-
Cisco ACNS Software Configuration Guide for Locally Managed Deployments, Release 5.2
-
Title
-
Preface
-
Chapter 1: Introduction
-
Chapter 2: Understanding the Basics
-
Chapter 3: Getting Started
-
Chapter 4: Deployment Scenarios for Standalone Content Engines
-
Chapter 5: Configuring Transparent Redirection for Standalone Content Engines
-
Chapter 6: Configuring Conventional Caching Services for Standalone Content Engines
-
Chapter 7: Configuring WMT Streaming Media Services on Standalone Content Engines
-
Chapter 8: Configuring RTSP Media Services on Standalone Content Engines
-
Chapter 9: Configuring Content Authentication and Authorization on Standalone Content Engines
-
Chapter 10: Configuring URL Filtering on Standalone Content Engines
-
Chapter 11: Configuring ICAP on Standalone Content Engines
-
Chapter 12: Configuring the Rules Template on Standalone Content Engines
-
Chapter 13: Configuring Primary and Backup Proxy Servers for Standalone Content Engines
-
Chapter 14: Configuring Advanced Transparent Caching Features on Standalone Content Engines
-
Chapter 15: Configuring Additional Network Interfaces and Bandwidth on Standalone Content Engines
-
Chapter 16: Configuring Login Authentication and Authorization on Standalone Content Engines
-
Chapter 17: Configuring AAA Accounting on Standalone Content Engines
-
Chapter 18: Creating and Managing IP Access Control Lists for Standalone Content Engines
-
Chapter 19: Viewing and Modifying TCP Stack Parameters on Standalone Content Engines
-
Chapter 20: Monitoring and Troubleshooting
-
Appendix A: Content Engine GUI Menu Options
-
Appendix B: Reference Material for Standalone Content Engine Deployments
-
Table Of Contents
Configuring Content Authentication and Authorization on Standalone Content Engines
About Authentication and Authorization of Content Requests
Supported Content Authentication and Authorization Methods
Authenticating Web Clients Through Pass-Through Authentication
Authenticating Web Clients Through HTTP Request Authentication
Understanding Proxy Server Mode HTTP Request Authentication
Understanding Transparent Mode HTTP Request Authentication
Configuring HTTP Request Authentication
Configuring RADIUS Authentication of HTTP Requests
Configuring TACACS+ Authentication of HTTP Requests
Configuring LDAP Authentication of HTTP Requests
Example of Configuring LDAP Authentication of HTTP Requests
Understanding the Structure of the LDAP Database
Querying LDAP Servers for User Membership Information
Searching for User Account Information for Individuals in an LDAP Database
Searching for User Account Information for LDAP Direct Static Groups
Searching for User Account Information for LDAP Nested Static Groups
Configuring NTLM Authentication of HTTP Requests
About NTLM Load Balancing for HTTP Request Authentication
Configuring the Content Engine to Use NTLM Servers for HTTP Request Authentication
Configuring a List of Allowed Domains List NTLM HTTP Request Authentication
Configuring the Authentication Method Control for NTLM HTTP Request Authentication
Displaying the Current NTLM Configuration for Standalone Content Engines
Displaying the NTLM Statistics for Standalone Content Engines
Configuring Group-Based Authorization for Standalone Content Engines
Configuring Access Lists on Standalone Content Engines
Example of Configuring LDAP Group Authorization with Access Lists
Example of Configuring NTLM Group Authorization with Access Lists
Configuring Content Engines for Active Directory Group Searches
Examples of Configuring Content Engines to Support Active Directory Group Searches
Disabling Group Name-Based Access Lists
Configuring the LDAP Acceptable Use Policy Feature
Configuring the LDAP Password Expiration Feature
Configuring End-to-End Authentication for HTTP Requests
Basic End-to-End Authentication
NTLM End-to-End Authentication
Configuring Pass-Through Authentication for WMT Requests
Configuring Content Authentication and Authorization on Standalone Content Engines
This chapter describes how to configure content authentication and authorization on standalone Content Engines that are running ACNS software, Release 5.2 or later. Content authentication and authorization controls whether an end user (a client browser) can access the requested content that is served through the Content Engine.
Another type of authentication and authorization mechanism, login authentication and authorization, is used to configure the Content Engine to control the privilege levels that are granted to an administrative user who logs in to the Content Engine for administrative purposes (configuring, monitoring, or troubleshooting the Content Engine). Content authentication and authorization is independent of login authentication and authorization. For information about administrative login authentication and authorization, see "Configuring Administrative Login Authentication and Authorization on Standalone Content Engines."
Note
Throughout this chapter, the term "HTTP request" is used to refer collectively to requests over HTTP that include HTTP, FTP-over-HTTP, and HTTPS-over-HTTP requests.
This chapter contains the following sections:
•
•
•
•
•
•
Note
About Authentication and Authorization of Content Requests
As organizations extend the use of web applications and Internet access to their employees, they are confronted with the following challenges:
•
•
Organizations can use content authentication and authorization to address these concerns. For example, organizations can use HTTP request authentication (content authentication) as a mechanism to restrict access to online content. If HTTP authentication is configured on a standalone Content Engine, the Content Engine checks with an external authentication, authorization, and accounting (AAA) server for user password authentication to determine if the user should be granted or denied access to the requested content. See Figure 9-1.
Figure 9-1 HTTP Request Authentication and Group-Based Authorization
Note
Request authentication and authorization deal with any end user request that is going through the Content Engine. With request authentication and authorization, the Content Engine is verifying the end user. In contrast, end-to-end authentication and caching of authenticated objects deals with authentication for a particular object, and it is the origin server and not the Content Engine that verifies the end user.
For request authentication, ACNS supports LDAP, NTLM, TACACS+, and RADIUS. For request authorization, ACNS 5.x supports group-based access control lists (ACLs). In ACNS 5.2 software, group-based rules were also added and can be used for group-based authorization. With these features, you can require that end users who are making an HTTP request must be authenticated by an external AAA server, and then authorized by the configured ACLs or Rules Template.
The Rules Template feature allows you to configure a set of rules, each clearly identified by an action and a pattern or a group of patterns that a standalone Content Engine uses to filter HTTP requests (HTTP traffic) as well as HTTPS, MMS, and RTSP traffic. If you have enabled rules processing on a Content Engine (that is, enabled the Rules Template feature on the Content Engine and configured rules for the Content Engine), the Content Engine checks every incoming client request to determine if a rule pattern matches the requested content. If a rule pattern matches the given request, the Content Engine uses the specified action (policy) to handle this incoming traffic.
In ACNS 5.2 software, three new rule patterns were added (groupname, username, and groupname-regex). These new rule patterns support access control policies that are based on the group name and username of the authenticated NTLM and LDAP users. Rules based on group names apply to users who have been authenticated through NTLM and LDAP. Rules based on usernames apply to users who are authenticated through LDAP, NTLM, RADIUS, and TACACS+, which are request authentication mechanisms that involve a username for authentication.
For example, the following shows how to enable rule processing on the Content Engine using the rule enable global configuration command and then configure the Content Engine to block all end users in the Engineering group from downloading FTP URLs (FTP requests from a client browser) that contain the expression "java."
ContentEngine(config)# rule enableContentEngine(config)# rule pattern-list 1 group-type andContentEngine(config)# rule pattern-list 1 groupname EngineeringContentEngine(config)# rule pattern-list 1 url-regex javaContentEngine(config)# rule action block pattern-list 1 protocol ftp
Note
Another area of access control is the caching of authenticated content. That is, if the website requires client authentication before passing an object to the client, and the object is cached on the Content Engine, then the Content Engine should also authenticate the client before delivering the object to another client. This type of object is called "authenticated content."
Supported Content Authentication and Authorization Methods
Content authentication and authorization can be implemented through various protocols, as summarized in Table 9-1.
Table 9-1 Content Authentication and Authorization Methods Supported by ACNS Software, Release 5.2 or Later)
HTTP request authentication
RADIUS
TACACS+
LDAP
NTLM
Group-based authorization
Configuring Group-Based Authorization for Standalone Content Engines
End-to-end authentication
Basic
Microsoft NTLM
Pass-through authentication
for WMT requests
End-to-end authentication is authentication that occurs between the client and the origin server. Pass-through authentication is how the Content Engine handles end-to-end authentication. With pass-through authentication, the Content Engine passes through the authentication request and response between the client and the origin server without examining such requests and responses.
