Configuring an external web server for authenticating gateway users
The Blue Cedar Connect Gateway lets you use a backend web server as an authentication provider for gateway users. The gateway can authenticate against any backend server that performs either HTTP Basic authentication or forms-based authentication over HTTPS. To enable this feature, configure a web authentication provider with the server's URL.
To use the web authentication feature on the gateway, complete these two steps before you configure the gateway:
- Make sure the remote server presents a certificate that the gateway trusts, that is, one issued by a trusted certificate authority (CA).
- Configure the gateway for the trusted-certificate-authority that issued the certificate for the remote server. This configuration step registers the CA as trusted by the gateway. For details, see "Configuring Trusted Certificates" at Configuring AAA Public Key Infrastructure.
The configuration steps are:
- Set the auth-provider type as web-auth.
- Set the name of the auth-provider.
- Set the URL of the web server that serves as the authentication provider for the gateway.
- Set the authentication type (basic or form-based).
Using basic authentication
% set aaa auth-provider web-auth externalWebAuth server-url https://1.2.3.4/webAuth/basic auth-type BasicAuth email-cookie-name emailCookieName
Using form-based authentication
% set aaa auth-provider web-auth externalWebAuth server-url https://1.2.3.4/webAuth/basic auth-type FormAuth username-form-name username password-form-name password email-cookie-name emailCookieName
Element | Description |
---|---|
web-auth externalWebAuth | Unique identifier to appear in the auth-group provider list. This identifier cannot share the same name as an Active Directory server entry, and it cannot be the reserved string “local”. |
server-url https://domain/path | URL to the external server for authentication. A valid URL must: |
auth-type | Specifies whether HTTP Basic authentication or form-based authentication is used to authenticate the connection. Values: |
email-cookie-name emailCookieName | If an HTTP cookie with a key matching the value of this parameter is present, then the gateway uses the cookie value as the user’s email address during certificate enrollment. Default: email |
identity-cert-name certname | Name of an existing identity-certificate to use for mutual SSL authentication with the web authentication server. |
username-form-name username | If the auth-type is FormAuth, the gateway uses this value as the key for the username in the form-urlencoded data set. Default: USER |
password-form-name password | If the auth-type is FormAuth, the gateway uses this value as the key for the password in the form-urlencoded data set. Default: PASSWORD |
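The following is an added illustration, not Blue Cedar's code: a small Python model of the two exchanges the table describes, showing what the gateway sends for each auth-type (Basic header versus form-urlencoded body keyed by username-form-name and password-form-name) and how the enrollment e-mail is taken from a cookie named by email-cookie-name. All inputs are constructed; there is no network I/O.

```python
"""Model of the gateway-to-web-server authentication exchanges.

Added example (not the gateway's own code). Defaults mirror the table:
username-form-name USER, password-form-name PASSWORD, email-cookie-name email.
"""
import base64
from http.cookies import SimpleCookie
from typing import Dict, Iterable, Optional
from urllib.parse import urlencode, urlparse


def check_server_url(url: str) -> bool:
    """The provider must be reached over HTTPS; the CA that issued the
    server's certificate is registered as trusted in a separate step."""
    parts = urlparse(url)
    return parts.scheme == "https" and bool(parts.netloc)


def basic_auth_header(username: str, password: str) -> Dict[str, str]:
    """auth-type BasicAuth: credentials travel in an Authorization header."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def form_auth_body(username: str, password: str,
                   username_form_name: str = "USER",
                   password_form_name: str = "PASSWORD") -> str:
    """auth-type FormAuth: credentials are posted as form-urlencoded data,
    keyed by the configured username-form-name / password-form-name."""
    return urlencode({username_form_name: username, password_form_name: password})


def email_from_cookies(set_cookie_headers: Iterable[str],
                       email_cookie_name: str = "email") -> Optional[str]:
    """Return the value of the cookie named email-cookie-name from the
    server's Set-Cookie headers, or None if no such cookie was set."""
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        if email_cookie_name in jar:
            return jar[email_cookie_name].value
    return None


if __name__ == "__main__":
    # Constructed sample response headers from a backend web auth server.
    headers = ["session=abc123; Path=/; HttpOnly",
               "emailCookieName=alice@example.com; Path=/; Secure"]
    print(basic_auth_header("alice", "s3cret"))
    print(form_auth_body("alice", "s3cret", "username", "password"))
    print(email_from_cookies(headers, "emailCookieName"))
```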