Contextual Intelligence Publishing - SonicWALL

Overview

Using Contextual Intelligence Publisher (CIP), Single Sign-On can be enabled for SonicWALL and non-managed devices. Once configured, end users will no longer need to authenticate to SonicWALL since the user credentials will be passed transparently from CIP. Integrating the two allows seamless identity-aware firewalling and greater ease of use for matching firewall traffic to individual users. The CIP integration currently provides the following values to SonicWALL:

  • Machine IP Address

  • MAC Address

  • Username

The purpose of this guide is to walk through the configuration requirements for sending identity information from CIP to SonicWALL.

Prior to working through this document, SonicWALL and SafeConnect must be installed and functional on the network. CIP must also be installed in the SafeConnect system.

Configure SonicWALL

Configure LDAP

LDAP is required for SonicWALL to associate role information to user accounts that are published by CIP.

In the SonicWALL console, navigate to “Users > Settings”, select “LDAP” as the “User authentication method” and click “Configure LDAP…”.

In the pop-up window, carefully enter the information for your LDAP server. Review all tabs to ensure the configuration is optimal. When complete, test the configuration using the “Test” tab by entering a valid username and password.

When complete, click “OK” on the bottom of the page.


Configure RADIUS SSO

In the SonicWALL console, navigate to “Users > Settings” and click “Configure SSO…”.


In the pop-up window, choose the “Users” tab and ensure “Use LDAP to retrieve user group information” is selected.

In the pop-up window, choose the “RADIUS Accounting tab > General Settings tab” and ensure “Enable SSO by RADIUS accounting” is checked and the Port number is set to 1813.

In the pop-up window, choose the “RADIUS Accounting tab > Accounting Client tab” and click “Add…” to create a new RADIUS client.


In the “Settings” tab, enter the IP address of the SafeConnect appliance (for cluster environments, enter the manager IP) and a shared secret that will be specific to this integration.


In the “RADIUS” tab, ensure “Log user out if no interim updates are received” is set to “Disabled”.


Click “OK” at the bottom of the window when completed.


Additional Settings

In the SonicWALL console, navigate to “Users > Settings” and ensure the following items are configured:

  • User Authentication Settings > Case-sensitive user names: unchecked


  • User Session Settings > Inactivity timeout (minutes): This number should be set relatively high to prevent users from timing out prematurely. OPSWAT recommends starting at 720 and adjusting up or down as needed.


  • User Session Settings for SSO-Authenticated Users > On inactivity timeout make all users inactive instead of logging out: Set this to true

  • User Session Settings for SSO-Authenticated Users > Age out inactive users after (minutes): This number should be set relatively high to prevent users from timing out prematurely. OPSWAT recommends starting at 720 and adjusting up or down as needed.


When complete, click “Accept” at the top of the page.


Configure Contextual Intelligence Publisher

Once SonicWALL is configured, open the SafeConnect Configuration at https://auth.impulse.com:8443/ConnectUI (auth.impulse.com can be replaced by the manager IP or a branded URL) and choose “Contextual Intelligence Publisher.” Click on “Add” and enter the following information:

  • Publisher: RADIUS Accounting

  • Name: A name that describes where CIP is publishing data.

  • IP: The IP of the SonicWALL appliance

  • Port: RADIUS accounting port – the default of 1813 is recommended

  • Protocol: UDP

  • Shared Secret: The shared secret configured in SonicWALL.

Once everything is entered, click “Submit”. Once saved, data will start being published to SonicWALL.
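
To illustrate what the publisher settings above put on the wire, the following added example (not OPSWAT or SonicWALL code) builds and verifies an RFC 2866 Accounting-Request in Python. The attribute mapping (User-Name, Framed-IP-Address, Calling-Station-Id), the function names and all sample values are assumptions constructed for illustration.

```python
import hashlib
import hmac
import socket
import struct

ACCOUNTING_REQUEST = 4  # RFC 2866 packet code
# Attribute types from RFC 2865/2866; which ones CIP actually sends is an assumption.
USER_NAME, FRAMED_IP, CALLING_STATION_ID, ACCT_STATUS_TYPE = 1, 8, 31, 40

def _attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def _authenticator(code, ident, length, attrs, secret):
    # RFC 2866: MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)
    header = struct.pack("!BBH", code, ident, length)
    return hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()

def build_accounting_start(ident, username, ip, mac, secret):
    attrs = (_attr(ACCT_STATUS_TYPE, struct.pack("!I", 1))  # 1 = Start
             + _attr(USER_NAME, username.encode())
             + _attr(FRAMED_IP, socket.inet_aton(ip))
             + _attr(CALLING_STATION_ID, mac.encode()))
    length = 20 + len(attrs)
    auth = _authenticator(ACCOUNTING_REQUEST, ident, length, attrs, secret)
    return struct.pack("!BBH", ACCOUNTING_REQUEST, ident, length) + auth + attrs

def verify_and_parse(packet, secret):
    """Return the identity fields, or None if the packet fails validation."""
    if len(packet) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return None
    attrs = packet[20:]
    expected = _authenticator(code, ident, length, attrs, secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        return None  # wrong shared secret, or packet modified in transit
    fields, i = {}, 0
    while i < len(attrs):
        a_len = attrs[i + 1] if i + 1 < len(attrs) else 0
        if a_len < 2 or i + a_len > len(attrs):
            return None  # malformed attribute
        fields[attrs[i]] = attrs[i + 2:i + a_len]
        i += a_len
    return {"username": fields.get(USER_NAME, b"").decode(),
            "ip": socket.inet_ntoa(fields[FRAMED_IP]) if FRAMED_IP in fields else None,
            "mac": fields.get(CALLING_STATION_ID, b"").decode()}
```

The authenticator only proves knowledge of the shared secret; the username, IP and MAC attributes themselves travel unencrypted over UDP. This is why the shared secret should be long, random and used for this integration only, as the accounting client step above specifies.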


Verify Integration

In the SonicWALL console, navigate to “Users > Status”. When the integration is fully configured, users will appear in the “Active User Sessions” section of the status page with “Auth. By SSO/RADIUS Acct.” as the Type/Mode.