The following two types of content access controls are supported by standalone Content Engines:
•
•
Note
Authenticating Web Clients Through Pass-Through Authentication
The HTTP protocol itself has three ways to authenticate end users (web clients) who issue an HTTP request for content that is served through the Content Engine:
•
•
•
Note
Pass-through authentication is used when clients request access to content on a website that requires clients to authenticate themselves (that is, clients must enter their username and password in a popup login window) before the content is sent to requesters. The Content Engine, which is between the client and the website (either through proxy-configuration or transparent interception methods), ought not to hinder this client authentication. In order to support this authentication exchange between the client and the web server, the Content Engine must pass the authentication exchange between the client and the web server (it must "tunnel" the authentication exchanges).
Occasionally a website uses the client's IP address to authenticate a client. This is typically used in older web servers and is not the preferred solution for client authentication. However, for such older websites there must be a way for the Content Engine "to get out of the way" between the client and the web server so that the client can be authenticated. The authentication traffic bypass feature can be used in these cases. For information on this topic, see the "Configuring Authentication Traffic Bypass on Standalone Content Engines" section.
Note
Authenticating Web Clients Through HTTP Request Authentication
HTTP request authentication is used when the Content Engine communicates with an external AAA server to authenticate the client who is requesting content. This type of authentication is used to allow or prevent a client from accessing the Internet at all. For example, BigCorp may want to limit Internet access to its employees and not allow their temporary employees to access the web.
In this case, the Content Engine is located at the Internet gateway of BigCorp and can be used to enforce this policy. When the Content Engine receives a client request to access content that is served through the Content Engine, the following occurs:
1.
2.
3.
a.
b.
Note that in ACNS 5.x software, you can specify which groups of users are allowed to access the Internet and which groups are not allowed. In this case, the Content Engine asks the AAA server not only whether clients are who they claim to be but also which groups they belong to. The Content Engine then performs the appropriate actions based on the responses from the AAA server. This type of access control is referred to as "HTTP request authentication," and controls what content the client can access through the Content Engine. ACNS 5.x software supports the LDAP, NTLM, RADIUS, and TACACS+ protocols, which are used by common AAA servers. (See Table 9-1.)
In the case of NTLM, HTTP request authentication authenticates a user's domain, username, and password with a preconfigured primary domain controller (PDC) before allowing the requests from the user to be served by the Content Engine.
In ACNS 5.2 software, the ability to specify the list of domains that are allowed to perform NTLM HTTP request authentication through the Content Engine was added.
With an HTTP query, the Content Engine obtains a set of credentials from the user (user ID and password) and compares them against those in the authentication server database. When the Content Engine authenticates a user through an authentication server, a record of that authentication is stored locally in the Content Engine RAM (authentication cache). As long as the authentication entry is kept, subsequent attempts to access restricted Internet content by that user do not require authentication server lookups.
The Content Engine supports HTTP request authentication for both proxy mode and transparent (WCCP) mode access.
•
•
If you are using HTTP request authentication in transparent mode or NTLM in either transparent or proxy mode, we recommend that the AuthTimeout interval configured with the http authentication cache timeout global configuration command be short, because the key for the Content Engine's authentication cache is the client's IP address. IP addresses can be reallocated, or different users can access the Internet through an already authenticated device (PC, workstation, and the like). Shorter AuthTimeout values help reduce the possibility that individuals can gain access using previously authenticated devices. In ACNS 5.2 software, an absolute timeout configuration option was introduced with the http authentication cache ttl global configuration command. This absolute timeout can also be configured to help reduce the possibility of individuals gaining access by using previously authenticated browsers. For more information, see the "Specifying a Reauthentication Interval" section.
Understanding Proxy Server Mode HTTP Request Authentication
In some cases, users are located at branch offices. A Content Engine (CE1) can reside with them in the branch office and be configured in proxy mode. Another Content Engine (CE2) in proxy mode or another HTTP-compatible proxy device can reside upstream, with a TACACS+, RADIUS, NTLM, or LDAP server available to both Content Engines or proxy devices for login authentication.
Note
If branch office user 1 accesses the Internet, and content is cached at CE1, then this content cannot be served to any other branch office user unless that user is authenticated. CE1 must authenticate the local users.
Assuming that both CE1 and CE2 are connected to the server and authenticate the users, when branch office user 2 firsts requests Internet content, CE1 responds to the request with an authentication failure response (either HTTP 407 if in proxy mode, or HTTP 401 if in transparent mode). User 2 enters the user ID and password, and the original request is repeated with the credentials included. CE1 contacts the HTTP request authentication server to authenticate user 2.
Assuming authentication success, and a cache miss, the request along with the credentials is forwarded to CE2. CE2 also contacts the authentication server to authenticate user 2. Assuming authentication success, CE2 either serves the request out of its cache or forwards the request to the origin server. (This credential forwarding capability is not configured by default. If you want credential forwarding, you must explicitly configure it through the http append proxy-auth-header host CE2ipaddress global configuration command.)
User 2 authentication information is now stored in the authentication cache in both CE1 and CE2. Neither CE1 nor CE2 needs to contact the authentication server for user 2's subsequent requests (unless user 2's entry expires and is removed from the authentication cache).
This scenario assumes that CE1 and CE2 use the same method for authenticating users. Specifically, both Content Engines must expect the user credentials (user ID and password) to be encoded in the same way.
Tip
When the Content Engine is operating in proxy server mode and is configured for HTTP request authentication, the following events occur if one of the following two scenarios is true: (1) the Content Engine receives a proxy-style request directly from a client, or (2) the Content Engine receives a WCCP-redirected request and the Content Engine http authentication header global configuration command option is set to 407 (Proxy Authorization Required) because there is an upstream proxy.
1.
2.
3.
4.
5.
6.
7.
8.
Understanding Transparent Mode HTTP Request Authentication
When the Content Engine is operating in transparent mode, the user IP address is used as a key to the authentication cache. The Content Engine will always first look for an X-Forwarded-For header, then the source IP address. Consequently, use the http append x-forwarded-for-header global configuration command to configure the append x-forwarded-for header on the Content Engine named CE1 so that the Content Engine named CE2 will be able to see the client's IP address instead of just the IP address of CE1.
Note
In a topology with two Content Engines, assume that CE1 is operating in transparent mode and CE2 is operating in proxy mode, with the browsers of all users pointing to CE2 as a proxy.
Because the browsers are set up to send requests to a proxy, an HTTP 407 message (Proxy Authorization Required) is sent from CE1 back to each user to prompt for credentials. By using the 407 message, the problem of authenticating based on source IP address is avoided. The username and password can be used instead.
This mode provides better security than using the HTTP 401 message. The Content Engine examines the style of the address to determine whether there is an upstream proxy. If there is, the Content Engine uses an HTTP 407 message to prompt the user for credentials even when operating in transparent mode.
When the Content Engine is operating in transparent mode and is configured for HTTP request authentication, the following events occur if either of the following is true: (1) the Content Engine receives a redirected request from a client, or (2) the http authentication header global configuration command option is set to 401 (Unauthorized) because there is no upstream proxy.
1.
2.
3.
4.
5.
6.
7.
8.
In transparent mode, the Content Engine uses the client IP address as a key for the Content Engine authentication cache.
Configuring HTTP Request Authentication
You can configure one of the following authentication and authorization methods to control HTTP request authentication on a standalone Content Engine:
•
•
•
•
Note
Usage Guidelines
When configuring HTTP request authentication on a standalone Content Engine, note the following important points:
•
•
•
•
•
•
Note
For ACNS 5.x software, the radius-server authtimeout option and the ldap authcache max-entries and ldap authcache auth-timeout options have been removed and are now configurable through the http authentication cache max-entries and timeout commands, respectively. The ldap client auth-header option has been removed and is now configurable through the http authentication header command. The multi-user-prompt has been removed and replaced by the http avoid-multiple-user-prompts option. In addition, the radius-server command option exclude has been removed. The rule no-auth domain command replaces radius-server exclude; however, there is no replacement available for the multi-user-prompt option. The ldap server command has the following added options: enable and version.The Content Engine uses simple (nonencrypted) authentication to communicate with an LDAP authentication server.
•
–
–
–
–
These additional authentication servers act as backup authentication servers and will only be used when the primary authentication server is not available. If the Content Engine cannot connect to any of the authentication servers, no authentication takes place, and users who have not been previously authenticated are denied access.
•
–
–
•
In this example, the host for the LDAP server is configured:
ContentEngine(config)# ldap server host www.someDomain.com port 390In this example, the host for the RADIUS authentication server is configured:
ContentEngine(config)# radius-server 172.16.90.121
Note
For information on the various types of HTTP request authentication methods supported by a standalone Content Engine, see the following sections:
•
•
•
•
Configuring RADIUS Authentication of HTTP Requests
RADIUS authentication clients reside on the Content Engine running ACNS 5.x software. When enabled, these clients send authentication requests to a central RADIUS server that contains user authentication and network service access information.
