3 Replies Latest reply on Jul 9, 2015 4:16 AM by lnurmi

    NGFW 5.9 Active directory schema script for external user authentication.

    gueutzilla

      Hello,

      We have recently configured the NGFW 5.9 to offer a remote access via VPN IPSec for our users.

      We have successfully enabled local authentication for external users based on Active Directory group using a test RADIUS server.

      So in our configuration we need to authenticate the users directly on the Active Directory server to control access in Firewall policies and allow some protocols based on user or group policies.

      I have read a lot of documentation and, if I understand correctly, we need to modify the Active Directory schema to integrate some new classes and attributes for sguser and sggroup, right? (McAfee Next Generation Firewall 5.9.0)

      In some old documentation ( Schema Updates for External LDAP Servers ) you say that there is a script called SG_AD.ldif in the <installation directory>/samples/LDAPSamples/LDAP/ directory, but we are unable to find this script to import the new schema classes and attributes.

      So where can we download this script, or how can we create these new classes and attributes to enable external Active Directory authentication and create policy rules based on user or AD group?

      Thanks a lot for your help.

      Regards.

        • 1. Re: NGFW 5.9 Active directory schema script for external user authentication.
          lnurmi

          Hi,

          the LDIF file should be in that folder in your SMC installation directory. But to clarify, you do not need to modify the schema to be able to use AD users and groups in your firewall policies. Modifying the schema only allows you to set a separate password for AD users through SMC (stored in the sgpassword attribute).

          Since you have the authentication working, I assume you have integrated the AD to your SMC i.e. you can browse the users with your Management Client. At that point you can use groups and users in your policies, in either the src/dst or Authentication cells of the rules. Once a user has authenticated to the firewall with a browser or VPN client, their connections can match the rules that include users/groups.

          If you wish to match these rules also to users who do not authenticate to the firewall, you would need to install and integrate the McAfee Logon Collector. It collects domain logins from e.g. domain controllers and provides those user-to-IP mappings to the NGFW, so it can match connections to rules with users/groups in src/dst cells.

          BR,

          Lauri

          • 2. Re: NGFW 5.9 Active directory schema script for external user authentication.
            gueutzilla

            Hi and thanks for your reply.

            I can't find the ldif file in my SMC installation folder... I think the script was removed in the latest version of SMC.

            So instead of authenticating users directly with the "User password" method on the LDAP server, we used RADIUS authentication with AD groups and we have deployed the MLC.

            This solution seems to be working...

            Regards,

            Gwen

            • 3. Re: NGFW 5.9 Active directory schema script for external user authentication.
              lnurmi

              Hi, it seems the file is indeed not there, at least in an SMC 5.9 installation; maybe the same for a new 5.8 installation too (I only have an upgraded 5.8 installation to check from now).

              Pure LDAP authentication with LDAP bind is not supported currently; RADIUS and TACACS+ are. No plans for LDAP bind authentication currently that I know of; you can file a product enhancement request for it at https://mcafee.acceptondemand.com if you want.

              BR, Lauri
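The thread settles on RADIUS in front of Active Directory rather than LDAP bind, so the piece worth understanding is what the firewall and the RADIUS server actually exchange. The following is an added example, not code from the thread, from McAfee or from the SMC: a minimal RADIUS Access-Request / Access-Accept round trip with PAP as specified in RFC 2865, with both sides implemented in one file. The user table, the shared secret and the NAS address are constructed placeholders, and the in-memory server stands in for the real RADIUS server that would check the credentials against AD; nothing here talks to a network.

```python
"""Added example: RADIUS PAP exchange per RFC 2865 (both client and toy server)."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4

# Constructed sample data (placeholders, not real credentials).
SHARED_SECRET = b"example-shared-secret"
USERS = {"gwen": b"correct horse battery"}  # what the toy server checks against


def encode_attrs(attrs):
    """Serialize (type, value) pairs as RADIUS TLVs: type, length incl. header, value."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def decode_attrs(data):
    """Parse RADIUS TLVs; reject bad lengths instead of reading past the buffer."""
    attrs = []
    while data:
        if len(data) < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = struct.unpack("!BB", data[:2])
        if length < 2 or length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, data[2:length]))
        data = data[length:]
    return attrs


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    if not 1 <= len(password) <= 128:
        raise ValueError("PAP password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; the server needs the same shared secret to do this."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return out.rstrip(b"\x00")


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(data):
    if len(data) < 20:
        raise ValueError("packet too short")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("length field does not match packet size")
    return code, ident, data[4:20], decode_attrs(data[20:])


def response_authenticator(code, ident, request_auth, attrs_bytes, secret):
    """RFC 2865 3: MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs_bytes))
    return hashlib.md5(header + request_auth + attrs_bytes + secret).digest()


def server_handle(packet, secret, users):
    """Toy RADIUS server: recover the PAP password and answer Accept or Reject."""
    code, ident, request_auth, attrs = parse_packet(packet)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    fields = dict(attrs)
    username = fields.get(ATTR_USER_NAME, b"").decode("utf-8", "replace")
    password = reveal_password(fields.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    # Constant-time compare; unknown users get a dummy value rather than an early return.
    ok = hmac.compare_digest(users.get(username, b"\x00"), password)
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    reply_auth = response_authenticator(reply_code, ident, request_auth, b"", secret)
    return struct.pack("!BBH", reply_code, ident, 20) + reply_auth


def client_check_reply(reply, request_auth, secret):
    """Client side: trust the reply only if its Response Authenticator verifies."""
    code, ident, reply_auth, _ = parse_packet(reply)
    expected = response_authenticator(code, ident, request_auth, reply[20:], secret)
    if not hmac.compare_digest(reply_auth, expected):
        raise ValueError("response authenticator mismatch (wrong secret or forged reply)")
    return code == ACCESS_ACCEPT


def run_exchange(username, password, secret, users, ident=1, authenticator=None):
    """Full round trip: the firewall (NAS) builds the request, the server answers, the client verifies."""
    request_auth = authenticator or os.urandom(16)  # must be unpredictable per request
    request = build_packet(ACCESS_REQUEST, ident, request_auth, [
        (ATTR_USER_NAME, username.encode()),
        (ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_auth)),
        (ATTR_NAS_IP_ADDRESS, bytes([192, 0, 2, 1])),  # constructed NAS address (TEST-NET-1)
    ])
    reply = server_handle(request, secret, users)
    return client_check_reply(reply, request_auth, secret)


if __name__ == "__main__":
    print("accept:", run_exchange("gwen", "correct horse battery", SHARED_SECRET, USERS))
    print("reject:", run_exchange("gwen", "wrong password", SHARED_SECRET, USERS))
```

Two points the code makes concrete for anyone operating this setup: the User-Password attribute is only XORed with an MD5 keystream derived from the shared secret and the per-request authenticator, so the shared secret and the network path between the NGFW and the RADIUS server are what protect the AD credentials in transit; and the only thing binding an Access-Accept to the request is the Response Authenticator, which is again keyed by the shared secret. A long random shared secret, a dedicated management segment (or RadSec) for the RADIUS traffic, and a NAS that refuses replies whose authenticator does not verify are the defensive consequences.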