123456
2. The corresponding policy is created on the firewall.
Step 7: Use CoA message to modify the access authority of the authorized user.

1. Use a CoA message sent from the CLI to modify the network segment that the authorized user is allowed to access. (If the client uses a customized Radius server, the change can be made directly on the Radius server instead of through CLI commands.)

  • Create a new text file named coa-auth.txt with the content below (radclient expects each attribute as `Attribute = value`, so the attribute names and values are separated by `=`, and string values are enclosed in straight double quotes):
    User-Name=user1
    Framed-IP-Address=20.1.1.3
    NAS-IP-Address=10.87.1.8
    Acct-Session-Id="1"
    Hillstone-User-Data-Filter="rule 1 permit dst 10.160.64.0/21"
    Hillstone-User-Data-Filter="rule2 permit dst 10.160.32.0/21"
    Calling-Station-Id="00-1c-54-ff-08-05"
  • Use the CLI command below to send the instruction (taking freeradius as an example); 3799 is the port and 12345678 the shared key configured in Step 4:
    root@hillstone-HVM-domU:/etc/freeradius# radclient 10.87.1.8:3799 coa 12345678 -f coa-auth.txt -x
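The following is an added example, not StoneOS or freeradius code, that shows what radclient puts on the wire in the step above: it builds the RADIUS CoA-Request (RFC 5176, code 43) from the standard attributes of coa-auth.txt and shows the Request Authenticator check that the receiving firewall at 10.87.1.8:3799 applies with the shared key. The Hillstone-User-Data-Filter vendor attribute is left out because the vendor dictionary needed to encode it is not given on this page (assumption); the sample attribute values are constructed from Step 7.

```python
import hashlib
import hmac
import socket
import struct

COA_REQUEST = 43  # RADIUS packet code for CoA-Request (RFC 5176)

# Standard RADIUS attribute types used in coa-auth.txt (RFC 2865 / RFC 2866)
ATTR_TYPES = {"User-Name": 1, "NAS-IP-Address": 4, "Framed-IP-Address": 8,
              "Calling-Station-Id": 31, "Acct-Session-Id": 44}
IPADDR_ATTRS = {4, 8}  # these carry a 4-byte IPv4 address, not a string


def encode_attribute(name: str, value: str) -> bytes:
    """Encode one attribute as a Type(1) Length(1) Value TLV."""
    attr_type = ATTR_TYPES[name]
    data = socket.inet_aton(value) if attr_type in IPADDR_ATTRS else value.encode()
    return struct.pack("!BB", attr_type, 2 + len(data)) + data


def build_coa_request(identifier: int, attrs: dict, secret: bytes) -> bytes:
    """Sender side (radclient): Request Authenticator = MD5(Code+ID+Length
    + 16 zero bytes + attributes + shared secret), as RFC 5176 requires."""
    body = b"".join(encode_attribute(n, v) for n, v in attrs.items())
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def verify_coa_request(packet: bytes, secret: bytes) -> bool:
    """Receiver side (the firewall): recompute the authenticator with the
    configured Shared Key. A request built with a different key, or a
    truncated one, fails this check and must be silently discarded."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


# Constructed sample: the standard attributes of coa-auth.txt from Step 7
SAMPLE_ATTRS = {"User-Name": "user1", "Framed-IP-Address": "20.1.1.3",
                "NAS-IP-Address": "10.87.1.8", "Acct-Session-Id": "1",
                "Calling-Station-Id": "00-1c-54-ff-08-05"}
SHARED_KEY = b"12345678"  # the Shared Key configured in Step 4

if __name__ == "__main__":
    pkt = build_coa_request(7, SAMPLE_ATTRS, SHARED_KEY)
    print(len(pkt), verify_coa_request(pkt, SHARED_KEY), verify_coa_request(pkt, b"wrong"))
```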

2. The policies are updated on the firewall.
Step 8: User1 Logs Out of SSLVPN.

User1 logs out of the SSLVPN, and the corresponding policies are deleted from the firewall.