When the Content Engine communicates with a RADIUS authentication server, the RADIUS server requires that the RADIUS client (Content Engine) to be registered. Additionally, the RADIUS client and server use the secret key. This secret key has to be configured on both the RADIUS server and RADIUS client (Content Engine); the RADIUS client uses this RADIUS key to encrypt and decrypt authentication packets.
Note
To configure RADIUS authentication for HTTP requests on a standalone Content Engine, follow these steps:
Step 1
Step 2
•
•
The redirect option of the radius-server global configuration command redirects an authentication response to a different authentication server if an authentication request using the RADIUS server fails. The following example enables the RADIUS client on the Content Engine, specifies an external RADIUS server, specifies the RADIUS key, accepts retransmit defaults, and excludes the domain name mydomain.net from RADIUS authentication.
ContentEngine(config)# radius-server enableContentEngine(config)# radius-server host 172.16.90.121ContentEngine(config)# radius-server key myradiuskeyContentEngine(config)# rule enableContentEngine(config)# rule no-auth domain mydomain.net
Note
The configuration is displayed and verified with the show radius-server and show rule all EXEC commands.
ContentEngine# show radius-serverRadius Configuration:---------------------Radius Authentication is onTimeout = 5Retransmit = 3Key = ****Servers-------IP 172.16.90.121 Port = 1645 State: ENABLEDContentEngine# show rule allRules Template Configuration----------------------------Rule Processing Enabledrule no-auth domain mydomain.net
Note
Configuring TACACS+ Authentication of HTTP Requests
When the Content Engine communicates with a TACACS+ authentication server, the same secret key (for example, tackey) has to be configured on the TACACS+ server and each of the TACACS+ clients (Content Engine, routers, and so forth) that want to communicate with this TACACS+ server.
ContentEngine(config)# tacacs key "tackey"The TACACS+ server uses this common client key to encrypt or decrypt. The TACACS+ authentication server does not require that the TACACS+ client be registered.
The TACACS+ database validates users before they gain access to a Content Engine. TACACS+ is derived from the United States Department of Defense (RFC 1492) and is used by Cisco Systems as an additional control of nonprivileged and privileged mode access. ACNS 4.1 or later software supports TACACS+ only and not TACACS or Extended TACACS.
To configure TACACS+ authentication for HTTP requests on a standalone Content Engine, follow these steps:
Step 1
ContentEngine(config)# tacacs server ip_addr [primary]This example shows how to specify a specific TACACS+ server as a primary server.
ContentEngine(config)# tacacs server 172.16.50.1 primaryThis example shows how to specify a specific TACACS+ server as a backup server. This can be achieved by not specifying the primary option.
ContentEngine(config)# tacacs server 172.16.50.2Step 2
ContentEngine(config)# tacacs key key
Step 3
For example, configure the Content Engine to wait 15 seconds before declaring a timeout if it has not received a response from the TACACS+ server.
ContentEngine(config)# tacacs timeout 15Step 4
For example, configure the Content Engine to retransmit only one time to the TACACS+ server if a TACACS+ timeout occurs.
ContentEngine(config)# tacacs retransmit 1Step 5
For example, use ASCII clear text as the mechanism by entering the ascii keyword.
ContentEngine(config)# tacacs password asciiStep 6
ContentEngine(config)# tacacs enable
Note
Configuring LDAP Authentication of HTTP Requests
To address the issue that the X.500 protocol Directory Access Protocol (DAP) was too complex for many directory implementations, the University of Michigan developed the Lightweight Directory Access Protocol (LDAP). LDAP is a directory service protocol that is simpler than the TCP/IP-based version of DAP, and can be used to access information directories.
A standalone Content Engine can be configured to restrict user Internet access by using an LDAP server for authentication purposes, which provides most of the services of the X.500 protocol with less complexity and overhead.
Note
Typically, an LDAP client (the Content Engine) queries an LDAP server and obtains the user's credentials such as user's account expiration, privileges, and group membership from the remote LDAP directory on an OpenLDAP or third-party LDAP server. In ACNS software, Release 5.1 or later, the Content Engine can also authenticate and authorize a user who is configured in a remote Active Directory user database on a Microsoft Active Directory server.
Figure 9-2 shows how the Content Engine (an LDAP client) works with any of the following types of servers to perform LDAP authentication of HTTP requests:
•
•
•
Note
Figure 9-2 LDAP Authentication of HTTP Requests in Proxy Mode
Note
The Active Directory group attribute is an LDAP Version 3 extension. Consequently, the Content Engine must use LDAP Version 3 to query a Microsoft Active Directory server separately for this information.Table 9-2 lists the features that are supported on the different types of LDAP servers (shown in Figure 9-2). An "x" indicates support of a particular feature.
When you configure LDAP authentication of HTTP requests, keep these important points in mind:
•
•
•
–
–
ContentEngine(config)# ldap server enableldap server version 3–
–
ContentEngine(config)# ldap server retransmit 3–
–
–
ContentEngine(config)# ldap server base dc=cisco,dc=com–
–
–
–
Use the ldap server host {hostname | hostipaddress} primary global configuration command to designate an LDAP server as the primary server. Specify the IP address or host name of the primary LDAP server.
Use the ldap server host {hostname | hostipaddress} secondary global configuration command to designate an LDAP server as the secondary server. Specify the IP address or host name of the primary LDAP server.
This example shows how to specify two LDAP servers as primary and secondary HTTP request authentication servers:
ContentEngine(configure)# ldap server 172.16.1.1 primaryContentEngine(configure)# ldap server 172.16.1.2 secondary
Note
–
Note
Table 9-3 lists the Content Engine's default configuration for LDAP authentication of HTTP requests.
Example of Configuring LDAP Authentication of HTTP Requests
The following example describes how to use the Content Engine CLI to configure LDAP authentication of HTTP requests on a standalone Content Engine.
Step 1
ContentEngine(config)# ldap server host 10.1.1.1Step 2
Figure 9-2 shows that the LDAP client on the Content Engine can send LDAP Version 2 or Version 3 requests to an OpenLDAP server or a third-party LDAP server. However, the Content Engine must use LDAP Version 3 to communicate with a Microsoft Active Directory server. By default, the Content Engine uses LDAP Version 2. To change this default, use the ldap server version 3 global configuration command.
ContentEngine(config)# ldap server version 3Step 3
ContentEngine(config)# ldap server enableStep 4
These search criteria are passed to the LDAP server, which uses these criteria to search through its user database. The LDAP server retrieves the user's password for authentication. If the user is authenticated, then the LDAP server searches through its database for the requested user membership information, and returns this information to the Content Engine.
Search criteria can include such information as the group attribute (for example, organizationUnit or Active Directory), the name of the user identification (UID) attribute, and the starting point of the search. You can also specify a filter (for example, "objectclass=users") to restrict the scope of the database search. If the Content Engine is configured for group-based authorization, then the Content Engine will use the retrieved group names to perform group-based authorization for authenticated users. For more information on group-based authorization through access lists, see the "Configuring Group-Based Authorization for Standalone Content Engines" section.
In order to specify the search criteria, you must understand the structure of the user database being queried. For example, the Content Engine by default will request that the authentication server search its database for organizational unit (ou) group membership.
Note
The organizational unit option and the Active Directory option are independent parameters. You can configure a Content Engine to search a Microsoft Active Directory server database for organizational unit group membership as well as Active Directory group membership.You can change this default. The following example shows how to configure the Content Engine to query a Microsoft Active Directory server for only the Active Directory group membership and not the organizational unit group membership for authenticated users.
Content Engine(config)# ldap server group active-directory enableThe following sample output shows that the Content Engine is now configured to search the Microsoft Active Directory server database for Active Directory group membership (memberOf) for authenticated users:
ContentEngine# show ldapLDAP Configuration:-------------------LDAP Authentication is enabledAllow mode: disabledBase DN: "DC=cisco,DC=com"Filter: <none>Retransmits: 2Timeout: 5 secondsUID Attribute: uidGroup Attribute:organizationUnit: disabled (ou)Custom Attribute: disabledActive Directory: enabled (memberOf)
Note
You can also configure the Content Engine to perform group-based authorization after a user has been successfully authenticated. If the Content Engine is configured for group-based authorization, then the Content Engine checks its access lists to determine whether the groups that the authenticated user belongs to should be granted or denied access to the requested content. Based on the results of this LDAP group-based authorization, the Content Engine grants or denies user access to the requested content (see Figure 9-1).
