Configuring Active Directory authentication

You can add existing Active Directory users to the firewall. To do this, you add an AD server, import groups, and set the primary authentication method.

Objectives

When you complete this unit, you’ll know how to do the following:
  • Add and configure an Active Directory server on the firewall.
  • Import AD groups using the Import group wizard.
  • Set the primary authentication method so that the firewall queries the AD server first.

Add an Active Directory server

First, you add an Active Directory server that includes a search query.

You’ll need the following information to complete this task:
  • IP address or FQDN of the Active Directory server
  • Domain name
  • NetBIOS domain
  • Username and password of the account the firewall uses to bind to the Active Directory server

Check the properties of the Active Directory server. For example, on Microsoft Windows, go to Windows Administrative Tools.

Search queries are the distinguished name (DN) of the search base, derived from the DNS domain name: each label of the domain becomes a dc= component. In this example, the domain name is sophos.com, so the search query is: dc=sophos,dc=com.

  1. Go to Authentication > Servers and click Add.
  2. Specify the settings.
    Note For settings not listed here, use the default value.
    Use the password of the account entered as ADS username. A dedicated service account with read access to the directory is sufficient for authentication and group import; avoid using the built-in domain administrator account shown in the example.
    Option              Value
    Server type         Active Directory
    Server name         My_AD_Server
    Server IP/domain    192.168.1.100
    NetBIOS domain      sophos
    ADS username        administrator
    Password            <AD server password>
    Domain name         sophos.com
    Search queries      dc=sophos,dc=com
  3. Click Test connection to validate the user credentials and check the connection to the server.
    Note When both synchronized user ID and STAS are configured, the authentication server uses the mechanism from which it receives the sign-in request first.
  4. Click Save.

Import Active Directory groups

Import Active Directory groups into the firewall and specify policies for them.

  1. Go to Authentication > Servers and click the Import group icon next to the Active Directory server.
  2. In the Import group wizard, click Start.
  3. Select the base DN for groups.
  4. Select the AD groups to import.
  5. Select common policies for groups.
  6. Review selection.
  7. View results.
  8. Go to Authentication > Groups and verify the recently imported groups.

Set primary authentication method

To query the Active Directory server first, you set it as the primary authentication method. When users sign in to the firewall for the first time, they are automatically added as a member of the default group specified.

  1. Go to Authentication > Services.
  2. In the authentication server list, select My_AD_Server.
  3. Move the server to the first position in the list of selected servers.
  4. Click Apply.

Go to Authentication > Groups and verify the imported groups.