WatchGuard Support Center

Knowledge Base - Article

000013125
Configure Active Directory Authentication in Fireware v12.2.1 or lower

Information
How do I configure Active Directory authentication in Fireware v12.2.1 or lower?

In Fireware v12.3, the steps to configure Active Directory authentication on the Firebox changed. If your Firebox has Fireware v12.2.1 or lower, use the information in this article to configure Active Directory settings on your Firebox.

If your Firebox has Fireware v12.3 or higher, see Configure Active Directory Authentication in Fireware Help.

To add an Active Directory domain and server, from Fireware Web UI:

  1. Select Authentication > Servers > Active Directory.
    The Authentication Servers page appears.
  2. From the Server list, select Active Directory.
    The Active Directory server settings appear.
  3. Click Add.
    The Add page appears.
  4. In the Domain Name text box, type the domain name to use for this Active Directory server.
    The domain name must include a domain suffix. For example, type example.com, not example.
  5. From the Primary drop-down list, select IP Address or DNS Name.
  6. In the text box, type the IP address or DNS name of this Active Directory server.
  7. In the Port text box, type the TCP port number for the device to use to connect to the Active Directory server.
    The default port number is 389. If you enable LDAPS, you must select port 636. If your Active Directory server is a global catalog server, it can be useful to change the default port to the global catalog port (3268, or 3269 with LDAPS). For more information, see Change the Default Port for the Active Directory Server in Fireware Help.
  8. To add another Active Directory server to this domain:
    1. From the Secondary (Optional) drop-down list, select IP Address or DNS Name.
    2. In the text box, type the IP address or DNS name of the secondary Active Directory server. 
    3. In the Port text box, specify the TCP port number for the device to use to connect to the Active Directory server.
      For more information, see Use a Backup Authentication Server in Fireware Help.
  9. In the Timeout text box, type or select the number of seconds the device waits for a response from the Active Directory server before it closes the connection and tries to connect again.
  10. In the Dead Time text box, type a time after which an inactive server is marked as active again.
  11. From the Dead Time drop-down list, select Minutes or Hours to set the duration.
    After an authentication server has not responded for a period of time, it is marked as inactive. Additional authentication attempts do not try this server until it is marked as active again.
  12. In the Search Base text box, type the location in the directory to begin the search.
    The standard format for the search base setting is: ou=name of organizational unit,dc=first part of the domain name,dc=each part of the domain name that appears after a dot. The components are separated by commas. For example, for the domain example.com, a search base of dc=example,dc=com covers the whole domain, and ou=Staff,dc=example,dc=com limits the search to the Staff organizational unit. For more information about how to use a search base to limit the directories on the authentication server where the device can search for an authentication match, see Find Your Active Directory Search Base in Fireware Help.
  13. In the Group String text box, type the attribute string that is used to hold user security group information on the Active Directory server.
    If you have not changed your Active Directory schema, the security group string is always memberOf.
  14. From the Login Attribute drop-down list, select an Active Directory login attribute to use for authentication.
    The login attribute is the name used for the bind to the Active Directory database. The default login attribute is sAMAccountName. If you use sAMAccountName, you do not have to specify a value for the DN of Searching User and Password of Searching User settings.
  15. In the DN of Searching User text box, type the distinguished name (DN) for a search operation.
    If you keep the login attribute of sAMAccountName, you do not have to type anything in this text box. If you change the login attribute, you must add a value in the DN of Searching User text box. Any user DN with the privilege to search LDAP/Active Directory works, such as an administrator, but a dedicated account with only read and search rights is sufficient and is the better choice, because this password is stored on the Firebox. The DN has the form cn=Administrator,cn=Users,dc=example,dc=com.
  16. In the Password of Searching User text box, type the password associated with the distinguished name for a search operation. 
  17. To enable TLS-protected (LDAPS) connections to your Active Directory server, select the Enable LDAPS check box. Without LDAPS, user names, passwords, and group data cross the network in clear text. If you enable LDAPS but did not set the Port value to the default port for LDAPS, a port message dialog box appears.
  18. To use the default port, click Yes.
  19. To use the port you specified, click No.
  20. To verify that the certificate of the Active Directory server is valid, select the Validate server certificate check box.
    Validation can succeed only if the Firebox trusts the CA that issued the server certificate. Without this option, LDAPS encrypts the connection but does not prove that the Firebox is talking to the real domain controller.
  21. To specify optional attributes for the primary LDAP server, complete the Active Directory Server Optional Settings section.
    For more information about how to configure optional settings, see About Active Directory Optional Settings in Fireware Help.
  22. Click Save.

To add an Active Directory domain and server, from Policy Manager:

  1. Click the Authentication Servers toolbar icon.
  2. Or, select Setup > Authentication > Authentication Servers.
    The Authentication Servers dialog box appears.
  3. Select the Active Directory tab.
    The Active Directory settings appear.
  4. Click Add.
    The Add Active Directory Domain dialog box appears.
  5. In the Domain Name text box, type the domain name to use for this Active Directory server.
    The domain name must include a domain suffix. For example, type example.com, not example.
  6. Click Add.
    The Add IP/DNS Name dialog box appears.
  7. From the Choose Type drop-down list, select IP Address or DNS Name.
  8. In the Value text box, type the IP address or DNS name of this Active Directory server.
  9. In the Port text box, type or select the TCP port number for the device to use to connect to the Active Directory server.
    The default port number is 389. If you enable LDAPS, you must select port 636. If your Active Directory server is a global catalog server, it can be useful to change the default port. For more information, see Change the Default Port for the Active Directory Server in Fireware Help.
  10. Click OK.
    The IP address or DNS name you added appears in the Add Active Directory Domain dialog box.
  11. To add another Active Directory server to this domain, repeat Steps 6–10.
    You can add up to two servers for a domain. Both servers must serve the same domain, because the search base, searching user, and other settings you specify in this dialog box apply to both. For more information, see Use a Backup Authentication Server in Fireware Help.
  12. In the Timeout text box, type or select the number of seconds the device waits for a response from the Active Directory server before it closes the connection and tries to connect again.
  13. In the Dead Time text box, type or select a time after which an inactive server is marked as active again.
  14. From the Dead Time drop-down list, select minutes or hours to set the duration. After an authentication server has not responded for a period of time, it is marked as inactive. Additional authentication attempts do not try this server until it is marked as active again.
  15. In the Search Base text box, type the location in the directory to begin the search. The standard format for the search base setting is: ou=name of organizational unit,dc=first part of the domain name,dc=each part of the domain name that appears after a dot. The components are separated by commas. To limit the directories on the authentication server where the device can search for an authentication match, you can set a search base. We recommend that you set the search base to the root of the domain, for example dc=example,dc=com for the domain example.com. This enables you to find all users and all security groups to which those users belong. For more information, see Find Your Active Directory Search Base in Fireware Help.
  16. In the Group String text box, type the attribute string that is used to hold user security group information on the Active Directory server.
    If you have not changed your Active Directory schema, the security group string is always memberOf.
  17. In the Login Attribute text box, type or select an Active Directory login attribute to use for authentication.
    The login attribute is the name used for the bind to the Active Directory database. The default login attribute is sAMAccountName. If you use sAMAccountName, you do not have to specify a value for the DN of Searching User and Password of Searching User settings.
  18. In the DN of Searching User text box, type the distinguished name (DN) for a search operation.
    If you keep the login attribute of sAMAccountName, you do not have to type anything in this text box. If you change the login attribute, you must add a value in the DN of Searching User text box. Any user DN with the privilege to search LDAP/Active Directory works, such as an administrator, but a dedicated account with only read and search rights is sufficient and is the better choice, because this password is stored on the Firebox. The DN has the form cn=Administrator,cn=Users,dc=example,dc=com.
  19. In the Password of Searching User text box, type the password associated with the distinguished name for a search operation.
  20. To enable TLS-protected (LDAPS) connections to your Active Directory server, select the Enable LDAPS check box.
    Without LDAPS, user names, passwords, and group data cross the network in clear text. If you enable LDAPS but did not set the Port value to the default port for LDAPS, a port message dialog box appears.
  21. To use the default port, click Yes.
  22. To use the port you specified, click No.
  23. To verify that the certificate of the Active Directory server is valid, select the Validate server certificate check box.
    Validation can succeed only if the Firebox trusts the CA that issued the server certificate. Without this option, LDAPS encrypts the connection but does not prove that the Firebox is talking to the real domain controller.
  24. To specify optional attributes for the primary LDAP server, click Optional Settings.
    For more information about how to configure optional settings, see About Active Directory Optional Settings in Fireware Help.
  25. To add another Active Directory domain, repeat Steps 4–24.
    Each domain has its own servers, search base, and searching user, so check the settings for each domain separately.
  26. Click OK.
  27. Save the configuration file.
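The two procedures above set the same fields, and several of them depend on each other: the port must match the LDAPS setting, certificate validation only means something over LDAPS, and a login attribute other than sAMAccountName needs a searching user. The following script, added here as an illustration and not WatchGuard code, checks a settings record offline against those rules, derives the root-of-domain search base the article recommends from the domain name, and builds the kind of user lookup filter an LDAP-based authenticator issues with the searching user before it binds as the user. The ADServer field names are assumptions chosen to mirror the settings in the procedure; the filter shape and the RFC 4515 escaping are standard LDAP behaviour, not the Firebox's exact implementation; and ports 3268/3269 are the standard global catalog ports, which the article does not list.

```python
"""Offline sanity checks for Active Directory server settings.

Added example, not WatchGuard code. The ADServer field names are assumptions
that mirror the settings in the procedure. The lookup filter and the RFC 4515
escaping show how an LDAP-based authenticator finds a user, not the Firebox's
exact implementation. Ports 3268/3269 are the standard global catalog ports.
"""
from dataclasses import dataclass

LDAP_PORTS = {389, 3268}    # plain LDAP; 3268 is the global catalog port
LDAPS_PORTS = {636, 3269}   # LDAP over TLS; 3269 is the global catalog port


@dataclass
class ADServer:
    domain: str
    primary: str
    port: int = 389
    ldaps: bool = False
    validate_cert: bool = False
    login_attribute: str = "sAMAccountName"
    search_base: str = ""
    group_string: str = "memberOf"
    searching_dn: str = ""
    searching_password: str = ""
    timeout: int = 10


def search_base_for_domain(domain: str) -> str:
    """Root-of-domain search base: example.com -> dc=example,dc=com."""
    labels = [p for p in domain.lower().strip(".").split(".") if p]
    return ",".join(f"dc={label}" for label in labels)


def validate(cfg: ADServer) -> list[str]:
    """Return the problems a reviewer would flag before saving this config."""
    problems = []
    if "." not in cfg.domain.strip("."):
        problems.append("domain name must include a suffix (example.com, not example)")
    if cfg.ldaps and cfg.port not in LDAPS_PORTS:
        problems.append(f"LDAPS enabled but port {cfg.port} is not 636 (or 3269 for a global catalog)")
    if not cfg.ldaps and cfg.port in LDAPS_PORTS:
        problems.append(f"port {cfg.port} is an LDAPS port but LDAPS is disabled")
    if cfg.validate_cert and not cfg.ldaps:
        problems.append("Validate server certificate has no effect unless LDAPS is enabled")
    if not cfg.ldaps:
        problems.append("warning: without LDAPS, simple binds send passwords in clear text")
    if cfg.login_attribute != "sAMAccountName" and not (cfg.searching_dn and cfg.searching_password):
        problems.append("login attribute is not sAMAccountName: DN and password of searching user are required")
    if cfg.searching_dn.lower().startswith("cn=administrator,"):
        problems.append("warning: searching user is Administrator; an account with read/search rights only is enough")
    root = search_base_for_domain(cfg.domain)
    if cfg.search_base and not cfg.search_base.lower().replace(" ", "").endswith(root):
        problems.append(f"search base {cfg.search_base!r} is not inside {root}")
    if cfg.timeout <= 0:
        problems.append("timeout must be a positive number of seconds")
    return problems


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a typed user name cannot change the filter."""
    return "".join(f"\\{ord(ch):02x}" if ch in "*()\\\x00" else ch for ch in value)


def user_lookup_filter(cfg: ADServer, username: str) -> str:
    """Filter used to find the user's DN (and its memberOf values) before the bind."""
    return f"(&(objectClass=user)({cfg.login_attribute}={escape_filter_value(username)}))"


if __name__ == "__main__":
    # Constructed sample configuration using the article's example domain.
    cfg = ADServer(domain="example.com", primary="dc1.example.com", port=636,
                   ldaps=True, validate_cert=True,
                   search_base=search_base_for_domain("example.com"))
    print(validate(cfg) or "no problems")
    print(user_lookup_filter(cfg, "jdoe"))
```

The escaping in user_lookup_filter is the part worth keeping in mind when any login attribute is looked up by a searching user: a name such as `*)(cn=*` must reach the directory as data, not as filter syntax.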