In order for LDAP group-based authorization to occur, you must have completed the following prerequisite tasks on the Content Engine:
•
•
Understanding the Structure of the LDAP Database
In order to configure the LDAP client on the Content Engine to query a remote user database, you must understand the structure of the user database being queried.
LDAP database entries are arranged in a hierarchical directory tree that reflects logical or geographic boundaries. The LDAP directory has the following structure. (See Figure 9-3.).
•
•
•
•
Figure 9-3 LDAP Database Structure
Note
An LDAP directory can contain such information as text, photographs (JPEGs), URLs, binary data, and public key certificates.
About LDAP User Database Entries
An entry in an LDAP user database (an LDAP directory) is a collection of attributes that has a name, called a distinguished name (dn). Each of the entry's attributes has a type, name, and one or more values.
•
•
•
The following example shows the complete database entry for Jane Smith in an OpenLDAP or third-party LDAP server database.
# Jane Smith, cisco, comdn: cn=Jane Smith,dc=cisco,dc=comtelephoneNumber: (408) 123-9100mail: jsmith50@cisco.comuid: jsmith50givenName: Janesn: Smithcn: Jane SmithThe following example shows the complete entry for Jane Smith in a Microsoft Active Directory server database.
# Jane Smith, cisco, comdn: CN=Jane Smith,DC=cisco,DC=commemberOf: CN=Users,DC=cisco,DC=comtelephoneNumber: (408) 123-9100mail: jsmith50@cisco.comuid: jsmith50givenName: Janesn: Smithcn: Jane SmithAn entry in an LDAP user database is referenced by its distinguished name (dn). A distinguished name is constructed by taking the name of the entry itself and concatenating the names of its ancestor entries in the hierarchical directory structure of the LDAP database. For example, if the common name (cn) is "Jane Smith" and this individual belongs to the organization named "cisco," then the distinguished name for this LDAP directory entry is:
•
•
About User Groups in an LDAP Directory
An LDAP directory can contain groups of users that are part of an LDAP group (for example, groups named "Marketing" and "Engineering"). An LDAP group is a list, a collection of names. An LDAP group has an objectclass attribute of groupOfNames, and consists of one or more members. (A group cannot be empty.)
As part of an LDAP database search, the LDAP server can be instructed to retrieve the group names of the authenticated user. The Content Engine uses the retrieved group names and its group name-based access lists to perform group-based authorization for these LDAP users.
Note
There are multiple ways to support LDAP grouping in a user database:
•
•
•
The method that the database administrator used to group users in a database determines how you must configure the Content Engine to query that database for user membership information. For examples of how to use the CLI to configure the Content Engine to perform LDAP directory queries, see the "Querying LDAP Servers for User Membership Information" section.
In LDAP Version 3, groups can be defined as static, dynamic, or organizationUnit (organizational units). The groups can be nested. ACNS software, Release 5.1 or later supports static and organizationUnit groups; it does not support dynamic groups.
Grouping LDAP Users into Organizational Units
When the LDAP server administrator groups LDAP users based on organizational units (for example, "Marketing"), the administrator can assign a user to any group, and can nest groups. An organizational unit is synonymous with a native LDAP group. This method is also referred to as native LDAP group configuration. All conventional LDAP Version 3 servers support native LDAP group configuration in the user database.
By default, the Content Engine is configured to query an LDAP server for organizational unit group membership. The following example shows the two entries in the LDAP database that are used to assign the LDAP user named "Penny Gold" to the organizational unit named "Marketing."
In the first database entry, the LDAP server administrator defines the group node for the organizational unit named "Marketing."
dn: cn=Marketing,dc=cisco,dc=comcn: Marketingobjectclass: groupOfNamesIn the second database entry, the administrator defines the individual node for Penny Gold. This node contains all of Penny Gold's user membership information.
# Penny Gold, marketing, cisco, comdn: cn=Penny Gold,ou=Marketing,dc=cisco,dc=comtelephoneNumber: (408) 123-4444mail: pgold@cisco.comuid: pgoldgivenName: Pennysn: Goldcn: Penny GoldBecause Penny Gold's organizational unit (ou) is specified as "Marketing," she is assigned the group privileges of this particular group. If you have configured the Content Engine for group-based authorization (for example, configured an access list that permits the members of the Marketing group to access content that is served through the Content Engine). And when the Content Engine has authenticated Penny Gold, it will grant her access to the requested content because she is a member of the Marketing group.
Based on the above database structure, the following example shows how you would configure the Content Engine to query this database for user membership information for such users as Penny Gold. The server with an IP address of 172.16.1.1 (an OpenLDAP server or the third-party LDAP server) is instructed to start the database search at the node named "Marketing," to search for the user identification (user name and user password), and to retrieve the group names of the authenticated user.
ContentEngine(config)# ldap server 172.16.1.1ContentEngine(config)# ldap server userid-attribute uidContentEngine(config)# ldap server organizationUnit enableContentEngine(config)# ldap server base "dc=cisco,dc=com"ContentEngine(config)# ldap server enableBecause the organizationUnit option is enabled, the LDAP server queries the database for the organizationUnit configuration (ou attribute) of the user account. If the user belongs to more than one organizational unit, the LDAP server will return a string that contains all of the group names to which the user belongs. If the Content Engine is configured for LDAP group-based authorization, it uses the retrieved group names and its access lists to perform group-based authorization on the authenticated user.
Grouping LDAP Users into Static Groups
When the LDAP server administrator uses static groups to group LDAP users in a user database, the administrator explicitly specifies each member of the static group individually. LDAP administrators assign users to an LDAP static group in order to set up a user's authorization privileges. A user's access to the Internet is allowed or denied based on the privileges that have been assigned to the static group (for example, "Engineering" or "Hardware Engineers").
A static group defines each member individually using the object class attribute of groupOfNames or groupOfUniqueNames. These object classes require the attribute member (groupOfNames) or uniqueMember (groupOfUniqueNames). There is a one-to-one correspondence between the object class name and the member name attribute. A static group that uses these structural object classes must have at least one member; it cannot be empty.
The Content Engine LDAP static group feature allows you to query both object classes (groupOfNames and groupOfUniqueNames) for group members.
•
ContentEngine(config)# ldap server group static member-attribute memberContentEngine(config)# ldap server group static enable•
ContentEngine(config)# ldap server group static member-attribute uniquememberContentEngine(config)# ldap server group static enable
Note
The following example shows how an LDAP server administrator can configure static groups in an LDAP database.
1.
–
–
–
–
–
–
–
The following example shows how the LDAP server administrator defines a node for the user "Jay Doe."
# Jay Doe, Engineers, cisco, comdn: cn=Jay Doe,ou=Engineering,dc=cisco,dc=comtelephoneNumber: (408) 123-8910mail: jdoe8@cisco.comuid: jdoe8givenName: Jaysn: Doecn: Jay DoeThe following example shows how the LDAP server administrator defines a node for the user "Don Smith."
# Don Smith, Engineers, cisco, comdn: cn=Don Smith,ou=Engineering,dc=cisco,dc=comtelephoneNumber: (408) 123-4567mail: dsmith7@cisco.comuid: dsmith7givenName: Donsn: Smithcn: Don Smith2.
The following example shows how the LDAP server administrator explicitly specifies that the parent group named "Engineering" has two static members (the groups named "Hardware Engineers" and "Software Developers"). The groups named "Hardware Engineers" and "Software Developers" are nested static groups; they are nested under the parent group.
dn: cn=Engineering,dc=cisco,dc=comcn: Engineeringobjectclass: groupOfNamesmember: cn:Hardware Engineers,dc=cisco,dc=commember: cn:Software Developers,dc=cisco,dc=comThe following example shows how the LDAP server administrator explicitly assigns Jay Doe and Don Smith to the static group named "Hardware Engineers." This is a one-way link between the two connected nodes because the member attribute is used. If the member of attribute were used; a two-way link would be created between the two connected nodes. Connecting nodes with a two-way link reduces the number of TCP requests that are required to search through the database for user membership information.
dn: cn=Engineers,dc=cisco,dc=comcn: Hardware Engineersobject: groupOfNamesmember: cn:Jay Doe,ou=Engineering,dc=cisco,dc=commember: cn:Don Smith,ou=Engineering,dc=cisco,dc=comBy default, static group queries and nested group queries are disabled on the Content Engine (as shown in the following excerpt of sample output from the show ldap EXEC command).
