Skip to main content
Skip table of contents

Configuring an external web server for authenticating gateway users

The Blue Cedar Connect Gateway allows you to use a backend web server as an authentication provider for authenticating users. The gateway can authenticate against any backend server that can perform either Basic Authentication or forms-based authentication over HTTPS. To enable this feature, configure a web authentication provider with the server’s URL.

To use the web authentication feature on the gateway, complete these two steps before you configure the gateway:

  • Make sure the remote server has installed a certificate that is trusted by the gateway. The certificate for the remote server is issued by a trusted certificate authority (CA).
  • Configure the gateway for the trusted-certificate-authority that issued the certificate for the remote server. This configuration step registers the CA as trusted by the gateway. For details, see "Configuring Trusted Certificates" at Configuring AAA Public Key Infrastructure.

The configuration steps are:

  • Set the auth-provider type as web-auth.
  • Set the name of the auth-provider.
  • Set the URL of the web server that serves as the authentication provider for the gateway.
  • Set the authentication type (basic or form-based). 

Using basic authentication

% set aaa auth-provider web-auth externalWebAuth server-url 
auth-type BasicAuth email-cookie-name emailCookieName

Using form-based authentication

% set aaa auth-provider web-auth externalWebAuth server-url 
auth-type FormAuth username-form-name username password-form-name password email-cookie-name emailCookieName

web-auth externalWebAuthUnique identifier to appear in the auth-group provider list. This identifier cannot share the same name as an Active Directory server entry, and it cannot be the reserved string “local”.
server-url https://domain/path

URL to the external server for authentication. A valid URL must:

  • Perform HTTP Basic authentication
  • Return an "HTTP 200 OK" code when the user is permitted
  • Return an HTTP error on failure.

Specifies whether HTTP Basic authentication or Form-based authentication is used to authenticate the connection. Values:

email-cookie-name emailCookieName

If an HTTP cookie with a key matching the value of this parameter is present, then the gateway uses the cookie value as the user’s email address during certificate enrollment. Default: email

identity-cert-name certnameName of an existing identity-certificate to use for mutual SSL authentication with the web authentication server.
username-form-name username

If the auth-type is FormAuth, the gateway uses this value as the key for the username in the form-urlencoded data set. Default: USER

password-form-name password

If the auth-type is FormAuth, the gateway uses this value as the key for the password in the form-urlencoded data set. Default: PASSWORD

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.