Use Active Directory or LDAP Optional Settings

When Fireware XTM contacts the directory server (Active Directory or LDAP) to search for information, it can get additional information from the list of attributes in the search response returned by the server. This enables you to use the directory server to assign extra parameters to the authenticated user session, such as timeouts and Mobile VPN address assignments. Because the data comes from LDAP attributes associated with individual user objects, you can set these parameters for each individual user and you are not limited to the global settings in Fireware XTM Web UI.

Before You Begin

To use these optional settings you must:

Make sure you carefully plan and test your directory schema before you extend it to your directories. Additions to the Active Directory schema, for example, are generally permanent and cannot be undone. Use the Microsoft® web site to get resources to plan, test, and implement changes to an Active Directory schema. Consult the documentation from your LDAP vendor before you extend the schema for other directories.

Specify Active Directory or LDAP Optional Settings

You can use Fireware XTM Web UI to specify the additional attributes Fireware XTM looks for in the search response from the directory server.

  1. Select Authentication > Servers.
    The Authentication Servers page appears.

screenshot of the Authentication Servers dialog box, with the Firebox tab selected

  2. From the Authentication Servers list, select LDAP or Active Directory and make sure the server is enabled.

screenshot of the Authentication Servers dialog box, with the LDAP tab selected

  3. In the Optional Settings section, type the attributes to include in the directory search in the string fields.

IP Attribute String

This setting applies only to Mobile VPN clients.

Type the name of the attribute for Fireware XTM to use to assign a virtual IP address to the Mobile VPN client. This must be a single-valued attribute and an IP address in decimal format. The IP address must be within the pool of virtual IP addresses you specify when you create the Mobile VPN Group.

If the XTM device does not see the IP attribute in the search response or if you do not specify an attribute in Fireware XTM Web UI, it assigns the Mobile VPN client a virtual IP address from the virtual IP address pool you create when you make the Mobile VPN Group.

Netmask Attribute String

This setting applies only to Mobile VPN clients.

Type the name of the attribute for Fireware XTM to use to assign a subnet mask to the Mobile VPN client’s virtual IP address. This must be a single-valued attribute and a subnet mask in decimal format.

The Mobile VPN software automatically assigns a netmask if the XTM device does not see the netmask attribute in the search response or if you do not specify one in Fireware XTM Web UI.

DNS Attribute String

This setting applies only to Mobile VPN clients.

Type the name of the attribute Fireware XTM uses to assign the Mobile VPN client one or more DNS addresses for the duration of the Mobile VPN session. This can be a multi-valued attribute and must be a normal dotted-decimal IP address. If the XTM device does not see the DNS attribute in the search response, or if you do not specify an attribute in Fireware XTM Web UI, it uses the WINS addresses you enter when you Configure WINS and DNS Servers.

WINS Attribute String

This setting applies only to Mobile VPN clients.

Type the name of the attribute Fireware XTM should use to assign the Mobile VPN client one or more WINS addresses for the duration of the Mobile VPN session. This can be a multi-valued attribute and must be a normal dotted-decimal IP address. If the XTM device does not see the WINS attribute in the search response or if you do not specify an attribute in Fireware XTM Web UI, it uses the WINS addresses you enter when you Configure WINS and DNS Servers.

Lease Time Attribute String

This setting applies to Mobile VPN clients and to clients that use Firewall Authentication.

Type the name of the attribute for Fireware XTM to use to control the maximum duration a user can stay authenticated (session timeout). After this amount of time, the user is removed from the list of authenticated users. This must be a single-valued attribute. Fireware XTM interprets the attribute’s value as a decimal number of seconds. It interprets a zero value as never time out.

Idle Timeout Attribute String

This setting applies to Mobile VPN clients and to clients that use Firewall Authentication.

Type the name of the attribute Fireware XTM uses to control the amount of time a user can stay authenticated when no traffic is passed to the XTM device from the user (idle timeout). If no traffic passes to the device for this amount of time, the user is removed from the list of authenticated users. This must be a single-valued attribute. Fireware XTM interprets the attribute’s value as a decimal number of seconds. It interprets a zero value as never time out.

  4. Click Save.
    The attribute settings are saved.
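The procedure above depends on each user object carrying attribute values in exactly the form Fireware XTM expects: single-valued where required, dotted-decimal IPv4 for addresses, a virtual IP inside the Mobile VPN Group pool, and timeouts as a decimal number of seconds with zero meaning never time out. The script below, added here as an example and not code from WatchGuard or this documentation, applies those rules to a directory search response so the values can be checked before the schema extension and the XTM device are relied on in production. The attribute names (xtmVpnAddress, xtmVpnNetmask, and so on), the pool 10.50.0.0/24 and the user entry are all constructed for the example; the entry is in the attribute-to-list-of-strings form that LDAP client libraries return, so the same function can be pointed at a live search result.

```python
"""Check directory attribute values against the rules Fireware XTM applies
to its Active Directory / LDAP optional settings (added example)."""
import ipaddress

# Attribute names as typed into the Optional Settings fields. These names
# are hypothetical; the documentation does not prescribe any.
ATTRIBUTE_SETTINGS = {
    "ip": "xtmVpnAddress",
    "netmask": "xtmVpnNetmask",
    "dns": "xtmVpnDns",
    "wins": "xtmVpnWins",
    "lease_time": "xtmLeaseTime",
    "idle_timeout": "xtmIdleTimeout",
}

# Virtual IP pool of the Mobile VPN Group (constructed value).
MOBILE_VPN_POOL = ipaddress.ip_network("10.50.0.0/24")

# Constructed search-response entry for one user: attribute -> list of values.
SAMPLE_ENTRY = {
    "sAMAccountName": ["jdoe"],
    "xtmVpnAddress": ["10.50.0.17"],
    "xtmVpnNetmask": ["255.255.255.0"],
    "xtmVpnDns": ["10.0.0.53", "10.0.1.53"],
    "xtmVpnWins": ["10.0.0.10"],
    "xtmLeaseTime": ["28800"],
    "xtmIdleTimeout": ["0"],
}


def _single(entry, attr, problems):
    """Return the sole value of a single-valued attribute, or None if absent."""
    values = entry.get(attr, [])
    if not values:
        return None
    if len(values) > 1:
        problems.append(f"{attr}: must be single-valued, got {len(values)} values")
        return None
    return values[0]


def _ipv4(text, attr, problems):
    """Parse a dotted-decimal IPv4 address, recording a problem on failure."""
    try:
        return ipaddress.IPv4Address(text)
    except ipaddress.AddressValueError:
        problems.append(f"{attr}: {text!r} is not a dotted-decimal IPv4 address")
        return None


def _seconds(text, attr, problems):
    """Parse a decimal number of seconds; a zero value means never time out."""
    if text is None:
        return None
    if not text.isdigit():
        problems.append(f"{attr}: {text!r} is not a decimal number of seconds")
        return None
    return "never" if int(text) == 0 else int(text)


def check_entry(entry, pool=MOBILE_VPN_POOL, settings=ATTRIBUTE_SETTINGS):
    """Return (parsed values, list of problems) for one search-response entry."""
    problems = []
    result = {}

    # IP attribute: single-valued, dotted decimal, and inside the VPN pool.
    raw = _single(entry, settings["ip"], problems)
    addr = _ipv4(raw, settings["ip"], problems) if raw else None
    if addr is not None and addr not in pool:
        problems.append(f"{settings['ip']}: {addr} is outside the pool {pool}")
        addr = None
    # Missing or unusable: the device assigns an address from the pool instead.
    result["ip"] = str(addr) if addr else "from pool"

    # Netmask attribute: single-valued, a contiguous dotted-decimal mask.
    raw = _single(entry, settings["netmask"], problems)
    mask = _ipv4(raw, settings["netmask"], problems) if raw else None
    if mask is not None:
        inverted = int(mask) ^ 0xFFFFFFFF          # host bits must be a run of 1s
        if inverted & (inverted + 1):
            problems.append(f"{settings['netmask']}: {mask} is not a valid subnet mask")
            mask = None
    result["netmask"] = str(mask) if mask else "assigned by Mobile VPN software"

    # DNS and WINS attributes: may be multi-valued, each a dotted-decimal address.
    for key in ("dns", "wins"):
        attr = settings[key]
        servers = [_ipv4(v, attr, problems) for v in entry.get(attr, [])]
        servers = [str(s) for s in servers if s is not None]
        result[key] = servers or "from WINS/DNS server configuration"

    # Lease time and idle timeout: single-valued decimal seconds, 0 = never.
    for key in ("lease_time", "idle_timeout"):
        raw = _single(entry, settings[key], problems)
        result[key] = _seconds(raw, settings[key], problems)

    return result, problems


if __name__ == "__main__":
    parsed, issues = check_entry(SAMPLE_ENTRY)
    for name, value in parsed.items():
        print(f"{name:13} {value}")
    for issue in issues:
        print("PROBLEM:", issue)
```

Run it against the entries of every user in the Mobile VPN group before you enable the optional settings; any line prefixed PROBLEM points at a value the XTM device would ignore or fall back from, which is easier to find here than in a user's session behaviour after rollout.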

See Also

Configure Active Directory Authentication

Configure LDAP Authentication