ContentEngine# show ldapLDAP Configuration:-------------------Static Groups: disabledGroup Attribute:Group Member:Nested Groups: disabledNested Level: 1However, you can use the CLI to enable and configure such queries on a standalone Content Engine, as described in these sections:
•
•
Grouping Users into Active Directory Groups
Microsoft Active Directory is a software application that runs on a Windows 2000 server. An Active Directory (AD) database is a user database that resides on a Windows 2000 server that is running the Microsoft Active Directory program.
In ACNS software, Release 5.1 or later, the LDAP client on a Content Engine provides LDAP support for Active Directory groups. Microsoft Active Directory only supports LDAP Version 3. By default, the Content Engine uses LDAP Version 2. Therefore, use the ldap server version 3 global configuration command to configure the Content Engine to use LDAP Version 3 before enabling the LDAP Active Directory feature on the Content Engine.
ContentEngine(config)# ldap server version 3To request that the LDAP server query the Active Directory group membership, enter this command:
ContentEngine(config)# ldap server group active-directory enable
Note
The following is an entry sample from a user account in an Active Directory database.
dn: CN=Penny Gold,CN=Users,DC=cisco,DC=localmemberOf: CN=Marketing,DC=cisco,DC=localThe memberOf attribute and a group name for each individual group were added to the user's account configuration. The memberOf attribute does not support the nested group structure.
About LDAP Directory Searches
The LDAP directory service is a global directory service that allows LDAP clients (Content Engines) to access information that is stored in an LDAP directory, as follows:
1.
The following example shows how to configure the Content Engine to query a standard LDAP server for user identifications (user ID and password), and to ask the LDAP server to retrieve the names of any organizational units (groups) that a user belongs to:
ContentEngine(config)# ldap server userid-attribute uidContentEngine(config)# ldap server organizationUnit enable
The Content Engine administrator configures the search criteria on the Content Engine. For more information on this topic, see the "Querying LDAP Servers for User Membership Information" section.
2.
a.
–
–
b.
–
–
Note
c.
–
–
d.
–
–
3.
–
–
Note
Querying LDAP Servers for User Membership Information
This section provides some examples of how to configure the Content Engine to perform LDAP directory queries.
•
•
•
Note
Searching for User Account Information for Individuals in an LDAP Database
The following example shows how to configure a Content Engine to search for user account information for individuals (for example, Jane Doe) in an LDAP user database:
1.
ContentEngine(config)# ldap server 172.16.1.1By default, port 389 is configured as the TCP port for the LDAP authentication server. To specify another port for the LDAP server, use the ldap server port port-num command. Valid port numbers are 1 through 65535.
2.
ContentEngine(config)# ldap server base "dc=cisco,dc=com"3.
ContentEngine(config)# ldap server enable4.
a.
ContentEngine(config)# ldap server userid-attribute uidb.
ContentEngine(config)# ldap server organizationUnit enableSearching for User Account Information for LDAP Direct Static Groups
The following example shows how to configure the Content Engine to request that the specified LDAP server perform a direct (nonnested) static group database query. This type of query enables the Content Engine to perform HTTP request authentication for users who have been assigned to a direct static group (a parent static group).
In this scenario, the LDAP database is queried for user account information for the direct static group named "Engineering."
1.
ContentEngine(config)# ldap server 172.16.1.12.
ContentEngine(config)# ldap server group static group-attribute cn3.
ContentEngine(config)# ldap server group static member-attribute member4.
ContentEngine(config)# ldap server base "dc=cisco,dc=com"5.
ContentEngine(config)# ldap server enable6.
ContentEngine(config)# ldap server group static enableSearching for User Account Information for LDAP Nested Static Groups
The following example shows how to configure the Content Engine to request that the specified LDAP server perform a nested static group database query. In this case, the LDAP directory is searched for user account information for any static groups that are nested under the parent group named "Engineering."
1.
ContentEngine(config)# ldap server 172.16.1.12.
By default, the LDAP server searches the LDAP directory one level down from the starting point of the search. In this case, the two nested static groups "Hardware Engineers" and "Software Developers" are nested two levels down from the starting point of the search (the organizational node named "cisco"). Therefore, in this example the LDAP server is instructed to search two levels down.
ContentEngine(config)# ldap server group static nested level 23.
ContentEngine(config)# ldap server group static group-attribute cn4.
ContentEngine(config)# ldap server group static member-attribute member5.
ContentEngine(config)# ldap server base "dc=cisco,dc=com"6.
ContentEngine(config)# ldap server enable7.
ContentEngine(config)# ldap server group static nested enableConfiguring NTLM Authentication of HTTP Requests
Windows NT LAN Manager (NTLM) is the authentication protocol that is used by Microsoft's browsers (Internet Explorer), proxies, and web servers (IIS). The NTLM protocol, which is a challenge-response-based protocol can be used to authenticate and block user access to the Internet. The main advantage of using NTLM for HTTP request authentication is that NTLM sends the password in an encrypted format to the server that originated the authentication challenge.
Typically, enterprises are already using NTLM to enforce access control to information that is stored on their intranet sites. Additionally, enterprises want to protect Internet browsing but not have to prompt their end users for usenames and passwords. NTLM provides this authentication scheme through Microsoft Internet Explorer and domain controllers (DCs). Content Engines support NTLM HTTP request authentication in order to support both of these models. A client (web browser) attempts to perform NTLM HTTP request authentication with the Content Engine in order to be allowed to use the Content Engine (the HTTP proxy server) to access the requested content.
When a user logs in to a Windows NT or a Windows 2000 domain and starts a browser, the authentication information is stored by the browser and later used as NTLM credentials to access the Internet. The browser sends the NTLM credentials with the domain name to the Content Engine, which in turns sends a request to the Windows NT domain controller to check the validity of the user in the domain. If the user is not a valid user in the domain, then the request to access the Internet is denied. If authentication succeeds, the source IP address is entered in the Content Engine authentication cache. Future requests from this IP address are not challenged until the authentication cache entry expires or is cleared.
In ACNS 5.2 software, the following enhancements for NTLM HTTP request authentication were added:
•
•
Note
•
•
•
ContentEngine(config)# ntlm server ?ad-group-search Active Directory group search optionsconnection-retry Maximum attempts to connect to serverconnection-timeout Time to wait connecting to server (seconddomain Specify Domain nameenable Enable NTLM Authenticationhost Host optionsscheme Scheme to use for the host listContentEngine(config)# ntlm server ad-group-search gc-server ?host Specify global catalog server addressport Specify global catalog server port, default 3268scheme Scheme to use for the host list•
•
•
Note
•
You can use the transaction-logs log-window-domain global configuration command to configure the Content Engine to send the username and domain name to the transaction log. The Windows domain name that is used for NTLM authentication appears in the usename field of the transaction log. The username appears in the format "domain\username" in those formats that contain usernames that are in Extended Squid-style or custom format using the %u format token.
For clients within the domain using the Internet Explorer browser in proxy mode, authentication is "popless"; this is, the user is not prompted with a dialog box to enter a username and password. In transparent mode, authentication is transparent only if the Internet options security settings are customized and set to User Authentication > Logon > Automatic logon with current username and password.
For clients outside the domain using the Netscape 7.1 or earlier browser, a dialog box appears and the first authentication request asks the client to enter a username and password. Once the client is successfully authenticated, the entry is placed in the cache, and no reauthentication requests are made to the client until the authentication cache entry expires.
About NTLM Load Balancing for HTTP Request Authentication
In ACNS software, Release 4.x to Release 5.1, you needed to configure one primary domain controller for HTTP request authentication and a secondary domain controller for failover. However, in large-scale networks, if all the traffic passes through the Content Engine, even though the Content Engine authentication cache can help reduce the load on the domain controller, it may still be impractical to have a single domain controller handle authentication queries from all of the end users.
To address this concern, load balancing between domain controllers was added in ACNS 5.2 software. With ACNS 5.2 software, the ability to configure up to eight servers (domain controllers) for load-balancing and failover purposes was added. The order of server configuration determines the order of load balancing or failover.
When load balancing is selected as the scheme, the requests are round-robined between the domain controllers. For example, if you have n servers (domain controllers), the first request goes to Server 1, the second request is sent to Server 2, the nth request is sent to Server n, and the (n+1)th request is sent to Server 1. If Server 1 fails, the Content Engine attempts to send the request to the next configured server that is alive (in this case, Server 2). However, failover to the next alive server occurs only once. For example, if Server 2 goes down when handling request 1, then request 1 does not fail over again.
