Authentication

March 2003

Authentication 1

Objectives
When you have completed this module you will be able to do the following:
• Describe authentication options
• Configure NTLM authentication
• Configure Kerberos authentication
• Add users
• Create groups
• Edit groups


What is Authentication?
• Authentication determines a user's identity
• NetCache can authenticate Web requests
• NetCache allows use of:
– NetCache user database
– RADIUS
– LDAP
– NTLM with Kerberos.
• Authentication can be used in conjunction with access control to:
– enforce local security domains
– allocate resources
– control bandwidth requirements
– provide use records
– enforce content control

What is authentication?
Authentication is the process of determining a user's identity so that the user becomes
known to the system. NetCache allows you to require authentication for Web requests
from clients using certain protocols, such as HTTP, FTP, NNTP and so on. NetCache
also allows you to specify how that authentication is performed--for example, whether
against the local NetCache user database, against a RADIUS database, or using the
Microsoft Windows Kerberos protocol server.
In addition to verifying a user's identity to prevent rogue clients from accessing the
NetCache appliance, authentication can also be used in conjunction with access control to
enforce local security domains, allocate resources, control bandwidth requirements,
provide records used in protection against lawsuits (through logged data), and enable
enforcement of values through content control.
Authentication represents a class of functionality that is growing in demand among
NetCache customers and prospects. It represents the ability of (often large) organizations
to identify exactly what user is requesting what content. This information can then be
used for a variety of purposes, from archival logging, to content filtering, to time and
content-based access control. Traditionally, users accessing an authenticated cache must
enter their user name and password at the beginning of each browser session. The
name/password pair is then sent (usually unencrypted) to the proxy, which can then
verify the user's identity locally or by consulting an LDAP or RADIUS server.


Setup > Authentication > General

Authentication – General
You can specify which protocol requires authentication and the authentication database to
be used. NetCache supports the following user databases:
• NetCache local user and group database (on NetCache)
• LDAP (Lightweight Directory Access Protocol)
• RADIUS (Remote Authentication Dial-In User Service)
• NTLM (NT LAN Manager) with Kerberos
Refer to Online Help for specific configuration information.


Authentication Forwarding
Setup > Authentication > General

config.auth.forward = 192.56.19/24 (CIDR notation)
or
config.auth.forward = 192.56.19/255.255.255.0
or
config.auth.forward = 192.56.19.0/255.255.255.0
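The three spellings above denote the same /24. The following is an added example, not NetCache code, that normalises each spelling into one network object and lists which client addresses fall inside it; padding a short address such as 192.56.19 with zero octets is an assumption, and the page says nothing further about what config.auth.forward does with matching clients.

```python
import ipaddress

# Added example, not NetCache code: normalise the three spellings the slide
# gives for config.auth.forward into one network object and test client
# addresses against it.  Padding a short address with zero octets is an
# assumption; the three forms being equivalent is what the slide implies.

def _pad_octets(addr: str) -> str:
    """Pad an abbreviated dotted address such as '192.56.19' to four octets."""
    octets = addr.split(".")
    if not 1 <= len(octets) <= 4 or not all(o.isdigit() for o in octets):
        raise ValueError(f"bad IPv4 address: {addr!r}")
    return ".".join(octets + ["0"] * (4 - len(octets)))

def parse_forward_subnet(value: str) -> ipaddress.IPv4Network:
    """Accept 'addr/prefixlen' or 'addr/dotted-mask'; addr may omit octets."""
    addr, sep, mask = value.strip().partition("/")
    if not sep or not mask:
        raise ValueError(f"{value!r}: expected addr/prefix or addr/mask")
    # strict=False lets a host address stand for its network (192.56.19.5/24)
    return ipaddress.IPv4Network(f"{_pad_octets(addr)}/{mask}", strict=False)

def forwarded_clients(value: str, client_ips):
    """Return the subset of client_ips that fall inside the forward subnet."""
    net = parse_forward_subnet(value)
    return [ip for ip in client_ips if ipaddress.IPv4Address(ip) in net]

if __name__ == "__main__":
    for form in ("192.56.19/24", "192.56.19/255.255.255.0",
                 "192.56.19.0/255.255.255.0"):
        print(form, "->", parse_forward_subnet(form))   # all 192.56.19.0/24
    # constructed client addresses
    print(forwarded_clients("192.56.19/24", ["192.56.19.77", "192.56.20.1"]))
```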


Group Permissions

Group Permissions
Options on the Setup > Authentication > Groups page are used to add, edit, and delete
groups. Additionally, these options enable you to specify authorization for access to some
protocols but restrict access to others (for example, some groups can use HTTP and FTP
but not Gopher).
Note: System administrators cannot access the NetCache Manager utility unless the
NetCache user database contains at least one user name and password. NetCache
provides a default of admin for the user name and NetCache for the password.
The default user name and password are case-sensitive.
The NetCache group and user databases are maintained on the NetCache appliance.
Refer to Online Help for specific configuration information.

Defining New Groups
The New Group button is used to create a group and add it to the NetCache user database.
Refer to Online Help for specific configuration information.


Add Users

Newuser 123abc

Add Users
Options on the Setup > Authentication > NetCache Users page are used to configure
the NetCache user database. These options are used to specify group memberships, edit
existing users, and remove users from the database.
Refer to Online Help for specific configuration information.


Authentication Options
• NetCache user (and group) database
• LDAP
• RADIUS
• NTLM (NT LAN Manager)
• Kerberos (Windows 2000)

NetCache user database
The native NetCache user database provides local authentication for users and
administrators (clear-text authentication).

LDAP authentication server
Lightweight Directory Access Protocol (LDAP) databases are commonly used as employee
directory databases. You can enable NetCache to retrieve user and group data from an
existing LDAP server to perform clear-text authentication.

RADIUS authentication server
Remote Authentication Dial-in User Service (RADIUS) was originally used to authenticate
people logging in to the network through a modem to remote points of presence (POPs).
You can enable NetCache to retrieve user data from an existing RADIUS server to perform
clear-text authentication. (RADIUS does not support groups.)

NTLM (NT LAN Manager)
NTLM supports NT domain access to the Microsoft Windows authentication environment.
NTLM (in true mode) performs authentication using an encrypted challenge-and-response
sequence between NetCache and a Windows domain controller. NTLM can be used for
clear-text authentication when used with a browser other than Microsoft Internet Explorer.

Kerberos (Windows 2000)
Kerberos is the native authentication protocol for Windows 2000 domain access. Kerberos
authentication is based on a shared secret key distribution model in which NetCache
validates tickets presented by the client (user).


LDAP Server
• Can reduce workload of maintaining user accounts
• Network load can add authentication delay
• Can only authenticate to one server
• Can only authenticate user, NOT administrators
• Cannot use LDAP if you restrict type of requests
(e.g., protocol specific)
• NetCache 5.0 and later requires LDAP Version 3

Lightweight Directory Access Protocol (LDAP) server to authenticate users
If you already have an LDAP server providing user authentication for your network, you
can point NetCache to this server and use it to authenticate users for NetCache. Using an
LDAP server to authenticate users for NetCache significantly reduces the workload of
maintaining a user database for NetCache, especially if your network has several
cooperating NetCache Appliances installed. Without LDAP, if you want user
authentication, you must maintain a separate user database on each NetCache system.
Authenticating NetCache users with an LDAP server delays a user's web request each
time the user is authenticated (at most, once per hour). The amount of delay for the user
depends on your network load.
You can only authenticate users and groups through LDAP. Authenticating admin access
locally ensures that the administrator will have access even when LDAP is down.


How the NetCache LDAP client works
If you enable protocol authentication for one or more protocols and point NetCache to
use an LDAP server, NetCache restricts access for the authenticated protocols to those
users authorized in the LDAP database. That is, all users in the LDAP database are
authorized to use the NetCache authenticated protocols.
If you need to configure NetCache to allow users to make only some types of requests,
you must use the NetCache User Administration feature.
If you configured your NetCache system to authenticate users with an LDAP server,
NetCache prompts each user for a user name and password. When the user supplies the
information, NetCache requests the LDAP server to authenticate the user.


NTLM Authentication (diagram)
Clients: Internet Explorer or Media Player (NTLM over HTTP) and Netscape (HTTP), both
sending requests to NetCache. NetCache forwards requests to the Origin Server over HTTP
and authenticates the user against the PDC (WinNT, or Win2K in non-native mode) over
SMB / NTLM.

NTLM (NT LAN Manager) Authentication
Microsoft has created provisions for Microsoft Internet Explorer (MSIE) users to be
authenticated by Microsoft Proxy Server (MSPS) without requiring the user to input a
password every time a browser session is started. This is called “single sign-on.” Single
sign-on depends upon Windows' tendency to maintain persistent password state about the
user currently using the machine. When a user signs on to an NT domain, the user name
and password are kept locally for later use. When an application needs to prove the
identity of the user to another machine, it can use that stored user name and password
to complete the logon process transparently.
The specifics of this technique as implemented by various versions of Windows are
collectively known as NTLM (NT LAN Manager) challenge/response. The NTLM signon transaction normally happens when a user logs on to a workstation, or when a user
signs on to a CIFS (Common Internet File System) share. It is also the same transaction
used between the proxy server and PDC (Primary Domain Controller) when the proxy
wants to authenticate someone.
Netscape does not support NTLM authentication. MSIE running on Mac (or Unix)
doesn't support it either. MSPS can be configured to accept "basic" (clear text)
user/password pairs from these clients, and will then authenticate this with the PDC,
using NTLM as before.


Any browser can send a basic (clear text) credential to the cache, which will then turn it
into an encrypted NTLM request and send it to the PDC.


Setup > Authentication > NTLM and Kerberos
One page with four tabs
– General
– Domain Controllers
– Join Domain
– Test Environment

Use the options on the Setup > Authentication > NTLM and Kerberos page tabs to
enable NTLM and Kerberos protocol support, to join the Microsoft Windows 2000 and
Windows NT domains, and to test the Windows NT4 environment.



Setup > Authentication > NTLM and Kerberos
General Tab

General tab
Allows you to enable or specify general NTLM and Kerberos options, such as:
• NTLM and Kerberos as authentication methods
• Caching of NTLM challenges for reuse for a period
• Selected interfaces for registration with Windows Internet Name Service (WINS)
• NTLM warning level


General Tab – CLI Equivalent
• Authentication protocol options
– config.auth.ntlm.cache
– config.auth.ntlm.enable
– config.auth.ntlm.basic_machine
– config.auth.ntlm.warning_level
– config.auth.kerb.enable
• Other miscellaneous options
– config.auth.windows.wins_ifaces


Setup > Authentication > NTLM and Kerberos
Domain Controllers Tab

Domain Controllers tab
For Microsoft Windows NT or for Microsoft Windows 2000, specifies the domain
controller (DC) to be used by this appliance for joining the domain. In addition to
standard methods:
• For Windows NT, allows you to order the list of domain controllers returned by
WINS and to specify the DC using a method that does not use WINS
• For Windows 2000, allows you to specify the means of gaining access to the domain
services without using Domain Name Services (DNS)


Domain Controllers Tab – CLI Equivalent
• Windows NT Domain Options
– config.auth.windows.pdc
– config.auth.windows.bdc
– config.auth.windows.prefdc
• Windows 2000 Domain Options
– config.auth.windows.dc
– config.auth.windows.ldap
– config.auth.windows.kdc
– config.auth.windows.kpasswd


Setup > Authentication > NTLM and Kerberos
Join Domain Tab

• GUI interface to the windows_setup CLI command
• No registry settings
• All values commit to CIFS

Join Domain tab
Specifies information required to join either a Windows 2000 domain or a Windows NT
domain:
• Domain name
• Machine name
• WINS server IP address
• Windows 2000 administrator user name and password


Joining a Windows 2000 Domain Without DNS


DNS and Kerberos in Windows 2000
• DNS and Kerberos used together to
– identify hosts
– group them by service
• SRV records in DNS map service-type to name-list
• Four service categories:
1. LDAP
2. Kerberos Key Distribution Center
3. Kerberos administration
4. SMB (DC)


DNS Override Settings
• One for each SRV record type
– config.auth.windows.dc
– config.auth.windows.ldap
– config.auth.windows.kdc
– config.auth.windows.kpasswd
• DC and LDAP settings require (hostname, IPaddress) pairs
• KDC and KPASSWD settings require hostname and optionally port number


Example 1 – Domain Join using DNS
• Setup > DNS > General
– Put only MS DNS servers in list
– Commit
• Setup > Authentication > NTLM and Kerberos >
Join Domain
– Enter domain name, machine name, admin user
and password
– Commit

• NetCache will join the specified domain


Example 2 – Domain Join without DNS
• Setup > Authentication > NTLM and Kerberos
• Domain Controllers
– In KDC and KPASSWD lists enter ip-addr[:port]
– In DC and LDAP, enter name:ip-addr
• name must be a machine name that is listed in the domain

– Commit

• Join Domain
– Enter domain name, machine name, Admin user and
password
– Commit
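The DNS override values above follow two formats: DC and LDAP take name:ip-addr, KDC and KPASSWD take host[:port]. The following is an added example, not NetCache code, that checks a set of override values against those formats before they are committed; the SETTINGS table, the error texts and the NetBIOS-style length rule for machine names are assumptions.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Added example, not NetCache code: validate the four DNS-override values
# from the Domain Controllers tab.  Value formats come from the slides
# (DC and LDAP: name:ip-addr, where name is a machine name listed in the
# domain; KDC and KPASSWD: host[:port]).  The table, the error texts and
# the 15-character NetBIOS-style name rule are assumptions.
SETTINGS = {
    "config.auth.windows.dc": "name_ip",         # SMB domain controller
    "config.auth.windows.ldap": "name_ip",       # LDAP server
    "config.auth.windows.kdc": "host_port",      # Kerberos KDC
    "config.auth.windows.kpasswd": "host_port",  # Kerberos password server
}

_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9-]{0,14}$")  # 1-15 chars
_HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]*$")

def parse_name_ip(value: str) -> Tuple[str, str]:
    """'pdc:10.32.69.10' -> ('pdc', '10.32.69.10'); both halves are mandatory."""
    name, sep, ip = value.partition(":")
    if not sep or not name or not ip:
        raise ValueError(f"{value!r}: expected name:ip-addr")
    if not _NAME_RE.match(name):
        raise ValueError(f"{value!r}: bad machine name")
    ipaddress.IPv4Address(ip)  # raises ValueError on a malformed address
    return name, ip

def parse_host_port(value: str) -> Tuple[str, Optional[int]]:
    """'10.32.69.10' -> ('10.32.69.10', None); '10.32.69.10:88' -> (..., 88)."""
    host, sep, port = value.partition(":")
    if not _HOST_RE.match(host):
        raise ValueError(f"{value!r}: bad host")
    if not sep:
        return host, None
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"{value!r}: bad port")
    return host, int(port)

def validate_overrides(values: Dict[str, List[str]]) -> Dict[str, list]:
    """Parse every override.  All four keys must be present with at least
    one entry each: the Notes slide says every one has to be filled in even
    when a single server exports all the services."""
    missing = sorted(set(SETTINGS) - set(values))
    if missing:
        raise ValueError("missing overrides: " + ", ".join(missing))
    parsed = {}
    for key, kind in SETTINGS.items():
        if not values[key]:
            raise ValueError(f"{key}: at least one entry required")
        fn = parse_name_ip if kind == "name_ip" else parse_host_port
        parsed[key] = [fn(v) for v in values[key]]
    return parsed

if __name__ == "__main__":
    # Values from the classroom exercise: one server exports every service.
    print(validate_overrides({
        "config.auth.windows.dc": ["pdc:10.32.69.10"],
        "config.auth.windows.ldap": ["pdc:10.32.69.10"],
        "config.auth.windows.kdc": ["10.32.69.10"],
        "config.auth.windows.kpasswd": ["10.32.69.10"],
    }))
```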


Notes
• These options are NetCache only
• Usually, all services exported by the same
server
– Still have to fill in all of them

• Choose servers that are close by
• Can (and should) use external DNS for origin
server name resolution
– Be careful about collision between internal names
and external names


Remote Authentication Dial-In User Service (RADIUS)
• Does not support group authentication
• Does not enable you to allow access for
users to some protocols and deny
access to other protocols


Remote Authentication Dial-In User Service (RADIUS)

Remote Authentication Dial-In User Service (RADIUS)
Options on the Setup > Authentication > RADIUS page enable NetCache to retrieve
user data from an existing RADIUS server directory. The RADIUS server authenticates
users, grants administrative access, and applies NetCache permission settings to RADIUS
users.
Refer to Online Help for specific configuration information.


Authentication Exercises
• NTLM and Kerberos Configuration
• Set up Kerberos Authentication with
Windows 2000
• NTLM Statistics and Warnings Exercise
• Configure NetCache to locate
authenticating server without DNS


Authentication Exercises
• 30 minutes in length
• Use breakout rooms
• Instructor will visit all rooms
• Broadcast announcement 5 minutes prior to regroup
• Stay focussed, start telnet, start GUI
• Share microphones, or no one else can be heard


Authentication NetCache Exercise
Objectives
When you have completed this module, you will be able to do the following:
• Configure authentication through the NetCache
• Create Groups
• Add users
• Restrict access to NetCache to specific groups
• Setup NTLM and Kerberos Authentication
• Configure ACLs to Control Access by Windows Users
• Configure NetCache to locate authenticating server without DNS

Exercise Overview
The purpose of this activity is for you to gain experience in managing NetCache and
setting up user and group authentication. During these exercises, you will be guided
through each step in the process, and you will have an opportunity to verify that each step
was successfully completed.

Time Estimate: 30 minutes
Required Hardware, Software, and Tools
Hardware
• Workstation
• NetCache machine
Software
• Windows 2000
• NetCache 5.4 or later
• Netscape Navigator 4.7
• Internet Explorer 5.5 or later


Setup Authentication Exercise
1. Open NetCache Manager.
2. Select Setup > Authentication > General.
3. Select Authenticate HTTP Requests.
4. Commit changes.
5. What will this selection do?
6. Since we are now using the NetCache user database for authentication, make
NetCache User Database the first option in the Authentication-Checking Order.
7. Commit changes.
8. Regardless of the authentication methods employed, why should NetCache
User Database be included in the list?


Add New NetCache Group
Create a group and add members as follows:
1. Open NetCache Manager.
2. Select Setup > Authentication > Groups.
3. Select the Groups tab and click on the New Group button.
4. Enter a name for your new group.
5. Select the access permissions for your new group. We recommend at least HTTP.
6. Commit changes.
7. Select Setup > Authentication > NetCache Users.
8. Ensure that your new group is displayed under Group Memberships.


Configure New User Account
If you enable protocol authentication, you must specify which users are authorized to
make requests of NetCache and which protocol each user is authorized to use. Add users
to the NetCache user database as follows:
1. Open NetCache Manager.
2. Select Setup > Authentication > NetCache Users.
3. Click the Add Users button.
4. Enter a user using the following format:
username password
5. Assign your new user to the new group you created.
6. Click Add Users.
7. Select Add.
8. Close all browser clients.
9. Try to access a network URL from your web browser. Were you asked for the
user name and password?
10. Open a web browser and configure your NetCache as proxy for your browser.
11. Try accessing some URLs, including http://www.hotmail.com. What happened
and why?
12. Reconfigure your browser proxy to connect directly to the Internet.
13. Try accessing some URLs. What happened and why?


NTLM and Kerberos Configuration
This exercise has been written for a Windows 2000 Active Directory Domain. If you
enable NTLM authentication, you must add the NetCache to the Active Directory as a
new computer.
1. Open NetCache Manager.
2. Ensure the following configurations are correct:
– Date, time, time zone all match the Domain Controller (Setup > System > Clock).
– DNS Nameserver for the NetCache is 10.32.70.10 (Setup > DNS > General).
PDC - Internal 10.32.70.10, External 64.94.95.10.
– DNS domain name is the same as the Windows domain name. Should be netapp.com.
3. Select Setup > System > Feature Selector.
4. Scroll to Authentication Methods.
5. Ensure that the checkbox beside NTLM and Kerberos is checked.
6. Select Setup > Authentication > General.
7. Select Authenticate HTTP Requests and commit changes.
8. Scroll to Authentication Checking Order and configure:
1. Appliance database
2. NTLM
3. None
4. None
9. Commit changes.


Set up Kerberos Authentication with Windows 2000
This exercise will allow you to configure the NetCache appliance to use Windows 2000
Kerberos authentication. The first section will guide you through the configuration using
the NetCache Manager and the following section using the command line interface.
The procedures for this exercise are identical to the NTLM exercise. The steps of the
NTLM exercise are repeated here with the variations noted for you.
1. Open NetCache Manager.
2. Ensure the following configurations are correct:
– Date, time, time zone all match the Domain Controller.
– DNS Nameserver for the NetCache is 10.32.70.10.
– DNS domain name is the same as the Windows domain name. Should be
“demo.netapp.com”.

Select Authentication Method
3. Select Setup > System > Feature Selector.
4. Scroll to Authentication Methods.
5. Be sure that the checkbox beside NTLM and Kerberos is checked.
6. Access the NetCache Manager.

Join the domain
7. Open the Join Domain tab.
8. Enter DEMO.NETAPP.COM in the Name of the Windows domain to join text box.
9. Enter the name of your assigned NetCache appliance in the Name of the
appliance in the domain database text box.
10. Leave the WINS information blank (we are not using WINS).
11. Enter the following information into the Windows Administrator Credentials
text boxes:
User: administrator
Password: cslab
12. Commit the changes.

Enable NTLM and Kerberos
13. Select Setup > Authentication > NTLM and Kerberos.

Test the configuration
14. Close all browser windows for both Internet Explorer and Netscape Navigator.
15. Ensure that you are logged on as Administrator.
16. Open an Internet Explorer window. Because Kerberos (failing over to NTLM) is
checking your credentials from your logon, you should not be challenged for a
username and password.
17. Open a Netscape window. You should be challenged for a username and
password, because Netscape is not a Microsoft product and it cannot use Kerberos
credentials; however, it can authenticate with the domain controller once you type
in the correct responses.
18. Your responses are:
Username: Administrator
Password: passwd
You should now be logged onto the browser through NetCache Kerberos
authentication (failing over to NTLM if necessary).
19. Use Internet Explorer to access any URL.
20. What happened? And why was there a difference between using Internet
Explorer and Netscape?

End of NTLM and Kerberos configuration exercise


NTLM Statistics and Warnings Exercise
The exercise is intended to give you an opportunity to examine the new NTLM statistics
and warnings.

Windows status and statistics
1. Access the command line for your NetCache appliance.
2. Enter show status.windows*
3. Observe the information displayed.

NTLM warning level
4. Determine the current NTLM warning level by entering:
netcache>show config.auth.ntlm.warning_level
5. To reduce the number of messages change the warning level to 1:
netcache>set config.auth.ntlm.warning_level 1
6. Verify your change:
netcache>show config.auth.ntlm.warning_level

End of NTLM Statistics and Warnings Exercise


ACLs to Control Access by Windows Users
1. Access the NetCache Manager and ensure that HTTP is going to be
authenticated (Setup > Authentication) or do this through the CLI.
2. Create a global ACL that denies access to a particular website.
Example: deny url "http://www.abc.com"
3. Create another ACL that specifically permits access for one of your two new
users. Example:
allow user april and url-prefix "http://www.abc.com"
deny url-prefix "http://www.abc.com"
4. Log in as the new unique user, the one that has unlimited HTTP access. Using
IE, accessing this website as this user should be allowed, transparently.
5. Close all browsers.
6. Open and use the new user without access.

End of ACLs to Control Access by Windows Users Exercise
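The exercise places the allow line for one user ahead of the deny line for everyone. The following is an added example, not NetCache's ACL engine, that evaluates rules written in the exercise's shape so the effect of that ordering can be checked; first-match evaluation, the default verdict and the set of accepted clause keywords are assumptions.

```python
# Added example, not NetCache's ACL engine: a small evaluator for ACL lines
# in the shape the exercise uses, showing why the "allow user ..." line must
# come before the "deny url-prefix ..." line.  First-match evaluation, the
# default verdict and the accepted clause keywords are assumptions.

KEYWORDS = ("user", "url", "url-prefix")

def parse_acl_line(line):
    """'allow user april and url-prefix "http://www.abc.com"' ->
    ('allow', {'user': 'april', 'url-prefix': 'http://www.abc.com'})"""
    action, _, rest = line.strip().partition(" ")
    if action not in ("allow", "deny") or not rest:
        raise ValueError(f"bad rule: {line!r}")
    conds = {}
    for clause in rest.split(" and "):
        key, _, val = clause.strip().partition(" ")
        val = val.strip().strip('"')
        if key not in KEYWORDS or not val:
            raise ValueError(f"bad clause in {line!r}: {clause!r}")
        conds[key] = val
    return action, conds

def _matches(conds, user, url):
    """True only if every clause of the rule holds for this request."""
    for key, val in conds.items():
        if key == "user" and user != val:
            return False
        if key == "url" and url != val:
            return False
        if key == "url-prefix" and not url.startswith(val):
            return False
    return True

def evaluate(acl_lines, user, url, default="allow"):
    """Verdict of the first rule whose conditions all match; user is None
    for a request that was not authenticated."""
    for action, conds in (parse_acl_line(line) for line in acl_lines):
        if _matches(conds, user, url):
            return action
    return default

# Constructed ACL in the exercise's shape: one user may reach the site,
# everyone else is denied.
EXERCISE_ACL = [
    'allow user april and url-prefix "http://www.abc.com"',
    'deny url-prefix "http://www.abc.com"',
]

if __name__ == "__main__":
    print(evaluate(EXERCISE_ACL, "april", "http://www.abc.com/index.html"))  # allow
    print(evaluate(EXERCISE_ACL, "bob", "http://www.abc.com/index.html"))    # deny
    # with the two lines swapped, april is denied as well
    print(evaluate(EXERCISE_ACL[::-1], "april", "http://www.abc.com/"))      # deny
```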


Configure NetCache to locate authenticating server without DNS
This exercise will allow you to configure the NetCache appliance to join a Windows
domain without using DNS to resolve domain controller addresses.
1. Open NetCache Manager.

Disable DNS
2. Select Setup > DNS > General.
3. Remove the name server entry, or change it to any address other than
10.41.72.25 (the DNS server).
4. Access the NetCache Manager.

Configure Domain Controller Addresses
5. Select Setup > Authentication > NTLM and Kerberos.
6. Open the Domain Controllers tab.
7. Enter pdc:10.32.69.10 in the Windows 2000 Domain Controllers (overrides
DNS) text box.
8. Enter pdc:10.32.69.10 in the Windows 2000 LDAP servers (overrides DNS)
text box.
9. Enter 10.32.69.10 in the Windows 2000 KDCs (overrides DNS) text box.
10. Enter 10.32.69.10 in the Windows 2000 kpasswd servers (overrides DNS)
text box.
11. Commit the changes.

Test the configuration
12. Close all browser windows for both Internet Explorer and Netscape Navigator.
13. Ensure that you are logged on as Administrator.
14. Open a Netscape window.
15. Note that since DNS is disabled, the browser will be unable to resolve the
default homepage (if one appears it is in the browser’s cache).
16. Point the browser to your NetCache appliance. Log into the appliance if
prompted to do so. Your responses are:
Username: admin
Password: NetCache
17. You will be prompted for a network password. Your responses are:
User name: Demo\cslab
Password: passwd
What happened? Was your login accepted?

End of Authentication Exercises
