
Allowing Internet Access via User Authentication

This example shows how to use Web authentication (WebAuth). An AAA server is required in this example to confirm the identity of a user.

The topology illustrates the scenario. Only user 1 passes authentication and can then access the Internet; other users fail authentication and are not allowed to access the Internet.

Step 1: Configuring the user and address book

Select Object > User > Local User. Under Local Server, click New > User.

  • Name: user1
  • Password: 123456
  • Confirm Password: 123456

Select Object > Address Book > New.

  • Name: addr

  • Member: Select IP/Netmask, enter 192.168.1.2, 32, and click Add

Step 2: Configuring the interface and zone  

Select Network > Interface, and double-click ethernet0/0.

  • Binding Zone: Layer 3 Zone

  • Zone: trust

  • Type: Static IP

  • IP Address: 192.168.1.1

  • Netmask: 24

Select Network > Interface, and double-click ethernet0/1.

  • Binding Zone: Layer 3 Zone

  • Zone: untrust

  • Type: Static IP

  • IP Address: 221.224.30.130

  • Netmask: 20

Step 3: Configuring Web Authentication

Select Network > WebAuth > WebAuth, and select the Enable check box.

  • Basic Configuration:
    • HTTP Port: 8181
  • Authentication Mode: Password

After the above configurations, continue to create policy rules in Security Policy to make WebAuth effective. Click Policy Template for reference.

Step 4: Configuring Security Policy

Click the "Security Policy" quick link at the bottom of the Web authentication page or select Policy > Security Policy, and click New.

  • Name: DNS
  • Source
    • Zone: Any
    • Address: Any
  • Destination
    • Zone: Any
    • Address: Any
    • Service: DNS
    • Action: Permit

 

Click New, and create the “Web-auth” policy.

  • Name: Web-auth
  • Source
    • Zone: Any
    • Address: addr
  • Destination
    • Zone: Any
    • Address: Any
    • Action: Secured connection
    • WebAuth: local

Click New, and create the “user” policy. Specify the source user who is allowed to access the Internet.

  • Name: user
  • Source
    • Zone: Any
    • Address: Any
    • User: user1
  • Destination
    • Zone: Any
    • Address: Any
    • Action: Permit

Step 5: Triggering WebAuth through HTTP requests

After the above configurations, when HTTP requests are sent from 192.168.1.2/32, user1 is prompted to authenticate by entering the username and password (user1/123456) before accessing the Internet.
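
The following added example (not part of the original cookbook and not the device's own code) models how the three Step 4 rules combine to produce the Step 5 behaviour, so the expected outcome of each test flow can be compared with what the device actually does. The evaluation semantics are assumptions: rules are checked top-down with first match winning, the Web-auth rule only intercepts flows that have no authenticated user, and unmatched traffic is denied. The function and field names are hypothetical.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = None  # wildcard value for a rule field

@dataclass
class Rule:
    name: str
    action: str                    # "permit" or "webauth"
    src: Optional[str] = ANY       # CIDR taken from the address book entry
    user: Optional[str] = ANY      # authenticated user the rule requires
    service: Optional[str] = ANY

# The three rules from Step 4, in the order they are created.
RULES = [
    Rule("DNS", "permit", service="DNS"),
    Rule("Web-auth", "webauth", src="192.168.1.2/32"),  # address book "addr"
    Rule("user", "permit", user="user1"),
]

def evaluate(src_ip, service, auth_user=None, rules=RULES):
    """Return (matched rule, decision) for one flow.

    Assumed semantics (not stated on the page): first match wins, WebAuth
    skips flows that already have an authenticated user, default is deny.
    """
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        if r.service is not ANY and r.service != service:
            continue
        if r.src is not ANY and ip not in ipaddress.ip_network(r.src):
            continue
        if r.user is not ANY and r.user != auth_user:
            continue
        if r.action == "webauth":
            if auth_user is not None:
                continue           # already authenticated: fall through
            return r.name, "prompt"
        return r.name, "permit"
    return "default", "deny"

if __name__ == "__main__":
    flows = [                      # constructed sample flows
        ("192.168.1.2", "DNS", None),
        ("192.168.1.2", "HTTP", None),
        ("192.168.1.2", "HTTP", "user1"),
        ("192.168.1.3", "HTTP", None),
    ]
    for flow in flows:
        print(flow, "->", evaluate(*flow))
```

In this model the DNS rule is the only one that permits traffic before authentication, and it does so for every source; without it, DNS queries from 192.168.1.2 would be matched by the Web-auth rule instead of being permitted.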

Step 6: Triggering WebAuth through HTTPS requests

Export the certificate from the device.

Select System > PKI > Trust Domain Certificate.

  • Trust Domain: trust_domain_ssl_proxy
  • Content: CA Certificate
  • Action: Export

Click OK to export the certificate.

Import the certificate into the client's Web browser.

  1. In the Chrome Web browser, select Settings > Show advanced settings.
  2. In the HTTPS/SSL section, select Manage certificates.
  3. In the Trusted Root Certification Authorities tab, select Import.
  4. Follow the wizard to import the certificate.

After the above configurations are finished, when HTTPS requests are sent from 192.168.1.2/32, user1 is prompted to authenticate by entering the username and password (user1/123456) before accessing the Internet.

Note: Triggering WebAuth through HTTPS requests depends on the SSL proxy feature. If the device does not support SSL proxy, triggering WebAuth through HTTPS requests will not work, and you can trigger WebAuth through HTTP requests instead.