How to set up and troubleshoot Web Gateway eDirectory authentication
Technical Articles ID:   KB69994
Last Modified:  7/31/2019

Environment

McAfee Web Gateway (MWG)

Summary

This article addresses the following topics to help you set up eDirectory authentication with McAfee Web Gateway:
  • Background – Information about how Web Gateway interacts with eDirectory
  • Configuration – Instructions to configure eDirectory authentication with Web Gateway
  • Common Issues – A list of common issues that can occur when you configure eDirectory authentication with Web Gateway
  • Troubleshooting – Tools to troubleshoot eDirectory authentication issues with Web Gateway

Solution

Background

Here is some background information to help you understand how Web Gateway interacts with eDirectory. When a user logs in to their workstation with the Novell client, the NetworkAddress attribute of that user object is populated on the eDirectory server. The NetworkAddress attribute holds the workstation's IP address, stored as a hex value. Web Gateway sends an LDAP request to the eDirectory server; the response contains the users that are currently logged on together with their NetworkAddress attribute. Web Gateway repeats this LDAP request frequently so that its list stays current when a new user logs on to a workstation, and stores the results in a cache for a configurable time. Once the cache holds all users and their network addresses, Web Gateway identifies the user behind a request by looking up the request's source IP address in that cache, and can then authenticate and authorize the request. Because identification is by source IP address only, every workstation must have its own address that eDirectory can see; clients behind a shared address (NAT, a terminal server) cannot be told apart this way. To determine the user's group memberships, Web Gateway performs another LDAP request for an attribute of the user or group.

Configuration
  1. Add the Authenticate and Authorize rule set from the Rule Set Library.
    1. Navigate to Policy, Rule Sets.
    2. Click Add and select Rule Set from Library….
    3. Select the Authenticate and Authorize rule set. You will be prompted to solve some conflicts after import. Click Auto-Solve Conflicts… and choose which option is sufficient, typically Solve by referring to existing objects.
    4. Click OK after the conflicts are solved.
    Now you should have a new set of rules added to your master Rule Set.
     
  2. Customize the Authenticate and Authorize rule set. Update the rules to use the eDirectory server instead of the internal User Database.
    1. Select the rule Authenticate with User Database (in the left pane) and click Edit. The Edit Rule dialog box displays.
    2. Move to the Rule Criteria step.
    3. Select the property Authentication.Authenticate<User Database> and click Edit. The Edit Criteria dialog box displays.
    4. Update the part for Settings: (For 'Authentication'). This setting controls what source the Web Gateway will use to check against. Click Add to create another Authentication Engine.
    5. Create the eDirectory Authentication Engine. The settings available for the Novell eDirectory Authentication Engine are listed below. Most can be left at their defaults; the descriptions say which ones need a value from your environment.

      Authentication Method: Novell eDirectory
      Proxy Realm: This setting controls what is displayed for Proxy-Authenticate: Basic realm="". Typically customers enter the fully qualified domain name (FQDN) of their appliance.
      Authentication attempt timeout: The default is five seconds.
      Use Authentication Cache: This setting MUST be selected.
      Authentication cache entry TTL: The default is 30 minutes, but if you are just testing, two minutes might be a good value to set it at temporarily.

      LDAP server(s) to connect to: Click Add and specify your LDAP server in the format ldap://IP-address:389. Note that with plain ldap:// the bind credentials below travel in cleartext between Web Gateway and the eDirectory server; for production use, prefer ldaps:// and configure the certificate authorities list below so the server certificate is verified.
      List of certificate authorities: This list applies only if you plan to use LDAPS (LDAP over TLS).
      Credentials: Type the bind DN in LDAP syntax, for example, cn=admin,ou=users,o=reno. A dedicated read-only account that can search users and groups is sufficient; the engine never needs to write to the directory.
      Password: Type the password of that account.
      International text support:  Retain the defaults; change it only if your environment requires it.
      Enable LDAP version 3: This setting is selected by default.
      Allow LDAP library to follow referrals: This setting is deselected by default.
      Connection live check: The default is five minutes.
      LDAP operation timeout: The default is five seconds.
      eDirectory network address attribute: The default is NetworkAddress.
      eDirectory login time attribute: The default is loginTime.
      eDirectory minimal update interval: The default is 15 seconds. This setting determines how often Web Gateway queries the eDirectory for the list of logged on users.

      Base distinguished name to user objects: Typically, McAfee recommends specifying the top of the tree (for example, o=reno). Adjust it if you require the scope of the search to be limited to part of the tree.
      Map user name to DN: This setting is selected by default.
      Filter expression to locate a user object: The default is '(&(ObjectClass=user)(loginTime>=%u))'.
      Get user attributes: This setting is selected by default, and must be selected to determine group membership information.
      User attributes to retrieve: The default is 'cn', although most implementations use 'groupMembership' so use that instead. See the section on determining your user's 'group' attribute.
      Attributes concatenation string: The default is none. Use this setting if you retrieve multiple attributes. A good separator is '|' (pipe). The attributes are stored in reverse order: if you retrieve 'ou' and 'groupMembership', listed at positions 1 and 2 respectively, the Authentication.Attributes value is [groupMembership]|[ou].

      Get groups attributes: This setting is deselected by default.
      Base distinguished name to group objects: Same recommendation as user objects if used.
      Filter expression to locate a group object: If using the group object, you probably don't need this setting.
      Group attribute to retrieve: 'member' is a good value to use, though the default is 'cn'.
      Attributes concatenation string: Same as above.
       
    6. Perform the Authentication Test. The test displays the attributes that the eDirectory server returns for the users it finds.
       
  3. Update the rule names to reflect what they accomplish. This keeps your configuration from becoming confusing. For example, you could rename the rule Authenticate with User Database to Authenticate with eDirectory.
     
  4. Modify the blockpage to include group information (attributes). During the testing phase, it is convenient to determine the user’s group membership quickly.
    1. Navigate to Policy, Settings.
    2. Select Authorized Only for Template Name and click Edit.
    3. Add the Authentication.Attributes property after the User name: line:
      <b>Attributes: </b>$Authentication.Attributes$<br />
    4. Save.
    Now the blockpage will include the group information, for example, Attributes: Dealers, admingroup.

Common Issues
  • Time difference: Make sure that there is not a large time difference between Web Gateway and the eDirectory server; point both at the same NTP source. A large time difference makes the incremental LDAP requests useless: Web Gateway asks for users who logged in since the time of its previous query, stamped with its own clock, so if the Web Gateway clock is ahead it requests all users logged in after a time that has not yet arrived on the eDirectory server, and new logins go unnoticed until the cache expires and a full request is sent again. Here is an example conversation between Web Gateway and the eDirectory server. The bracketed timestamps are the eDirectory server's clock; the Web Gateway clock is 60 seconds ahead:

    Web Gateway [Sat, 01 Aug 2020 16:00:10]: Hey eDirectory, who has logged in since Thu, 01 Jan 1970 00:00:00? Also, what is their NetworkAddress?
    eDirectory: Well, cn=admin has, his NetworkAddress is 10.10.69.7.
    Web Gateway [Sat, 01 Aug 2020 16:00:25]: Hey eDirectory, who has logged in since Sat, 01 Aug 2020 16:01:10? Also, what is their NetworkAddress?
    eDirectory: No one. That’s in the future…
    …[after the cache has expired, it will request all users again]…
    Web Gateway [Sat, 01 Aug 2020 16:30:10]: Hey eDirectory, who has logged in since Thu, 01 Jan 1970 00:00:00? Also, what is their NetworkAddress?
     
  • NetworkAddress not populated, causing the 'Authentication Required' block message: If the NetworkAddress attribute is not populated for a user (for example, because the user did not log in through the Novell client), Web Gateway has no IP address to match the request against and therefore no way to determine who the user is, hence the message.
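
The poll-and-cache behaviour from the Background section and the two issues above can be replayed offline. The following Python script is an added example, not Web Gateway or eDirectory code: the LDAP server is replaced by an in-memory dictionary of constructed users, times and addresses, the filter, attribute names and GeneralizedTime format are the ones this article shows, and the assumption that the NetworkAddress hex value is the four raw IPv4 bytes is the example's own. It runs the conversation above once with synchronized clocks and once with the Web Gateway clock 60 seconds ahead, and shows the user without a NetworkAddress never resolving.

```python
"""Simulation of the Web Gateway logged-on-user poll against eDirectory.

Added example, not Web Gateway or eDirectory code. The LDAP server is replaced
by an in-memory dict so this runs offline. The filter, attribute names and
GeneralizedTime format are those the article shows; the assumption that the
NetworkAddress hex value is the four raw IPv4 bytes is mine, as are the
constructed users, times and addresses below.
"""
from datetime import datetime, timedelta, timezone
from ipaddress import IPv4Address

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def generalized_time(dt):
    """LDAP GeneralizedTime as substituted for %u, e.g. 20200801160010Z."""
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


def parse_generalized_time(text):
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def login_filter(since):
    """The article's filter with %u filled in."""
    return "(&(ObjectClass=user)(loginTime>=%s))" % generalized_time(since)


def decode_network_address(hex_value):
    """'0A 0A 45 07' -> '10.10.69.7' (assumed layout: four raw IPv4 bytes)."""
    raw = bytes.fromhex(hex_value.replace(" ", ""))
    if len(raw) != 4:
        raise ValueError("unexpected NetworkAddress length: %d" % len(raw))
    return str(IPv4Address(raw))


# Constructed eDirectory content. sgoers has logged in but the Novell client
# never populated NetworkAddress, the case the article's packet capture shows.
DIRECTORY = {
    "cn=Admin,o=reno":  {"loginTime": "20200801155900Z", "NetworkAddress": "0A0A4507"},
    "cn=sgoers,o=reno": {"loginTime": "20200801155930Z", "NetworkAddress": None},
    "cn=jdoe,o=reno":   {"loginTime": "20200801160020Z", "NetworkAddress": "0A0A4508"},
}


def edir_search(since, server_now):
    """Stand-in for the LDAP search (loginTime>=since), judged by the server's clock."""
    hits = {}
    for dn, attrs in DIRECTORY.items():
        login = parse_generalized_time(attrs["loginTime"])
        if since <= login <= server_now:   # a login in the server's future has not happened yet
            hits[dn] = attrs
    return hits


class GatewayCache:
    """IP -> DN cache, rebuilt from epoch every `ttl` and topped up on every poll."""

    def __init__(self, clock_skew, ttl=timedelta(minutes=30)):
        self.skew = clock_skew          # gateway clock minus eDirectory clock
        self.ttl = ttl
        self.ip_to_dn = {}
        self.built_at = None            # server time of the last full fetch
        self.last_query = None          # gateway-clock time of the last poll

    def poll(self, server_now):
        """One poll at eDirectory time `server_now`; returns the filter that was sent."""
        if self.built_at is None or server_now - self.built_at >= self.ttl:
            since, self.built_at, self.ip_to_dn = EPOCH, server_now, {}   # full fetch
        else:
            since = self.last_query                                        # incremental fetch
        self.last_query = server_now + self.skew   # stamped with the gateway's own clock
        for dn, attrs in edir_search(since, server_now).items():
            if attrs["NetworkAddress"]:
                self.ip_to_dn[decode_network_address(attrs["NetworkAddress"])] = dn
        return login_filter(since)

    def authenticate(self, client_ip):
        """None means the request is blocked with 'Authentication Required'."""
        return self.ip_to_dn.get(client_ip)


def run_scenario(skew_seconds):
    """Replay the article's conversation with the gateway clock `skew_seconds` ahead."""
    gw = GatewayCache(clock_skew=timedelta(seconds=skew_seconds))
    t0 = datetime(2020, 8, 1, 16, 0, 10, tzinfo=timezone.utc)
    filters = [gw.poll(t0)]                                # full fetch since epoch
    filters.append(gw.poll(t0 + timedelta(seconds=15)))    # incremental; jdoe logged in at 16:00:20
    jdoe_after_incremental = gw.authenticate("10.10.69.8")
    filters.append(gw.poll(t0 + timedelta(minutes=30)))    # TTL expired: full fetch again
    return {
        "filters": filters,
        "admin": gw.authenticate("10.10.69.7"),
        "sgoers_workstation": gw.authenticate("10.10.69.9"),  # no NetworkAddress: blocked
        "jdoe_after_incremental": jdoe_after_incremental,
        "jdoe_after_rebuild": gw.authenticate("10.10.69.8"),
    }


if __name__ == "__main__":
    for skew in (0, 60):
        print("skew %+ds:" % skew, run_scenario(skew))
```

With synchronized clocks the second (incremental) poll picks up jdoe immediately; with the gateway 60 seconds ahead the second filter asks for loginTime>=20200801160110Z, nothing matches, and jdoe is only found after the 30-minute rebuild from epoch. In both runs sgoers's workstation never resolves, which is the 'Authentication Required' case from the second bullet.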

Troubleshooting
  • eDirectory management tool: The screenshots that accompany this article are taken from Novell’s iManager management interface and show the NetworkAddress and loginTime values of a user object. When troubleshooting any problem with eDirectory authentication, always verify first whether these values are populated. If they are not, it is an eDirectory issue, not a Web Gateway issue.

    [iManager screenshots not reproduced]

  • LDAP browser: The screenshot for this step shows LDAP browser output highlighting the groupMembership and NetworkAddress attributes for the user cn=Admin.

    [LDAP browser screenshot not reproduced]

  • Packet tracing (tcpdump or Wireshark): The first capture shows the request Web Gateway sends for all users currently logged in since epoch time. The filter it applies is (&(ObjectClass=user)(loginTime>=%u)), where %u is the time at which Web Gateway last queried the LDAP server for who has logged on. It also requests two attributes, NetworkAddress and loginTime.

    [request capture not reproduced]

    The second capture shows the response to that request. There are two results (cn=sgoers and cn=Admin), only one of which returns a NetworkAddress attribute (the 'Admin' user).

    [response capture not reproduced]

  • (Optional) Retrieving multiple attributes and use of concatenation: The final screenshot shows how multiple attributes are retrieved and used. In the example, the attributes ou and groupMembership are retrieved. They are stored in the Authentication.Attributes property in the reverse order in which they are retrieved, so with the pipe '|' as the concatenation string, Authentication.Attributes = attribute[2]|attribute[1].

    [attribute concatenation screenshot not reproduced]

