As mentioned earlier, it is possible to customize the look of the pages that are presented to the user at authentication time. Some or all of the nine supported pages can be defined.
FORM based login page - If "Login Type" in the User Authentication Rules section is set to FORM, this page is presented to the user when he surfs to the firewall. It should feature two fields, called "Username" and "Password". This information should then be POSTed to a local file called "loginuser".
Filename: FormLogin.html
User authentication was successful - This message is sent after a successful user authentication. It is possible (but not necessary) to provide a link to let users log out. Simply create a link to a local file called "logout", like this: Press <a href="logout">here</a> to log out
Filename: LoginSuccess.html
User authentication failed - This message is sent if the user authentication failed (the user most likely entered a bad username or bad password).
Filename: LoginFailure.html
User authentication was already done - This message is sent if an already authenticated user tries to authenticate again.
Filename: LoginAlreadyDone.html
User authentication challenge presented - This message is sent in case the RADIUS server issues a Challenge for the user to answer.
Filename: LoginChallenge.html
User authentication challenge timed out - This message is sent when the challenge presented by the RADIUS server has timed out, and the user answers too late.
Filename: LoginChallengeTimeout.html
User logout was successful (from a FORM-based login) - This message is sent if an authenticated user, who logged in from a FORM-based login screen, decides to manually log out.
Filename: LogoutSuccess.html
User logout was successful (from a BASICAUTH-based login) - It might be preferable to show a special "Logout Success" page if the user logged in via BASICAUTH, telling the user that the entered name and password might still be stored in the browser cache.
Filename: LogoutBasicAuthSuccess.html
User logout failed - This message is sent if logout was unsuccessful (probably because the user had already timed out and thus has been automatically removed by the firewall).
Filename: LogoutFailure.html
The maximum allowed file size for each HTML page is 10 Kilobytes. Note that links to local picture files are not allowed.
Two of these pages also support a special tag called "%USER%". When the firewall encounters this tag, it substitutes it with the actual username, as entered by the user. This tag is only valid in the "LoginSuccess.html" and "LoginChallenge.html" files. If encountered in any other file, it is regarded as standard text and is not substituted. There is also a tag called "%IPADDR%", which is substituted with the IP address of the client. It is only valid in the "LoginFailure.html", "LoginSuccess.html" and "LoginChallenge.html" files.
The "LoginChallenge.html" page deserves some extra explanation. Some authentication servers use a so-called Challenge-Response scheme to authenticate users. In short, it can be described as follows (from a RADIUS server perspective):
User sends username and password to the RADIUS server (or firewall, which in this case acts as relay to the actual RADIUS server)
The RADIUS server decides that it requires additional information to perform the authentication, so the user is challenged to encrypt an unpredictable number. This challenge, containing the unpredictable number, is returned to the client, often along with a reply-message telling the user exactly what to do (e.g., "Enter this number in your hardware-device and return the answer").
The user encrypts this number, usually using a hardware device, and returns the response to the RADIUS server.
The RADIUS server verifies that the result is correct, and either accepts or rejects the authentication.
This page supports a special tag, the %CHALLENGE_MESSAGE% tag. When the firewall encounters this tag, it substitutes it with the reply-message returned by the RADIUS server.
A few other items must also be present in this HTML file. A Username field (which might be hidden), and a Password field are required. This information needs to be sent to a local file called challenge using the HTTP-method POST.
Examples of all these files are included in the subdirectory called DefaultHTMLPages in the directory where the firewall manager is installed.
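The constraints above can be checked before the pages are uploaded. The following is an added example, not part of the product or of the original documentation: the function name check_page is hypothetical, "10 Kilobytes" is read as 10 * 1024 bytes, field names are matched exactly as spelled above, and a relative image src is treated as a local picture file.

```python
import re
from html.parser import HTMLParser

MAX_BYTES = 10 * 1024  # assumption: "10 Kilobytes" means 10 * 1024 bytes
# Tag -> files in which the firewall substitutes it (per the text above)
TAG_FILES = {
    "%USER%": {"LoginSuccess.html", "LoginChallenge.html"},
    "%IPADDR%": {"LoginFailure.html", "LoginSuccess.html", "LoginChallenge.html"},
    "%CHALLENGE_MESSAGE%": {"LoginChallenge.html"},
}
# File -> (local file the form must POST to, required field names)
FORMS = {
    "FormLogin.html": ("loginuser", {"Username", "Password"}),
    "LoginChallenge.html": ("challenge", {"Username", "Password"}),
}

class _Scan(HTMLParser):  # collects form targets, input names, image sources
    def __init__(self):
        super().__init__()
        self.forms, self.inputs, self.images = set(), set(), []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.add((a.get("action") or "", (a.get("method") or "get").lower()))
        elif tag == "input":
            self.inputs.add(a.get("name") or "")
        elif tag == "img":
            self.images.append(a.get("src") or "")

def check_page(filename, data):
    """Return the list of problems found in one banner page (raw bytes)."""
    problems = []
    if len(data) > MAX_BYTES:
        problems.append(f"size {len(data)} exceeds {MAX_BYTES} bytes")
    text = data.decode("latin-1")
    scan = _Scan()
    scan.feed(text)
    for tag, files in TAG_FILES.items():
        if tag in text and filename not in files:
            problems.append(f"{tag} is not substituted in {filename}")
    for src in scan.images:  # assumption: a relative src is a local picture file
        if not re.match(r"(?i)^([a-z][a-z0-9+.-]*:|//)", src):
            problems.append(f"local image link: {src}")
    if filename in FORMS:
        action, fields = FORMS[filename]
        if (action, "post") not in scan.forms:
            problems.append(f"no form POSTing to '{action}'")
        for name in sorted(fields - scan.inputs):
            problems.append(f"missing input field '{name}'")
    return problems
```

Run check_page over every file in a rule's HTML directory before uploading; an empty list means the page meets the documented constraints.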
In order to be able to present different HTML pages for different user authentication rules, the firewall needs to know which pages belong to which user authentication rules. This short "how-to" explains how this is done:
When the Amaranten Firewall was installed, a directory called "HTTPAuth HTML Root", located in the directory where the Amaranten Firewall Manager was installed, was created. It contains one subdirectory, called "Sample pages". Open up the Amaranten Firewall Manager, enter the Security Editor, and click on properties on the firewall. Choose the "Options" tab, and enter the path to this "root" directory in "Path to the HTML banner files".

Using Windows Explorer, create a subdirectory in the "HTTP Auth HTML Root" directory, e.g. "salespages". The root directory should now contain two directories, "Sample Pages" and "salespages".
Place the customized pages that users matching a specific User Authentication Rule should be presented with in that directory. It might be preferable to copy the pages found in the "Sample Pages" directory into the new directory, and edit them instead of creating brand new ones.
Enter a new (or edit an old) User Authentication Rule, and click on the "Agent Option" tab. In the "HTML Directory" field, the directory containing the appropriate customized HTML files, e.g. "salespages", should be selectable.
Repeat steps 3-5 if there is a need to customize other User Authentication Rules.
Now, to upload these files to the firewall, select the firewall and select "Upload HTML Banner Files" under the Action->Communication menu.

If these pages are updated at a later time, remember to upload them to the firewall, using step 6. In order for the changes to take effect, the firewall must be reconfigured.