Use Firewall in User-Based mode with a RADIUS server

In this article, we will demonstrate how to use User Management with RADIUS server and set different policies for different user accounts. With this configuration, LAN clients are required to log in with their user account for Internet access. The administrator can set different rules for different user accounts. For example, we can create a rule to prohibit Facebook from most employees; On the other hand, the user with HR accounts can access the Internet without any limitations.

This document use VigorAP as RADIUS server as example.

On the RADIUS server (VigorAP)

1. Enable RADIUS server feature in RADIUS Setting >> RADIUS server.

2. Create User profiles: Type username and password then press the Add button to create the account.

3. Set up Authentication Client: Authentication Client are the hosts who will have the permission to send 802.1X authentication packets to the VigorAP. Type Client IP and Secret Key then press the Add button to add a new client.

On Vigor Router:

1. Go to User Management >> User Profile page, enable User based Mode and click OK.

 

2. Set a firewall filter that allows packets from the sever IP to pass: Go to Firewall >> Filter Setup, click Set 2, click an available rule.

1. Tick Check to enable the Filter Rule.
2. Enter a Comment.
3. Set Direction as LAN/DMZ/RT/VPN -> WAN.
4. Click Edit to set Source IP as the IP of server.

   a) Select Address Type as Single Address.

   b) Enter the Server IP to Start IP Address.

   c) Click OK to save.

5. Select Filter as Pass Immediately.
6. Click OK to save.

Note: If tick Check to Enable the Filter Rule makes this rule an Active Rule, that means all the packet will check if it matches the rule first. But with this IP configuration, only the packets from the IP address of server will pass, other packets that does not match the IP address will need user authentication, and the firewall rule applied to correspondent user accounts will then take effect.

 

4. Set a firewall rule to blocks facebook: Go to Firewall >> Filter Setup page, click Set 2, click an available rule.

1. Enter Comments.
2. For Filter, select Pass Immediately.

3. Select URL Content Filter, Web Content Filter and DNS Filter as the filter we set for blocking facebook.See Blocking a Website by URL Content Filter and DNS Filter and Block Social Networking Websites by Web Content Filter for more detail.

   

4. Click OK to save the rule.

Note: Do not tick Check to Enable the Filter Rule, this makes this rule an Inactive Rule, so it will be a policy that we can apply to a specific user account.

4. Create a user account for the employees: Go to User Management >> User Profile page, click an available profile to add an account.

1. Enable this account.

2. Enter the Username same as the username of Radius server.
3. Select Radius.
4. Set Policy as the one for blocking facebook which created in the previous step.
5. Click OK to save.

5. Create a user account for the HR: Go to User Management >> User Profile page, click an available profile to add an account.

1. Enable this account.
2. Enter the Username same as the username of Radius server.
3. Select Radius.
4. Set Policy as default.
5. Click OK to save.

 

Finally, LAN clients will have to log in when they try to access internet. If they log in with the employee account, they will not be able to access facebook.

 

When log in with the HR account, facebook works fine.