If load balancing is enabled and the server information is changed during run time, the change is picked up at run-time without disrupting the service. The configuration of each configured NTLM or Global Catalog server is available through the show ntlm EXEC command. Statistics about the total number of requests going through the servers is collected and available through the show statistics ntlm EXEC command. Statistics about requests going through each domain controller are also collected and available through the show statistics ntlm EXEC command.
Note
Configuring the Content Engine to Use NTLM Servers for HTTP Request Authentication
You can use the Content Engine GUI or the CLI to configure a standalone Content Engine to use external NTLM servers for HTTP request authentication.
In ACNS software, Release 5.1.x or earlier, you explicitly designated a primary NTLM server and a secondary NTLM server by using the primary and secondary options of the ntlm server host global configuration command, as shown below:
ContentEngine(config)# ntlm server host 172.16.10.10 primaryContentEngine(config)# ntlm server host 172.16.10.12 secondaryIn ACNS software, Release 5.2 and later, you can configure a Content Engine to use up to eight NTLM servers for HTTP request authentication. The order of the server configuration determines the order of load balancing or failover. For example, if the failover is enabled then the first server configured (Server 1 that has an IP address of 172.16.10.10) is the "primary" server and is sent all of the requests first. The last server configured (Server 3 that has the IP address of 172.16.10.14) is the last server that the Content Engine contacts. If the load balancing is enabled, only the first request is sent to the first configured server (Server 1), after which round-robin is used among the remaining servers (for example, the second request is sent to Server 2, and the third request is sent to Server 3).
ContentEngine(config)# ntlm server host 172.16.10.10ContentEngine(config)# ntlm server host 172.16.10.12ContentEngine(config)# ntlm server host 172.16.10.14
Note
You can use the Content Engine GUI or the CLI to configure the Content Engine to use up to eight NTLM servers for HTTP request authentication.
From the Content Engine GUI, choose Caching > NTLM to access the NTLM window. Use the NTLM window to specify NTLM server settings on the Content Engine, and click Update. For more information about the fields on the NTLM window, click the HELP button in the window.
From the Content Engine CLI, use the ntlm server global configuration command.
The following example describes how to use the Content Engine CLI to configure a standalone Content Engine to use the maximum number of servers (eight NTLM servers) to load balance HTTP authentication requests.
Step 1
In the following example, the Content Engine is configured to use a host list that consists of eight NTLM servers.
ContentEngine(config)# ntlm server host 172.16.10.10ContentEngine(config)# ntlm server host 172.16.10.12ContentEngine(config)# ntlm server host 172.16.10.14ContentEngine(config)# ntlm server host 172.16.10.16ContentEngine(config)# ntlm server host 172.16.10.18ContentEngine(config)# ntlm server host 172.16.10.20ContentEngine(config)# ntlm server host 172.16.10.22ContentEngine(config)# ntlm server host 172.16.10.24Step 2
The default is two attempts. Valid values are from one to three attempts. After the specified number of attempts is exceeded, the Content Engine stops attempting to connect to the NTLM server and attempts to connect to the next configured server on the host list. In the following example, this value is set to 3.
ContentEngine(config)# ntlm server connection-retry 3Step 3
This is the timeout for one connection attempt. If the specified amount of time is exceeded, the Content Engine gives up the connection and attempts to connect to the same server up to the specified number of times (the number of retries specified with the ntlm server connection-retry global configuration command) before the Content Engine attempts to connect to the next server. The default is 5 seconds. Valid values are from 1 to 20 seconds.
In the following example, this timeout is set to 10 seconds.
ContentEngine(config)# ntlm server connection-timeout 10Step 4
ContentEngine(config)# ntlm server scheme ?fail-over Fail-over between hostsload-balanced Round-robin load balancing between hostsBy default, the configured servers are used for failover. In the following example, this default is changed, and the Content Engine is configured to use the configured servers for load balancing. When load balancing is enabled, only the first request is sent to the first configured server, after which round-robin is used among the remaining configured servers. (In contrast, when failover is enabled, the Content Engine sends all the requests to the first configured server.)
ContentEngine(config)# ntlm server scheme load-balancedStep 5
ContentEngine(config)# ntlm server enableStep 6
Step 7
For an example of the show ntlm EXEC command output, see the "Displaying the Current NTLM Configuration for Standalone Content Engines" section.
Configuring a List of Allowed Domains List NTLM HTTP Request Authentication
In ACNS 5.1.x software, you were required to specify the name of the Windows NT domain that the end user was to be authenticated against. This was referred to as the default NTLM domain name. For example, the following command specified that the user needed to be authenticated against the domain named "cisco.com" in order to be authenticated.
ContentEngine(config)# ntlm server domain-name cisco.comIn ACNS software, Release 5.2 or later, you are not required to specify a name for the default domain. If the client does not supply a domain name in the request authentication credential and there is no default domain configured on the Content Engine (that is, the ntlm server domain global configuration command was not used), then an authentication error message is returned to the client. A predetermined error page that contains text indicating the reason for the error is sent to the client.
In ACNS 5.2 software, you can specify a list of domains that are allowed to perform NTLM HTTP request authentication with the Content Engine. This capability allows you to limit the domains that can perform NTLM HTTP request authentication with the Content Engine; thereby providing additional security. This feature is called the "allowed domain feature." If this feature is enabled on the Content Engine and the supplied domain credential does not match any the of domains in the allowed domain list, then HTTP request authentication fails and the client is sent an error message.
To support the allowed domain feature, the following Content Engine CLI commands were added in ACNS 5.2 software:
•
•
•
If the allowed domain list feature is enabled, then this feature works as follows:
•
•
Configuring the Authentication Method Control for NTLM HTTP Request Authentication
By default, the Content Engine (the HTTP proxy server) always sends a basic authentication response header along with an NTLM authentication header to the client browser. This default behavior enables the client to be authenticated with the Content Engine even if the client browser does not support the NTLM protocol, as is the case with the Netscape browser. (Internet Explorer supports the NTLM protocol.)
Because basic authentication transmits user credential information in clear text format, it is less secure than NTLM authentication. Consequently, for security purposes you may want to configure the Content Engine to not send a basic authentication response header along with an NTLM authentication header.
In ACNS 5.2 software, the ability to configure the authentication method control for NTLM HTTP request authentication was added. The authentication method control feature allows you to enable or disable the Content Engine from sending a basic authentication response header along with an NTLM authentication header. To support this feature, the following Content Engine CLI commands were added:
•
•
If you do not want the client browser to be able to use the basic authentication method between the client and the Content Engine for NTLM HTTP request authentication because it is a less secure method than NTLM, then disable the NTLM basic authentication feature on a standalone Content Engine.
To disable the NTLM basic authentication feature on a standalone Content Engine, enter the no ntlm basic-auth enable global configuration command.
If the Content Engine is configured to not send the basic authentication header to the client and the client does not support NTLM authentication (for example, Netscape browsers only support basic authentication), then the client cannot continue with this HTTP request. The client browser behavior is browser-dependent; for example, some browsers may retry the request over a certain period of time.
Displaying the Current NTLM Configuration for Standalone Content Engines
To display information about each NTLM server and each Global Catalog server that the Content Engine is configured to use, enter the show ntlm EXEC command. See the sample output below.
ContentEngine# show ntlmNTLM parameters:NTLM Hosts:172.16.10.10172.16.10.12172.16.10.14172.16.10.16172.16.10.18172.16.10.20172.16.10.22172.16.10.24scheme: Load-balancedState: EnabledBasic Auth: EnabledDefault domain: cnbu1.localConnection Timeout: 10Connection Retries: 3Allow Domains: DisabledAllow Domains List:NoneAD group search is enabledEnumeration User:Username: administratorPassword: ****Domain: abc1.localLDAP Port:389Global Catalog Servers:172.16.10.32 , Domain: abc1.local172.16.10.38 , Domain: abc2.localScheme: Load-balancedPort: 3268User objectclass: userUsername attribute: sAMAccountNameGroupname attribute: cnMembership attribute: memberOfDisplaying the NTLM Statistics for Standalone Content Engines
To display NTLM statistics such as the number of requests that were authenticated or denied, and a breakdown of statistics for each configured NTLM server and Global Catalog server, use the show statistics ntlm EXEC command.
Configuring Group-Based Authorization for Standalone Content Engines
For request authorization, ACNS 5.x software supports group-based access lists for LDAP and NTLM users. In ACNS software releases prior to 5.1, group name-based access control lists were supported but not static groups. This group name-based access lists feature is called group-based authorization. By default, the access lists feature is disabled on a Content Engine. Group information will be checked and applied only if the access lists feature is enabled on the Content Engine.
