Active Directory Authentication Tables
Active Directory Authentication as an Authentication Source
User information tables serve as the authentication source for the user and group information required by firewall security policies. The device supports local and Active Directory authentication.
The integrated user firewall feature gathers user and group information for Active Directory authentication by reading domain controller event logs, probing domain PCs, and querying Lightweight Directory Access Protocol (LDAP) services within the configured Windows domain. Up to two Windows domains are supported.
From the user and group information, the integrated user firewall feature generates an Active Directory authentication table on the Routing Engine of the device, which then pushes the authentication table to the Packet Forwarding Engine. Security policies use the information in the table to authenticate users and to provide access control for traffic through the firewall.
Active Directory Authentication Tables
The Active Directory authentication table contains the IP address, username, and group mapping information that serves as the authentication source for the integrated user firewall feature. Information in the table is obtained by reading Windows Active Directory domain controller event logs, probing domain PCs, and querying LDAP services within a specified Windows domain.
Reading domain controller event logs generates a list of IP address-to-user mapping information that is used to create entries in the Active Directory authentication table. Once entries have been added in the table, a query is sent to the LDAP server for user-to-group mapping information.
When user traffic arrives at the device, the Active Directory authentication table is searched for an entry corresponding to the source IP address of the traffic. If no entry is found there, the device can also search the local authentication table. If an entry exists, the policies matching that entry are applied to the traffic and access is allowed or denied.
Source identities in security policies can be associated with both IPv4 and IPv6 addresses, so IPv6 traffic, like IPv4 traffic, can match any security policy configured for source identity.
The LDAP server returns all group information; this includes not only information about the groups you directly belong to, but also all the parent (and parent of the parent and so on) groups that you belong to. Group information returned from the LDAP server is compared with the source identity in security policies. If there is a match, Active Directory authentication table entries are updated to include only the group information provided in the security policy. In this way, only relevant group information is listed in the authentication table. Whenever source identity is updated, the authentication table is also updated to reflect the up-to-date relevant group information for all listed users.
The integrated user firewall feature for both Active Directory authentication and ClearPass authentication will manage up to 2048 sessions for each user for whom there is a user identity and authentication entry in the authentication table. There might be additional sessions associated with a user beyond the 2048 supported sessions, but they are not managed by integrated user firewall. When an authentication entry in an authentication table is deleted, integrated user firewall only closes sessions that are associated with that entry. It will not close sessions that it does not manage. That is, sessions that are not associated with the authentication entry are not closed.
Table 1 lists Active Directory authentication table support for NFX devices. Platform support depends on the Junos OS release in your installation.
Table 1: Active Directory Authentication Table Support for NFX Series Devices
Device | Active Directory Authentication Table Entries | Domains | Active Directory Controllers |
---|---|---|---|
NFX150 | 500 | 1 | 5 |
Once the maximum number of authentication table entries is reached, no additional entries are created.
Entries in the Active Directory authentication table must stay within the following limits:
Usernames are limited to 64 characters.
Group names are limited to 64 characters.
Each entry can be associated with up to 200 relevant groups (configured in the source identity field). For example, if you belong to 1000 groups in LDAP and out of these, no more than 200 groups are configured in the source identity field, you are compliant with the Active Directory authentication table.
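The group handling described above (the LDAP server returning a user's direct groups plus every ancestor, the firewall keeping only the groups referenced as source identities, and the 64-character and 200-group limits) can be modelled as follows. This is an added illustration, not Junos code; the directory contents and names (`eng`, `staff`, `u2` and so on) are constructed for the example and are not from the page. `delete_group` mirrors the "deleted group information" event in Table 2.

```python
"""How relevant groups are derived for an Active Directory authentication
table entry: the LDAP server returns the user's direct groups and all of
their ancestors, and the firewall keeps only the groups referenced as
source identities in security policies, subject to the table's limits.
Added illustration of the behaviour described on this page; not Junos code."""
from collections import deque

MAX_NAME_LEN = 64            # username and group-name limit from the page
MAX_RELEVANT_GROUPS = 200    # relevant groups per entry, from the page

# Constructed sample directory (hypothetical names): group -> parent groups,
# as an LDAP server would report memberOf, and user -> direct groups.
GROUP_PARENTS = {
    "eng": ["staff"],
    "vpn-admins": ["admins"],
    "admins": ["staff"],
    "staff": ["all-users"],
    "contractors": ["all-users"],
    "all-users": [],
}
USER_DIRECT_GROUPS = {
    "u2": ["eng", "vpn-admins"],
    "u3": ["contractors"],
}


def expand_groups(direct_groups, group_parents):
    """Transitive closure of membership: direct groups plus every parent,
    parent of parent and so on (what the LDAP query returns).  Breadth-first
    with a visited set, so cyclic nesting cannot loop forever."""
    seen = set()
    queue = deque(direct_groups)
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        queue.extend(group_parents.get(group, ()))
    return seen


def check_entry_limits(username, groups):
    """Reject an entry that would exceed the documented limits."""
    if len(username) > MAX_NAME_LEN:
        raise ValueError("username longer than %d characters" % MAX_NAME_LEN)
    too_long = [g for g in groups if len(g) > MAX_NAME_LEN]
    if too_long:
        raise ValueError("group name longer than %d characters: %s"
                         % (MAX_NAME_LEN, too_long[0]))
    if len(groups) > MAX_RELEVANT_GROUPS:
        raise ValueError("more than %d relevant groups" % MAX_RELEVANT_GROUPS)


def relevant_groups(username, source_identities, user_direct_groups, group_parents):
    """Groups recorded in the authentication entry: the user's full
    membership intersected with the source identities configured in policies."""
    all_groups = expand_groups(user_direct_groups.get(username, ()), group_parents)
    relevant = sorted(all_groups & set(source_identities))
    check_entry_limits(username, relevant)
    return relevant


def delete_group(name, user_direct_groups, group_parents):
    """Copies of the maps with `name` removed, as when the group is deleted on
    the LDAP server; users nested only under it lose its parents as well."""
    parents = {g: [p for p in ps if p != name]
               for g, ps in group_parents.items() if g != name}
    direct = {u: [g for g in gs if g != name]
              for u, gs in user_direct_groups.items()}
    return direct, parents
```

With the sample directory, `relevant_groups("u2", ["staff", "admins", "finance"], USER_DIRECT_GROUPS, GROUP_PARENTS)` returns only `admins` and `staff`: `u2` is never directly a member of either, and `finance` is never returned by LDAP for that user. Deleting `contractors` removes `all-users` from `u3`'s entry even though `all-users` itself still exists, which is the chain-breaking behaviour Table 2 describes.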
The Active Directory authentication table must be enabled as the authentication source for integrated user firewall information retrieval in the Windows Active Directory environment. Use the following statement for that purpose:
The priority option specifies the sequence in which user information tables are checked. The lowest priority value is the highest priority: configuring the lowest value for the Active Directory authentication source means that it is searched first.
State Information for Active Directory Authentication Table Entries
Active Directory authentication table entries can be in one of four states: initial (an IP-address-to-user mapping has been read from the domain controller event log and group information is being retrieved), pending (a probe has been sent to the domain PC and no response has been received yet), valid (the entry has been completed and pushed to the Packet Forwarding Engine, or a probe response confirmed the user), and invalid (the probe response showed that the user could not be validated).
For a list of probe responses, see Understanding Integrated User Firewall Domain PC Probing.
To display Active Directory authentication entries, along with their state information, use the following command:
Domain: www.example1.net
Total count: 3
Source IP       Username   Groups       State
2001:db8::1:1   u2         r1, r3, r4   initial
192.168.10.3    u3         r5, r6, r4   pending
2001:db8::2:1   u4         r3, r4       initial

Domain: www.example2.net
Total count: 2
Source IP       Username   Groups       State
10.1.1.2        u4         r1, r3, r4   valid
10.1.1.3        u5         r5, r6, r4   invalid
Command options allow you to display information by user or group, and to define additional output levels—brief, domain, extensive, node.
Active Directory Authentication Table Management
Windows domain environments are constantly changing as users log in and out of the network and as network administrators modify user group information. The integrated user firewall feature manages changes in the Windows domain by periodically reading domain controller event logs and querying the LDAP server for user-to-group mapping information. That information is used in updating the Active Directory authentication table as appropriate.
Additionally, a probe function is provided to address changes that occur between readings of the event logs, or the case where event log information is lost. An on-demand probe is triggered when client traffic arrives at the firewall but the source IP address of that client cannot be found in the table. At any point, manual probing is available to probe a specific IP address.
Changes to the Active Directory Authentication table also occur due to source identity changes in the security policy configuration.
Table 2 describes events that trigger an Active Directory authentication table update.
Table 2: Events Triggering Active Directory Authentication Table Updates
Event | Active Directory Authentication Table Update |
---|---|
A domain controller event log is read at configured intervals. | New IP address-to-user entries are added in the authentication table in initial state. Group information is retrieved from the LDAP server. When the authentication entry is pushed to Packet Forwarding Engine, the state is changed to valid. |
An on-demand or manual probe is sent to a domain PC. | An entry is added in the authentication table in pending state. If a probe response is not returned within 90 seconds, the entry is deleted. |
An on-demand or manual probe response is received from a domain PC. | Based on the response, entries in pending state are changed to valid or invalid. For valid responses, the group information is retrieved from the LDAP server. For invalid responses, the entry is marked as invalid. |
An LDAP server query identifies new user-to-group mapping information. | Entries are updated with the group information. |
An LDAP server query identifies deleted user information. | Entries associated with that user are deleted from the table. |
An LDAP server query identifies deleted group information. | The affected group information is updated. For example, user2 belongs to group2, and group2 belongs to group1. And, group1 is listed as a source-identity for group2. For any authentication entry of user2, group1 is listed in its relevant groups. However, if group2 is removed from the LDAP server, user2 loses the connection with group1, and as a result, group1 is removed from the user2 authentication table. |
An LDAP server query identifies added group information. | If the group is referenced in a security policy, entries associated with this group are updated to add the group information. |
The source identity information is removed from a security policy configuration. | Entries associated with the source identity are deleted from Active Directory authentication table. |
If an entry is deleted from the table, any sessions attached to that entry are also deleted. If an entry in the table is updated to add or remove group information, there is no impact to existing sessions for that entry.
When you use the CLI to delete an Active Directory authentication entry, the system closes the related session and writes a session-close message to the log file. However, the session-close message does not contain the source identity information for the user, that is, the user and user group information.
To manually delete an entry from the table, use the request services user-identification active-directory-access active-directory-authentication-table command. Options exist for deleting a specific IP address, domain, group, or user.
To clear the contents of the Active Directory authentication table, use the clear services user-identification active-directory-access active-directory-authentication-table command.
Timeout Interval for Table Entries
Entries in the table remain active as long as there are sessions associated with the entry. When a user is no longer active, a timer is started for that user's entry in the Active Directory authentication table; when the timer expires, the entry is removed from the table.
To set the timeout value, use the following statement:
The default authentication-entry-timeout interval is 30 minutes. To disable timeouts, set the interval to 0.
We recommend that you disable timeouts when disabling on-demand probing in order to prevent someone from accessing the Internet without logging in again.
To view timeout information for Active Directory authentication table entries, use the following command:
Domain: www.example1.net
Total entries: 2

Source IP: 192.168.1.2
Username: u2
Groups: r1, r3, r4
State: initial
Access start date: 2014-03-22
Access start time: 10:56:58
Age time: 20 min

Source IP: 192.168.1.3
Username: u3
Groups: r5, r6, r4
State: pending
Access start date: 2014-03-22
Access start time: 10:46:58
Age time: 10 min
This example shows that the timer has started for two entries—the entry for user u2 will time out in 20 minutes, while the entry for user u3 will time out in 10 minutes. When session traffic is associated with an entry, the age time value changes to “infinite.”
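Both listing formats shown above (the tabular listing under State Information and the per-entry listing with age time) are easy to parse when you want to check a table programmatically, for example to find invalid entries or entries that are about to time out. The following is an added example, not Junos code; the sample text is constructed from the page's output formats (with a third entry added to show the "infinite" age time) and is not captured from a device. It assumes the field names and layout shown on this page.

```python
"""Parsers for the two forms of Active Directory authentication table output
shown on this page, plus two simple filters over the result.  Added example;
not Junos code.  The sample text is constructed from the page's formats."""
import ipaddress
import re

STATES = ("initial", "pending", "valid", "invalid")

# Constructed sample: the tabular form.
BRIEF_OUTPUT = """\
Domain: www.example1.net
Total count: 3
Source IP       Username   Groups       State
2001:db8::1:1   u2         r1, r3, r4   initial
192.168.10.3    u3         r5, r6, r4   pending
2001:db8::2:1   u4         r3, r4       initial

Domain: www.example2.net
Total count: 2
Source IP       Username   Groups       State
10.1.1.2        u4         r1, r3, r4   valid
10.1.1.3        u5         r5, r6, r4   invalid
"""

# Constructed sample: the per-entry form with timeout information.
EXTENSIVE_OUTPUT = """\
Domain: www.example1.net
Total entries: 3

Source IP: 192.168.1.2
Username: u2
Groups: r1, r3, r4
State: initial
Access start date: 2014-03-22
Access start time: 10:56:58
Age time: 20 min

Source IP: 192.168.1.3
Username: u3
Groups: r5, r6, r4
State: pending
Access start date: 2014-03-22
Access start time: 10:46:58
Age time: 10 min

Source IP: 192.168.1.4
Username: u6
Groups: r4
State: valid
Access start date: 2014-03-22
Access start time: 10:40:00
Age time: infinite
"""

# One table row: IP, username, comma-separated groups, then a known state.
# The header row does not match because "State" is not one of STATES.
ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*?)\s+(%s)$" % "|".join(STATES))


def _groups(value):
    return [g.strip() for g in value.split(",") if g.strip()]


def parse_brief(text):
    """Parse the tabular listing into a list of entry dicts."""
    entries, domain = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Domain:"):
            domain = line.split(":", 1)[1].strip()
            continue
        m = ROW_RE.match(line)
        if m and domain:
            ip, user, groups, state = m.groups()
            entries.append({"domain": domain, "ip": ipaddress.ip_address(ip),
                            "user": user, "groups": _groups(groups), "state": state})
    return entries


def parse_extensive(text):
    """Parse the per-entry listing; age_min is None when the age time is
    'infinite' (sessions are attached to the entry)."""
    entries, domain, cur = [], None, {}

    def flush():
        if cur:
            entries.append(dict(cur))
            cur.clear()

    for line in text.splitlines():
        key, _, value = line.strip().partition(":")
        key, value = key.strip(), value.strip()
        if key == "Domain":
            flush()
            domain = value
        elif key == "Source IP":
            flush()
            cur.update(domain=domain, ip=ipaddress.ip_address(value))
        elif key == "Username":
            cur["user"] = value
        elif key == "Groups":
            cur["groups"] = _groups(value)
        elif key == "State":
            cur["state"] = value
        elif key == "Age time":
            cur["age_min"] = None if value == "infinite" else int(value.split()[0])
    flush()
    return entries


def by_state(entries, state):
    """Entries in the given state, e.g. 'invalid' for failed probes."""
    return [e for e in entries if e["state"] == state]


def expiring_within(entries, minutes):
    """Entries whose timer is running and will expire within `minutes`."""
    return [e for e in entries
            if e.get("age_min") is not None and e["age_min"] <= minutes]
```

`ipaddress.ip_address` validates each source IP and lets the caller distinguish IPv4 from IPv6 entries (`entry["ip"].version`), which matters because both address families can appear in the same table.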
Timeout Setting for Invalid Authentication Entries
You can protect invalid user authentication entries in an authentication table from expiring before the user can be validated by configuring a timeout setting that is specific to invalid entries. The invalid authentication entry timeout setting is separate from the common authentication entry timeout setting that is applied to valid entries.
Authentication entries in both the Windows Active Directory authentication table and the NFX Series ClearPass authentication table carry a timeout value after which the entry expires. Without a separate setting, an invalid entry could expire before the user's identity can be validated. Invalid entries arise as follows in each case:
For Windows Active Directory, the device probes an unauthenticated user's PC for identity information based on the IP address of the PC. It is not uncommon for the WMI probe to fail because it runs before the user has logged in. After an unsuccessful probe, the system creates an entry in the authentication table in INVALID state for the IP address of the PC. If you configured a value for the invalid entry timeout setting, that timeout is applied to the entry; if you did not, the default timeout of 30 minutes is applied.
For the NFX Series ClearPass feature, if an unauthenticated user attempts to join the network and the IP address of the user’s device is not found—that is, it is not in the Packet Forwarding Engine—the NFX Series device queries Aruba ClearPass for the user’s information. If the query is unsuccessful, the system generates an INVALID authentication entry for the user. If you configured a value for the invalid timeout setting, that timeout is applied to the entry. If you did not configure the invalid entry timeout, then its default timeout of 30 minutes is applied to the new entry.
The invalid entry timeout is also applied to entries whose state is changed from valid or pending to INVALID.
You configure the timeout setting to be applied to invalid authentication entries in the Windows Active Directory authentication table and the NFX Series ClearPass authentication table separately. If you do not configure a timeout setting, the invalid authentication entry timeout default value of 30 minutes is applied. The application and effect of the timeout value is determined differently for these authentication sources.
How the Invalid Authentication Entry Timeout Works for Windows Active Directory
Use the following command to configure the invalid authentication entry timeout setting for entries in the Windows Active Directory authentication table. In this example, the invalid authentication entry timeout value is set to 40 minutes. That timeout value is applied to new invalid entries.
The new value also reaches existing invalid entries, but in combination with the timeout they already carry and the time that has already elapsed under it. Suppose that the authentication table contains invalid entries to which an earlier invalid entry timeout setting, or the default, was applied. The new setting still changes their timeout, but the result depends on the time elapsed since the original value was applied as well as on the new value.
As Table 3 shows, the resulting timeout for an existing entry is the new value minus the time already elapsed for that entry. Depending on the numbers, the timeout is extended, shortened, or found to have already expired, in which case the invalid authentication entry to which it applies is deleted. A new value of 0 disables the timeout for the entry.
Table 3: How New Invalid Authentication Entry Timeout Settings Affect Timeout Settings for Existing Invalid Entries in the Active Directory Authentication Table
Original Invalid Entry Timeout Setting for Existing Entry | Elapsed Time | New Invalid Entry Timeout Configuration Setting | Resulting Timeout Setting for Existing Invalid Entry |
---|---|---|---|
20 minutes | 5 minutes | 50 minutes | 45 minutes |
50 minutes | 10 minutes | 20 minutes | 10 minutes |
50 minutes | 40 minutes | 20 minutes | Timeout expired and entry is removed from the authentication table |
40 minutes | 20 minutes | 0 (no timeout) | 0 (no timeout) |
An invalid entry created after the change simply takes the new value, and it is subject to the same rules if the invalid entry timeout value is changed again later.
How the Invalid Authentication Entry Timeout Works for NFX Series Aruba ClearPass
Use the following command to configure the invalid authentication entry timeout for entries in the NFX Series ClearPass authentication table. In this example, invalid authentication entries in the NFX Series ClearPass authentication table will expire 22 minutes after they are created.
When you initially configure the invalid authentication entry timeout value for ClearPass, it is applied to any invalid authentication entries that are generated after it was configured. However, all existing invalid authentication entries retain the default timeout of 30 minutes.
If you do not configure the invalid authentication entry timeout setting, the default timeout of 30 minutes is applied to all invalid authentication entries.
If you configure the invalid authentication entry timeout setting and delete it later, the default value is applied to new invalid authentication entries generated after the deletion. However, any existing invalid authentication entries to which a configured value had been applied previously retain that value.
If you change the setting for the invalid authentication entry timeout value, the new value is applied to all invalid authentication entries that were created after the value was changed. However, all existing invalid authentication entries retain the former invalid authentication entry timeout setting applied to them. Those entries to which the default value of 30 minutes had been applied previously retain that setting.
When the pending or valid state of an entry is changed to invalid, the invalid authentication entry timeout setting is applied to it.
When the state of an invalid authentication entry is changed to pending or valid, the invalid authentication entry timeout setting no longer applies to it; the common authentication entry timeout is applied instead.
Table 4 shows how a new invalid entry timeout value affects new and existing invalid entries.
Table 4: How New Invalid Authentication Entry Timeout Settings Affect Timeout Settings for Invalid Entries in the ClearPass Authentication Table
Entry | Initial Invalid Entry Timeout Setting | Elapsed Time | New Invalid Entry Timeout Configuration Setting | Final Timeout Setting for Entry |
---|---|---|---|---|
New invalid entry created after the change | not applicable | not applicable | 50 minutes | 50 minutes |
Existing invalid entry | 20 minutes | 5 minutes | 50 minutes | 15 minutes |
Existing invalid entry | 0 (no timeout) | 40 minutes | 20 minutes | 0 (no timeout) |
Existing invalid entry | 40 minutes | 20 minutes | 0 (no timeout) | 20 minutes |
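The timeout behaviour described in the last three sections (the common timeout versus the invalid-entry timeout, the "infinite" age time while sessions are attached, the switch of timeout when an entry changes state, and the different effect a changed invalid-entry timeout has on existing entries in the Active Directory table, Table 3, and the ClearPass table, Table 4) can be captured in one small model. This is an added illustration, not Junos code: the class and function names, the minute-based clock (`now`, `armed_at`) and the `retroactive_invalid` switch are assumptions made for the example, and the rules for existing entries are taken from the two tables above.

```python
"""Model of authentication-entry timeouts as described on this page.
Added illustration, not Junos code.  Times are whole minutes."""
from dataclasses import dataclass

EXPIRED = "expired"
INFINITE = "infinite"   # age time reported while sessions are attached


@dataclass
class TableConfig:
    common_timeout: int = 30          # authentication-entry-timeout (min); 0 = never
    invalid_timeout: int = 30         # invalid-entry timeout (min); 0 = never
    retroactive_invalid: bool = True  # True models the AD table, False ClearPass


@dataclass
class AuthEntry:
    ip: str
    user: str
    state: str
    armed_at: int    # minute at which the current timeout was started
    timeout: int     # timeout value carried by this entry; 0 = never
    sessions: int = 0


def arm_timeout(entry, cfg, state, now):
    """Move an entry to `state` and apply the timeout that matches it: the
    invalid-entry timeout for invalid, the common timeout otherwise."""
    entry.state = state
    entry.timeout = cfg.invalid_timeout if state == "invalid" else cfg.common_timeout
    entry.armed_at = now
    return entry


def remaining(entry, now):
    """Age time as the show command reports it: INFINITE while sessions are
    attached, 0 when the timeout is disabled, otherwise minutes left or
    EXPIRED once the timer has run out."""
    if entry.sessions > 0:
        return INFINITE
    if entry.timeout == 0:
        return 0
    left = entry.timeout - (now - entry.armed_at)
    return left if left > 0 else EXPIRED


def set_invalid_timeout(table, cfg, new_value, now):
    """Change the invalid-entry timeout and return the surviving table.

    AD table (Table 3): existing invalid entries take the new value, measured
    from when their timeout was armed; any entry whose new timeout has
    already passed is removed.  ClearPass table (Table 4): existing entries
    keep the value they were created with; only new entries see the change."""
    cfg.invalid_timeout = new_value
    if not cfg.retroactive_invalid:
        return list(table)
    kept = []
    for entry in table:
        if entry.state == "invalid":
            entry.timeout = new_value
            if remaining(entry, now) == EXPIRED:
                continue   # Table 3, row 3: already expired, dropped
        kept.append(entry)
    return kept
```

Running the Table 3 rows through `set_invalid_timeout` with `retroactive_invalid=True` reproduces 45, 10, removal and 0; the same rows with `retroactive_invalid=False` reproduce Table 4's 15, 0 and 20, and an entry armed after the change reports the new value in full.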