The Blue Cedar Connect Gateway allows you to use a backend web server as an authentication provider for authenticating users. The gateway can authenticate against any backend server that can perform either Basic Authentication or forms-based authentication over HTTPS. To enable this feature, configure a web authentication provider with the server’s URL.

To use the web authentication feature on the gateway, complete these two steps before you configure the gateway:

  • Make sure the remote server presents a certificate that the gateway trusts, that is, one issued by a trusted certificate authority (CA).
  • Register the CA that issued the remote server's certificate as trusted on the gateway. For details, see "Configuring Trusted Certificates" at Configuring AAA Public Key Infrastructure.

The configuration steps are:

  • Set the auth-provider type as web-auth.
  • Set the name of the auth-provider.
  • Set the URL of the web server that serves as the authentication provider for the gateway.
  • Set the authentication type (basic or form-based).

Using basic authentication

  % set aaa auth-provider web-auth externalWebAuth server-url https://1.2.3.4/webAuth/basic auth-type BasicAuth email-cookie-name emailCookieName


Using form-based authentication

  % set aaa auth-provider web-auth externalWebAuth server-url https://1.2.3.4/webAuth/basic auth-type FormAuth username-form-name username password-form-name password email-cookie-name emailCookieName


Element: web-auth externalWebAuth
Description: Unique identifier to appear in the auth-group provider list. This identifier cannot share the same name as an Active Directory server entry, and it cannot be the reserved string "local".

Element: server-url https://domain/path
Description: URL of the external server used for authentication. A valid URL must:
  • Perform HTTP Basic authentication
  • Return an "HTTP 200 OK" code when the user is permitted
  • Return an HTTP error on failure.

Element: auth-type
Description: Specifies whether HTTP Basic authentication or form-based authentication is used to authenticate the connection. Values: BasicAuth or FormAuth.

Element: email-cookie-name emailCookieName
Description: If an HTTP cookie with a key matching the value of this parameter is present, the gateway uses the cookie value as the user's email address during certificate enrollment. Default: email

Element: identity-cert-name certname
Description: Name of an existing identity certificate to use for mutual SSL authentication with the web authentication server.

Element: username-form-name username
Description: If the auth-type is FormAuth, the gateway uses this value as the key for the username in the form-urlencoded data set. Default: USER

Element: password-form-name password
Description: If the auth-type is FormAuth, the gateway uses this value as the key for the password in the form-urlencoded data set. Default: PASSWORD
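The following is an added example, not part of the Blue Cedar documentation or product, showing what a backend web server has to implement to satisfy the contract described above: HTTP Basic authentication on one path, form-based authentication on another (using the gateway's default field names USER and PASSWORD), "200 OK" on success, an HTTP error on failure, and a cookie named "email" (the default email-cookie-name) carrying the user's email address. The paths /webAuth/basic and /webAuth/form, the user store, the salt and the pbkdf2 iteration count are constructed for the example; the two gateway_*_request helpers only simulate the request the gateway would send, they are not the gateway's code.

```python
"""Reference backend for a gateway web-auth provider (constructed example).

Contract: return 200 when credentials are valid, an HTTP error otherwise, and
set an 'email' cookie on success so the gateway can use it during enrollment.
"""
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

# Constructed user store: salted PBKDF2 hashes, never plaintext passwords.
_SALT = b"example-salt-change-me"
_ITERATIONS = 50_000


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)


USERS = {
    "alice": {"pw": _hash("correct horse battery staple"), "email": "alice@example.com"},
}
_DUMMY = _hash("dummy")  # hashed for unknown users so timing does not reveal them

# Form field names matching the gateway defaults for username-form-name/password-form-name.
USERNAME_FIELD = "USER"
PASSWORD_FIELD = "PASSWORD"
EMAIL_COOKIE = "email"  # gateway default for email-cookie-name


def verify(username: str, password: str):
    """Return the user's email on success, None on failure (constant-time compare)."""
    rec = USERS.get(username)
    candidate = _hash(password)
    expected = rec["pw"] if rec else _DUMMY
    ok = hmac.compare_digest(candidate, expected) and rec is not None
    return rec["email"] if ok else None


def handle(method: str, path: str, headers: dict, body: bytes = b""):
    """Minimal request handler; returns (status_code, response_headers)."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if path == "/webAuth/basic":
        # BasicAuth: credentials arrive in the Authorization header.
        auth = hdrs.get("authorization", "")
        if not auth.startswith("Basic "):
            return 401, {"WWW-Authenticate": 'Basic realm="gateway"'}
        try:
            user, _, pw = base64.b64decode(auth[6:], validate=True).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            return 400, {}
    elif path == "/webAuth/form" and method == "POST":
        # FormAuth: credentials arrive as application/x-www-form-urlencoded fields.
        form = parse_qs(body.decode(errors="replace"), keep_blank_values=True)
        user = form.get(USERNAME_FIELD, [""])[0]
        pw = form.get(PASSWORD_FIELD, [""])[0]
    else:
        return 404, {}
    email = verify(user, pw)
    if email is None:
        return 401, {}  # any HTTP error signals failure to the gateway
    # 200 plus the email cookie the gateway reads during certificate enrollment.
    return 200, {"Set-Cookie": f"{EMAIL_COOKIE}={email}; Secure; HttpOnly"}


def gateway_basic_request(user: str, pw: str):
    """Simulate the request the gateway sends for auth-type BasicAuth (assumption)."""
    token = base64.b64encode(f"{user}:{pw}".encode()).decode()
    return handle("GET", "/webAuth/basic", {"Authorization": "Basic " + token})


def gateway_form_request(user: str, pw: str):
    """Simulate the request the gateway sends for auth-type FormAuth (assumption)."""
    body = urlencode({USERNAME_FIELD: user, PASSWORD_FIELD: pw}).encode()
    return handle("POST", "/webAuth/form",
                  {"Content-Type": "application/x-www-form-urlencoded"}, body)


if __name__ == "__main__":
    print(gateway_basic_request("alice", "correct horse battery staple"))
    print(gateway_form_request("alice", "wrong password"))
```

The backend must be reachable only over HTTPS with a certificate chained to the CA registered on the gateway, and the user store, field names and cookie name are the values that must agree with the gateway's username-form-name, password-form-name and email-cookie-name settings.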