Note
In Windows NT and Windows 2000 domains, administrators can use the Windows group feature to create groups in order to organize security principles, including user and other resources. An Active Directory (AD) database is a user database of a Windows 2000 server. This database can be queried for authentication purposes when LDAP or NTLM is used.
Configuring Access Lists on Standalone Content Engines
To configure a standalone Content Engine to use access lists for group-based authorization, follow these steps:
Step 1
The following example shows how to use access lists to permit access to groups within the base string cisco based on organizational units such as Marketing or Engineering using the access-lists 300 permit groupname global configuration command. Group access is allowed for any user in the Marketing and Engineering groups. A user who does not belong to any of these groups is denied access with the access-lists 300 deny groupname any global configuration command.
ContentEngine(config)# access-lists 300 permit groupname MarketingContentEngine(config)# access-lists 300 permit groupname EngineeringContentEngine(config)# access-lists 300 deny groupname anyFor Windows-based user groups, you must append the domain name in front of the group name in the form domain\group.
•
•
Note
Step 2
ContentEngine(config)# access-lists enable
Note
Example of Configuring LDAP Group Authorization with Access Lists
In ACNS releases prior to 5.1, group name-based access lists were supported but not static groups. To ensure interoperability of the Content Engine group authentication support with the Microsoft Active Directory database, the ACNS software, Release 5.1 or later supports LDAP group-based authorization for static groups.
In this scenario, group access to the Internet is allowed to the following users:
•
•
Note
This scenario assumes that the LDAP administrator has defined the group named "Engineering" as the parent of the "Hardware Engineers" and "Software Developers" groups in the LDAP directory, as follows:dn: cn=Engineering,dc=cisco,dc=comcn: Engineeringobjectclass: groupOfNamesmember: cn:Hardware Engineers,dc=cisco,dc=commember: cn:Software Developers,dc=cisco,dc=comdn: cd=Hardware Engineers,dc=cisco,dc=comcn: Hardware Engineersobject: groupOfNamesmember: cn=Jay Doe,ou=Engineering,dc=cisco,dc=commember: cn=Don Smith,ou=Engineering,dc=cisco,dc=comdn: cn=Software Developers,cd=cisco,cd=comcn: Software Developersobjectclass: groupOfNamesmember: cn=John Gold,ou=Engineering,dc=cisco,dc=commember: cn=John Smith,ou=Engineering,dc=cisco,dc=comTo configure a standalone Content Engine for LDAP group-based authorization, follow these steps:
Step 1
In the following example, the IP address of the LDAP server is used.
ContentEngine(config)# ldap server host 10.1.1.1Step 2
In this example, the strings "cisco" and "com" are used for the directory search.
ContentEngine(config)# ldap server base "dc=cisco,dc=com"Step 3
ContentEngine(config)# ldap server enableStep 4
In this example, the access-lists 300 permit groupname command is used to grant group access to any user who is not a member of the nested static group named "Hardware Engineering."
ContentEngine(config)# access-lists 300 deny groupname Hardware EngineeringContentEngine(config)# access-lists 300 permit groupname anyStep 5
ContentEngine(config)# access-lists enable
Example of Configuring NTLM Group Authorization with Access Lists
The following example shows how to use the Content Engine CLI to configure NTLM group authorization with access lists, In this example, NTLM group access is granted to the Engineering and Marketing groups in the company named "cisco."
To configure a standalone NTLM group authorization with access lists on a standalone Content Engine, follow these steps:
Step 1
In ACNS software, Release 5.2 or later, you can configure up to eight NTLM servers for HTTP request authentication.
In the following example, three NTLM servers are configured.
ContentEngine(config)# ntlm server host 172.16.10.10ContentEngine(config)# ntlm server host 172.16.10.12ContentEngine(config)# ntlm server host 172.16.10.14The order of server configuration determines the order of load balancing or failover. If failover is enabled, the Content Engine sends all of its requests to the first configured server (Server 1, which has in IP address of 172.16.101.0). In contrast, if load balancing is enabled, only the first request is sent to Server 1, after which round-robin is used (for example, the second request is sent to Server 2 [the server with the IP address 172.16.10.12], and the third request is sent to Server 3 [the server with IP address 172.16.10.14]).
Step 2
ContentEngine(config)# ntlm server scheme load-balancedStep 3
ContentEngine(config)# ntlm server domain cisco.comIn ACNS 5.1.x software, you were required to specify a default domain. In ACNS software, Release 5.2 or later), you are not required to specify a default domain. If the client does not supply a domain name in the request authentication credential and there is no default domain configured on the Content Engine (the ntlm server domain global configuration command was not used), then an authentication error message is returned to the client. A predetermined error page that contains text indicating the reason for the error is sent to the client.
In ACNS 5.2 software, you can also specify a list of domains that are allowed to perform NTLM HTTP request authentication with the Content Engine. For more information, see the "Configuring a List of Allowed Domains List NTLM HTTP Request Authentication" section.
Step 4
ContentEngine(config)# ntlm server enableStep 5
In this example, group access is granted to any user in the Marketing and Engineering groups. A user who does not belong to either of these groups is denied access with the access-lists 300 deny groupname any global configuration command.
ContentEngine(config)# access-lists 300 permit groupname MY_DOMAIN\MarketingContentEngine(config)# access-lists 300 permit groupname MY_DOMAIN\EngineeringContentEngine(config)# access-lists 300 deny groupname anyStep 6
ContentEngine(config)# access-lists enable
Configuring Content Engines for Active Directory Group Searches
In ACNS software releases prior to 5.1, the Content Engine only supported local groups within a global group for NTLM group-based authorization. To ensure interoperability of the Content Engine NTLM group authentication support with the Microsoft Active Directory database, the ACNS software, Release 5.1 or later supports static groups.
ACNS software, Release 5.1 or later can retrieve nested group names using an LDAP recursive search and apply all the access lists configured for the nested groups. When you use nested groups with Active Directory servers, the policies configured for parent groups are automatically applied to members in subgroups.
Note
To perform a recursive query, an enumeration user's credentials must be provided to query the primary domain controller for a complete list of group names. An enumeration user is an account defined on the Content Engine to allow the Content Engine to perform a search on an Active Directory server. This enumeration user needs to have read privileges throughout the whole directory.
In ACNS 5.1 software, group name-based access lists were the only feature that would trigger an Active Directory group search. In ACNS 5.2 software, the following additional features can trigger an Active Directory group search:
•
•
•
In ACNS 5.1.x software, you explicitly designated a primary and a secondary Global Catalog server for Active Directory group searches. When the primary Global Catalog server was not reachable, the Content Engine attempted to contact the secondary Global Catalog server.
In ACNS 5.1.x software, you explicitly designated a primary and secondary server for an Active Directory group search and to obtain group information. (You used the ntlm server ad-group-search ldap-search-server host global configuration command with the primary and secondary keywords to explicitly designate a primary and a secondary server.) See below.
ContentEngine(config)# ntlm server host 172.16.10.10 primaryContentEngine(config)# ntlm server host 172.16.10.12 secondaryHowever, in the case of Active Directory, because the domain controller supports both NTLM and LDAP, it is not necessary to configure the primary and secondary server for an Active Directory group search. In ACNS 5.1.x software, the following two Content Engine CLI commands performed the same task (that is, they were configuring the same Active Directory domain controller):
ntlm server host
ntlm server ad-group-search ldap-search-server host
Consequently, the ntlm server ad-group-search ldap-search-server host global configuration command was removed in ACNS 5.2 software. Backward compatibility is supported. Configurations performed with ACNS 5.1.x software that have this removed Content Engine CLI command are silently accepted but ignored in the back end.
In ACNS 5.2 software, the Active Directory domain controllers (hosts) that are configured using the ntlm server host global configuration command are used for both authentication and authorization if Active Directory nested group search is enabled.
In ACNS 5.2 software, the ability to configure up to eight Global Catalog servers for Active Directory searches was added. Consequently, the ntlm server ad-group-search gc-server host primary option and the ntlm server ad-group-search gc-server host secondary options were removed. The order of server configuration determines the order of load balancing or failover. If failover is enabled, then the Content Engine sends all of its Active Directory search requests to the first configured Global Catalog server (Server 1). In contrast, if load balancing is enabled, only the first request is sent to Server 1, after which round-robin is used (for example, the second request is sent to Server 2, and the third request is sent to Server 3).
To configure the settings for the Global Catalog servers that you want the Content Engine to use for Active Directory group searches, use the ntlm server ad-group-search gc-server global configuration command. For example, use the ntlm server ad-group-search gc-server host host-IP-address or hostname command to specify the IP address or host name of the Global Catalog server that the Content Engine is to use for Active Directory group searches.
