WebAuth Example

This section describes a typical WebAuth configuration example.

In this example, WebAuth user access control is demonstrated. It allows only user1 who is authenticated using WebAuth to access Internet. All other accesses are denied. The WebAuth server is the local AAA server named local.

Take the following steps:

Step 1: Create a user.

1. Select Objects > Local User from the menu bar.
2. In the Local User dialog, select local from the Local server drop-down list, and click New > User.
3. In the User Configuration dialog, configure as follows:
   • Name: user1
   • Password: 123456
   • Confirm password:123456
4. Click OK to save your settings.
5. In Local User dialog, select local from the Local server drop-down list, and click New > User group.
6. In the User Group Configuration dialog, configure as follows:
   • Name: usergroup1
   • Available: user1
   • Selected: user1
7. Click OK to save your settings.

Step 2: Create a role and a role mapping rule.

1. Select Objects > Role from the menu bar.
2. In the Role dialog, click New > Role.
3. In the Role Configuration dialog, type role1 into the Role name box, and then click OK.
4. In the Role dialog, click New > Role Mapping.
5. In the Role Mapping Configuration dialog, configure as follows:
   • Name: role-mapping1
   • Member: Select role1, usergroup, usergroup1 in turn, and then click Add
6. Click OK to save the settings and return to the Role Mapping Configuration dialog.
7. Click OK in the Role Mapping Configuration dialog.

Step 3: Configure an address entry and AAA server.

1. Select Objects > Address Book from the menu bar.
2. In the Address Book dialog, click New.
3. In the Address Entry Configuration dialog, configure as follows:
   • Name: addr_book
   • Member: Select and type IP/netmask, 192.168.1.1, 16 in turn, and then click Add

4. Click OK to save your settings, and then close the Address Book dialog.
5. Select Objects > AAA Server from the menu bar.
6. In the AAA Server dialog, select local from the list, and then click Edit.
7. In the Local Server Configuration dialog, select role-mapping1 from the Role mapping rule drop-down list.
8. Click OK to save your changes.
9. In the AAA Server dialog, click OK to save your settings.

Step 4: Configure interfaces and zones.

1. On the Navigation pane, click Configure > Network > Network to visit the Network page.
2. Select ethernet0/0 from the interface list, and click Edit. In the Interface Configuration dialog, configure the options as below:
   • Binding type: Layer 3 zone
   • Zone: trust
   • Type: Static IP
   • IP address: 192.168.1.1
   • Netmask: 16
3. Click OK to save the changes and return to the Network page.
4. Select ethernet0/1 from the interface list, and click Edit. In the Interface Configuration dialog, configure the options as below:
   • Binding type: Layer 3 zone
   • Zone: untrust
   • Type: Static IP
   • IP address: 66.1.200.1
   • Netmask: 16
5. Click OK to save the changes and return to the Network page.

Step 5: Configure policy rules.

1. On the Navigation pane, click Configure > Security > Policy to visit the Policy page.
2. Click New and in the Policy Configuration dialog, configure options as follows:
   • Src zone: trust
   • Dst zone: untrust
   • Src address: Any
   • Dst address: Any
   • Service: DNS
   • Action: Permit
3. Click OK to save your settings. System creates a policy rule, and its ID is 1.
4. Click New and in the Policy Configuration dialog, configure options as follows:
   • Src zone: trust
   • Dst zone: untrust
   • Src address: addr_book
   • Dst address: Any
   • Service: Any
   • Source user: Click Multiple and in the Role/User/User Group Configuration dialog, select Role and specify the role name as role1
   • Action: Permit
5. Click OK to save your settings. System creates a policy rule, and its ID is 2.

Step 6: Configure WebAuth function.

1. On the Navigation pane, click Configure > Network > WebAuth to visit the WebAuth Parameter Configuration page.
2. Click Edit to enter into the edit mode. Modify according to your need:
   • Mode: HTTP
   • HTTP port: 8181
3. Click OK to save your settings.
4. On the Navigation pane, click Configure > Security > Policy to visit the Policy page.
5. Click New and in the Policy Configuration dialog, configure the options as below:
   • Src zone: trust
   • Dst zone: untrust
   • Src address: addr_book
   • Dst address: Any
   • Service: Any
   • Source user: Click Multiple and in the Role/User/User Group Configuration dialog, select Role and specify the role name as UNKNOWN
   • Action: WebAuthlocal
6. Click OK to save your settings.