Use the ntlm server ad-group-search gc-server host domain domain-name global configuration command to specify the host domain name (for example, "abc1.local") for the configured Global Catalog server. In the following example, the Content Engine is configured to use the Global Catalog server that has the host domain name of "abc1.local."
ContentEngine(config)# ntlm server ad-group-search gc-server host 10.77.157.213 domain abc1.localIn ACNS 5.2 software, the ldap-search-port option was added to the ntlm server ad-group-search global configuration command. (See the following example.) Use the ldap-search-port option to specify the LDAP port for group information retrieval. The default is port 389. This option configures the LDAP search server port for all of the configured Active Directory domain controllers.
ContentEngine(config)# ntlm server ad-group-search ?enable Enable Active Directory group searchenum-user Configure enumeration user parametersgc-server Configure global catalog server parametersgroupname-attribute groupname attribute in Active Directory, default is cnldap-search-port Specify LDAP search server port, default 389membership-attribute membership attribute in Active Directory, default ismemberOfuser-objectclass objectclass for user object, default is userusername-attribute username attribute in Active Directory, default issAMAccountName
Note
In ACNS 5.2 software, the scheme option was also added to ntlm server ad-group-search gc-server global configuration command to let you specify whether the configured Global Catalog servers are to be used for load balancing or failover.
ContentEngine(config)# ntlm server ad-group-search gc-server ?host Specify global catalog server addressport Specify global catalog server port, default 3268scheme Scheme to use for the host listExamples of Configuring Content Engines to Support Active Directory Group Searches
The following example shows how to use the ntlm server ad-group-search global configuration command to configure the Content Engine to support Active Directory group searches. In this example, the Content Engine is configured to use the Global Catalog server that has the IP address 10.77.157.213 for the Active Directory group search. The host domain name for this Global Catalog server is "abc1.local." Load balancing is specified as the scheme (the default scheme is failover). Port 111 is specified as the LDAP port for group information retrieval. After you configure the Active Directory group search parameters, you use the ntlm server ad-group-search enable global configuration command to enable the Active Directory group search feature on a standalone Content Engine.
ContentEngine(config)# ntlm server ad-group-search enum-user username administratorContentEngine(config)# ntlm server ad-group-search enum-user password ***ContentEngine(config)# ntlm server ad-group-search enum-user domain abc1.localContentEngine(config)# ntlm server ad-group-search gc-server host 10.77.157.213 domain abc1.localContentEngine(config)# ntlm server ad-group-search gc-server host 10.77.157.214 domain abc1.localContentEngine(config)# ntlm server ad-group-search gc-server scheme load-balancedContentEngine(config)# ntlm server ad-group-search ldap-search-port 111ContentEngine(config)# ntlm server ad-group-search enableWhen you enable Active Directory search groups, the access list must be configured with the correct domain name. The group name should look like this:
DNS domain name\group name
The following example uses access lists to enable Active Directory search groups:
ContentEngine(config)# access-lists 300 permit groupname mydomain.local\univ11_secContentEngine(config)# access-lists 300 deny groupname anyContentEngine(config)# access-lists enableThe LDAP queries are sent to the same Active Directory server that is assigned to perform authentication unless the LDAP query fails. If the LDAP query fails, the authorization request fails over to the next configured server. If the NTLM service or the LDAP service on the Active Directory server is not accessible, the Content Engine considers the Active Directory server nonfunctional.
Disabling Group Name-Based Access Lists
You can disable the group name-based access list feature on a Content Engine without losing any of the configured access lists, as follows:
•
•
Configuring the LDAP Acceptable Use Policy Feature
ACNS software, Release 5.1 and later, supports the LDAP acceptable use policy feature. When a user opens a browser session, the Content Engine queries a specific LDAP attribute to determine whether the user has viewed and accepted the acceptable use policy (AUP). If a user has not accepted this policy, then the Content Engine redirects the user to an internal web page with the AUP, which the user must read and accept before being allowed to browse content through the Content Engine. Once the user accepts the policy, the Content Engine sets an LDAP attribute that allows the user full access to browse through the proxy server (the Content Engine).
This LDAP attribute is configurable and is an integer stored in the user's database that represents the version of the policy that the user has accepted. This value is compared against the current version set in the Content Engine. If these values are equal, the user is given access to browse; otherwise, the user is redirected to the configured URL that sends the user to the internal web page that allows the user to read and accept the AUP.
Use the ldap server policy-redirect enable global configuration command to enable the AUP. Use the ldap server policy-redirect redirect-url url global configuration command to specify the URL to which the user is redirected to view and accept the policy. Use the ldap server policy-redirect attribute attribute to define the LDAP attribute that is to be queried for the version that the user has accepted.
To configure the AUP on a standalone Content Engine, follow these steps:
Step 1
ContentEngine(config)# ldap server policy-redirect enableStep 2
ContentEngine(config)# ldap server policy-redirect redirect-url urlStep 3
ContentEngine(config)# ldap server policy-redirect attribute aup-attributeStep 4
ContentEngine(config)# ldap server policy-redirect value latest-policy-version
Configuring the LDAP Password Expiration Feature
The LDAP password feature allows you to configure the Content Engine to redirect users to a web page, which will prompt them for a username and password. To configure the LDAP authorization password expiration feature, use the ldap server password-expiry global configuration command.
Configuring End-to-End Authentication for HTTP Requests
End-to-end authentication is authentication that occurs between the client and the origin server. The HTTP protocol has three ways to authenticate a web client that has issued an HTTP request:
•
•
•
Note
ACNS software, Release 5.2 or later supports all three modes of client authentication (basic, NTLM, and Active Directory/Kerberos) for pass-through authentication. (See the "Authenticating Web Clients Through Pass-Through Authentication" section.)
End-to-end NTLM authentication using the NTLM method includes pass-through servicing and the caching of web objects that require NTLM authentication.
Basic End-to-End Authentication
ACNS software can strip NTLM authentication headers to allow fallback to a basic-style authentication challenge against Microsoft IIS servers. Basic authentication is designed to allow browsers to authenticate entered user IDs against a Microsoft IIS web server that issues an NTLM-based challenge.
NTLM is proprietary and undocumented. Removing the NTLM headers allows the browser to fall back to the basic authentication method. If the Microsoft IIS server is configured to still accept basic authentication, IIS authentication credentials can proceed through a Content Engine, but with reduced security. Basic authentication is less secure than NTLM authentication because it transmits the user credential information in clear text format.
To configure a standalone Content Engine to strip NTLM headers, issue the http authenticate-strip-ntlm global configuration command.
Basic end-to-end authentication support also includes the ability to configure the Content Engine to cache web objects that are authenticated with the basic authentication method. By default, the Content Engine does not cache such objects. However, you can configure the Content Engine to cache objects that are authenticated with the basic authentication method by issuing the http cache-authenticated basic global configuration command.
NTLM End-to-End Authentication
The two levels of NTLM end-to-end support can be summarized as follows:
•
The Content Engine sets up a secure persistent connection between the client and the server. NTLM authentication messages pass through this virtual persistent connection. The Content Engine does not cache any object transferred on the virtual connection. All the client requests are served by the origin server.
•
The Content Engine can be configured to cache objects that require NTLM authentication. The server puts a "no-store" flag on a reply object to prevent the reply from being cached. If no such flag is present, the object is cacheable. When the Content Engine receives a content request from a client already connected with the intended NTLM server, the Content Engine searches the cache.
–
–
In the following example, the Content Engine is configured for end-to-end NTLM authentication. By default, basic and NTLM authenticated objects are not cached.
ContentEngine(config)# no http authenticate-strip-ntlmContentEngine(config)# http cache-authenticated ntlmContentEngine# show http cache-authenticated ntlmNTLM authenticated objects are cached.Configuring Pass-Through Authentication for WMT Requests
End-to-end authentication is authentication that occurs between the client and the origin server. Pass-through authentication is how the Content Engine handles end-to-end authentication. With pass-through authentication, the Content Engine passes through the authentication request and response between the client and the origin server without examining such requests and responses
In ACNS 5.2 software, pass-through authentication support for WMT requests was added. Note that with this support, the Content Engine establishes a virtual connection between the client and the origin server in order for the origin server to authenticate the client. The Content Engine does a "pass through" and does not function as the proxy authentication server. Consequently, proxy server authentication is not supported for WMT requests.
Note
Pass-through authentication for WMT live streams is supported with the following exceptions and requirements:
•
•
Note
In proxy mode, the Windows Media 9 server supports two authentication mechanisms for pass-through authentication of WMT requests:
•
•
–
–
