
8e6 Authentication

Deployment Considerations

  • The R3000 senses network traffic on one interface and issues block packets on a second interface. This is the best-practice configuration for scalability. The R3000 can sense and issue block packets on the same interface, but performance will be limited.

  • The 8e6 R3000 authentication setup requires adding a virtual network interface (a second IP address) to one of the R3000 physical network ports. This virtual "authentication address" is typically added to the "block page" interface (i.e. the same interface you use for administration).

  • When deploying the R3000 in by-pass (invisible) mode, the sense interface should keep the placeholder 1.2.3.4/32 address. This is a best practice: the sense interface should never carry a routable address of its own, and the reason becomes apparent during any routing or authentication troubleshooting.

  • Ensure that the R3000 can communicate with the Directory Server over TCP port 389 (LDAP). If the R3000 is deployed in a DMZ (or another firewall-controlled subnet), port 389 traffic to the Directory Server may be blocked. Keep in mind that a simple LDAP bind on port 389 carries the bind account's password in the clear, so this path should stay within a trusted network segment.

  • The R3000 requires a dedicated Directory user account for the connections and searches made by the R3000 LDAP client. This account should be unique to the 8e6 platform (e.g. "8e6 filter") and should have read/search permission on the user and group containers, and nothing more. The full Directory Server object "DN" (distinguished name) of this account is required to configure 8e6 authentication (i.e. its X.500-style name). Reference: http://en.wikipedia.org/wiki/Active_Directory#Naming

Example: “cn=8e6bind account,ou=users,dc=domain,dc=com”.

  • Note that recent R3000 software releases (v1.10.20+) include a "DN lookup utility" for Active Directory that lets you enter a username and password and have the DN value auto-populated in the Authentication setup.

  • The "CN" (i.e. common name) value in a user's "DN" (distinguished name) is the concatenation of the First name and Last name values, separated by a space.

Example (the bind account above, read as first name "8e6bind" and last name "account"): "cn=8e6bind account,ou=users,dc=domain,dc=com".

  • For transparent Windows Domain or Novell eDirectory integration for (a) policy and (b) username reporting, the R3000 itself requires two unique IP addresses (one for the management interface, one for the authentication virtual address).

  • Production roll-out of transparent client authentication requires a one-line entry in the global login script. Test transparent client authentication locally (on a single workstation) before modifying the global login script.

  • The 8e6 authentication setup requires a "domain label" value. This is NOT an arbitrary value: it is specifically the left-hand (leftmost) DC value of your LDAP directory's base suffix. For Windows Domains, the "domain label" is typically the domain name used when adding workstations to the domain. General example: for the domain "lab.dirsec.com", the base suffix in the Directory Service is "dc=lab,dc=dirsec,dc=com", and the "domain label" for the 8e6 authentication setup is "lab".

  • (Active Directory) You must know whether the Active Directory domain is in "native mode" (no Windows NT 4.0 domain controllers) or "mixed mode" (legacy NT 4.0 backup domain controllers still supported). See the Domain Integration Notes below.

  • (Active Directory) The "domain label" for a Windows Domain can be determined with the following Visual Basic script (run from a workstation logged into the domain). Syntax from a Windows CMD prompt: "cscript netbios.vbs". http://dirwiki.dirsec.com/twiki/pub/Vendors/TechNotes8e6/netbios.zip   The NetBIOS domain name the script reports usually equals the leftmost DNS label, but Active Directory does not require the two to match; when they differ, use the value from the base suffix as described above.
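
As an added example (not 8e6 or R3000 code), the following Python script derives the values discussed above from a DNS domain name: the base suffix, the "domain label" (leftmost dc= value), and a check that the bind account DN actually lies under that suffix, which catches a DN copied from a different domain. It also applies the page's First-plus-Last rule for a user CN. The lab.dirsec.com domain, the "8e6bind account" DN and the "8e6 filter" account name come from this page; everything else is illustrative.

```python
"""Derive 8e6 authentication setup values from an LDAP base suffix.

Added example, not 8e6/R3000 code. Sample values are taken from the page
(lab.dirsec.com, cn=8e6bind account,...); other names are assumptions.
"""
import re


def base_dn_from_domain(dns_domain):
    """lab.dirsec.com -> dc=lab,dc=dirsec,dc=com (labels lower-cased)."""
    labels = [label for label in dns_domain.strip().strip(".").lower().split(".") if label]
    if not labels:
        raise ValueError("empty DNS domain")
    return ",".join("dc=%s" % label for label in labels)


def split_dn(dn):
    """Split a DN into [(attribute, value), ...], most specific RDN first.

    A comma escaped as '\\,' (RFC 4514) is part of the value, not a separator.
    Whitespace around separators is dropped and attribute types are lower-cased;
    values keep their case because matching rules differ per attribute.
    """
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        part = part.strip()
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError("malformed RDN %r in %r" % (part, dn))
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns


def domain_label(base_dn):
    """Leftmost dc= value of the base suffix: dc=lab,dc=dirsec,dc=com -> lab."""
    attr, value = split_dn(base_dn)[0]
    if attr != "dc":
        raise ValueError("base suffix must start with a dc= component, got %r" % base_dn)
    return value.lower()


def dn_under_suffix(dn, base_dn):
    """True when dn lies strictly under base_dn, i.e. ends with base_dn's RDNs."""
    def norm(rdns):
        return [(attr, value.lower()) for attr, value in rdns]
    suffix = norm(split_dn(base_dn))
    candidate = norm(split_dn(dn))
    return len(candidate) > len(suffix) and candidate[-len(suffix):] == suffix


def user_cn(first_name, last_name):
    """The page's rule for user objects: CN is first name, a space, last name."""
    return "%s %s" % (first_name.strip(), last_name.strip())


def review_setup(dns_domain, bind_dn):
    """Values to enter in the 8e6 authentication setup, plus a sanity flag
    telling you whether the bind DN really lives under the base suffix."""
    base_dn = base_dn_from_domain(dns_domain)
    return {
        "base_suffix": base_dn,
        "domain_label": domain_label(base_dn),
        "bind_dn": bind_dn,
        "bind_dn_under_suffix": dn_under_suffix(bind_dn, base_dn),
    }


if __name__ == "__main__":
    # Page values: lab.dirsec.com domain and the 8e6bind account DN.
    print(review_setup("lab.dirsec.com", "cn=8e6bind account,ou=users,dc=lab,dc=dirsec,dc=com"))
    # A bind DN copied from another domain fails the suffix check.
    print(review_setup("lab.dirsec.com", "cn=8e6bind account,ou=users,dc=domain,dc=com"))
```

Run it once with your real domain and bind DN before touching the R3000 setup screen; a bind DN whose DC components do not match the base suffix is the most common reason a "correct looking" configuration never returns any users.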


8e6 Domain Integration Notes

Things to keep in mind about domain integration:

  1. You should know whether your Windows 2003 domain is in "native mode" or "mixed mode". A "mixed mode" Windows 2003 domain retains compatibility with legacy Windows NT 4.0 backup domain controllers. A "native mode" domain has no NT 4.0 domain controllers; clients locate domain controllers through DNS, and WINS is needed only for legacy NetBIOS name resolution, not for the domain itself.

  2. The 8e6 R3000 domain setup "wizard" attempts to auto-detect the domain controller type ("mixed" or "native" mode). The default security policy on a Windows Server 2003 "native mode" domain doesn't allow the anonymous LDAP query the R3000 uses to determine the mode, so the wizard falls back to "Other" in the Directory-type tab; in that case select the directory type by hand.

  3. 8e6 "authentication" is required for (a) user/group-based filter profiles and/or (b) usernames in usage reports. If you want either, you must have some type of 8e6 authentication in place.

  4. Two "authentication" mechanisms are available for domain integration (note: both can co-exist in environments with a mix of Windows clients and Mac OS, Linux, or contractor (non-domain-joined) computers):

    1. "transparent" via the 8e6_Authenticator agent (win32 executable).

    2. web-based authentication (time- or session-based profile).

  5. "Transparent" 8e6 authentication means the end user is unaware of the 8e6 authentication event during domain logon.

  6. "Transparent" 8e6 domain integration requires execution of the 8e6_Authenticator win32 application on the end-user desktop during domain logon.

  7. The 8e6_Authenticator executable is typically placed on a read-only administrative network share and referenced from the login script (or from the Group Policy "Run these programs at user logon" setting). Keep that share read-only for everyone but administrators: every domain user executes this file at logon, so write access to it would let anyone run code under every user's account.

  8. Execution of the 8e6_Authenticator is accomplished in one of two ways (both are AD Group Policies):

    1. global domain login script

    2. "Run these programs at user logon" property of Group Policy editor


Active Directory Group Policy Reference

Group Policy Overview:

http://msdn2.microsoft.com/en-us/library/aa371968.aspx


See the following information about "Group Policy Management" for Windows 2000- and 2003-based domains. The Group Policy Object Editor is a tool that hosts MMC extension snap-ins that manage policy settings.

http://msdn2.microsoft.com/en-us/library/aa374163.aspx


Extensions to the Group Policy Object Editor. We are leveraging Administrative Templates.

http://msdn2.microsoft.com/en-us/library/aa373511.aspx


The Group Policy Management Console (GPMC) unifies Group Policy management across an enterprise.

http://msdn2.microsoft.com/en-us/library/aa814316.aspx



Example #1: using the Group Policy Editor to execute a script and/or application during domain logon

From MIT (smart guys):  Group Policy for user logon

http://web.mit.edu/acs/windows/gpsettings.html#userlogon

From MIT: this discusses Group Policy for logoff scripts (i.e. not logon scripts), but mentions logon and has good caveats:

http://web.mit.edu/is/topics/windows/server/winmitedu/extensions.html#logoffscripts



Example #2: how to set up a GPO to run logon scripts



Example #3:  manage local computer policy

reference:

http://forums.techguy.org/windows-nt-2000-xp/94793-start-up.html

 
NOTE: If you do not want to edit the Local Computer policy, click Browse to locate the group policy object that you want. Supply your user name and password if prompted, and then click Finish when you return to the Select Group Policy Object dialog box.
  • Click Close, and then in the Add/Remove Snap-in dialog box, click OK.
  • In the left pane of the Group Policy snap-in, expand Local Computer Policy, expand Computer Configuration, and then expand Administrative Templates.
  • Expand the System object, click the Logon object, and then in the right-pane, double-click Run these programs at user logon.
  • Click Enabled, and then click Show.
  • Click Add, type the name of the executable program (.exe) file or document that you want, and then click OK. You must specify the path to the file unless it is located in the %Systemroot% folder.


Example #4: logon script addition for 8e6 Authenticator (.bat file)

The 8e6_Authenticator win32 agent executes on the end-user client at domain logon. The Authenticator provides the client piece of username identification; the R3000 uses the username to correlate group membership and apply policy (when policy is based on AD group membership, etc.).

The 8e6_Authenticator is typically spawned on the end-user client via a one-line entry in the login script (applied globally, or via a GPO for specific OrgUnits):


start "" \\<server>\<share>\authenticat.exe RA[r3000_auth_IP]


Notes:
  • Alternatively, the 8e6_Authenticator will pull its configuration from authenticat.cfg when that file is present in the same location as the executable.
  • The empty quotes ("") are the window-title argument that the CMD "start" command takes as its first quoted parameter. They are needed because if the program path itself is quoted (e.g. a share path containing spaces), "start" would otherwise treat that quoted path as the title rather than as the program to run.




Example #5:  VB script examples (.wsf file)

Below are two code snippets that can be used to transparently launch the 8e6 Authenticator agent and avoid the Windows Command Prompt pop-up (i.e. the command prompt inherent in .bat script execution; see the previous example).

Note: a WSF file is a "Windows Script File". http://msdn2.microsoft.com/en-us/library/15x4407c.aspx
   

======= contents below in file with .wsf extension ====
<package>
<job>
<script language="VBScript">

' Launch the 8e6 Authenticator from the network share without a console window.
' Replace <host>, <share> and r3000_auth_IP with your values; keep RA[...] literal.
Set WshShell = WScript.CreateObject("WScript.Shell")

' Run() returns immediately (the wait-on-return argument defaults to False),
' so the logon script is not held up by the agent.
WshShell.Run "\\<host>\<share>\authenticat.exe RA[r3000_auth_IP]"

WScript.Quit

</script>
</job>
</package>

======= END contents, do not include this line ========


====== contents below in file with .wsf extension ==========

<package>
<job>
<script language="VBScript">

Option Explicit

Dim WSHShell
Set WSHShell = WScript.CreateObject("WScript.Shell")

Dim strAC

' Path to the Authenticator on the read-only share plus the RA[...] argument.
' Replace <host>, <share> and r3000_auth_IP with your values.
strAC = "\\<host>\<share>\authenticat.exe RA[r3000_auth_IP]"

' Run(command, windowStyle, waitOnReturn): 1 = normal window (0 hides it),
' False = return immediately so the logon script does not block.
WSHShell.Run strAC, 1, False
Set WSHShell = Nothing

</script>
</job>
</package>

======== END contents, do not include this line ============




 

Web-based Authentication

The 8e6 web-based authentication options provide either time-based or session-based filter profiles (tier 2 and tier 3, respectively).

Important:  

  • 8e6 web-based authentication requires forward and reverse DNS entries for the R3000 hostname (i.e. a DNS A or CNAME "forward" record and a DNS PTR "reverse" record). The 8e6 web-based form will produce an error without the PTR "reverse" record.

  • The R3000 hostname should be an FQDN (full hostname with domain).

  • The R3000 web-based authentication form defaults to an SSL-enabled connection. This requires a separate SSL server certificate to be installed. The 8e6 R3000 ships with a self-signed "dummy" certificate, which should be replaced with a commercial certificate or one issued by a private Certificate Authority that your clients already trust; otherwise every user sees a browser certificate warning on the login form and learns to click through it. http://verisign.com/, http://thawte.com/, http://geotrust.com/
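
The forward/reverse DNS requirement above is easy to get half right (an A record exists, the PTR does not, or the PTR points at a different name). The following Python check is an added example, not 8e6 or R3000 code: it resolves the R3000 FQDN, reverse-resolves the returned address and confirms the PTR points back at the same FQDN. The resolver functions are injectable so the check can run offline against the constructed zone data embedded below; called with no resolvers it uses the system resolver through the socket module. The hostnames and addresses used here are assumptions.

```python
"""Forward/reverse DNS consistency check for the R3000 hostname.

Added example, not 8e6/R3000 code. Zone data below is constructed for an
offline demonstration; names and addresses are assumptions.
"""
import socket


def _system_forward(name):
    """A/CNAME lookup via the system resolver (CNAMEs are followed)."""
    return socket.gethostbyname(name)


def _system_reverse(addr):
    """PTR lookup via the system resolver; returns the canonical name."""
    return socket.gethostbyaddr(addr)[0]


def check_dns(fqdn, forward=_system_forward, reverse=_system_reverse):
    """Return (ok, detail). ok is True only when the forward record resolves
    and the PTR for that address names the same FQDN."""
    if "." not in fqdn.strip("."):
        return False, "%r is not fully qualified; use host.domain.tld" % fqdn
    try:
        addr = forward(fqdn)
    except OSError as exc:          # gaierror is an OSError subclass
        return False, "no forward (A/CNAME) record for %s: %s" % (fqdn, exc)
    try:
        ptr_name = reverse(addr)
    except OSError as exc:          # herror is an OSError subclass
        # This is the case the page warns about: the web form errors without a PTR.
        return False, "no PTR record for %s: %s" % (addr, exc)
    if ptr_name.rstrip(".").lower() != fqdn.rstrip(".").lower():
        return False, "PTR for %s is %r, expected %r" % (addr, ptr_name, fqdn)
    return True, "%s -> %s -> %s" % (fqdn, addr, ptr_name)


# Constructed zone data for the offline demonstration (assumed values):
# r3000  : forward and PTR agree            -> passes
# filter : forward only, PTR missing        -> fails (the page's error case)
# proxy  : PTR exists but names another host -> fails
_FORWARD = {
    "r3000.lab.dirsec.com": "192.168.4.10",
    "filter.lab.dirsec.com": "192.168.4.11",
    "proxy.lab.dirsec.com": "192.168.4.12",
}
_REVERSE = {
    "192.168.4.10": "r3000.lab.dirsec.com",
    "192.168.4.12": "other.lab.dirsec.com",
}


def _fake_forward(name):
    try:
        return _FORWARD[name.lower()]
    except KeyError:
        raise socket.gaierror("NXDOMAIN %s" % name)


def _fake_reverse(addr):
    try:
        return _REVERSE[addr]
    except KeyError:
        raise socket.herror("no PTR for %s" % addr)


def demo():
    """Run the check against the constructed zone; returns {fqdn: ok}."""
    names = ["r3000.lab.dirsec.com", "filter.lab.dirsec.com",
             "proxy.lab.dirsec.com", "r3000"]
    return dict((name, check_dns(name, _fake_forward, _fake_reverse)[0]) for name in names)


if __name__ == "__main__":
    for name in demo():
        ok, detail = check_dns(name, _fake_forward, _fake_reverse)
        print("OK  " if ok else "FAIL", detail)
```

Against a live network, call check_dns("r3000.yourdomain.tld") with no resolver arguments from a client on the same subnet the users will use; a mismatch reported there is the one the login form will hit.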


Placing Web-Authentication Link on Web Page


Troubleshooting:

There are multiple potential stumbling blocks on the road to full domain integration. When correctly set up, the AD integration with 8e6 is very reliable, but the solution has a few moving pieces whose implications you need to understand.

 

General troubleshooting overview for 8e6 authentication:

  1. Ensure the Authentication virtual IP is in the same subnet as the block/mgmt interface.

  2. Ensure the Authentication virtual IP is on the same interface as the block/mgmt interface (e.g. 'eth1').

  3. The domain label is the left-hand DC value of your Active Directory base suffix. This must be correct.

    • example: a base suffix of "dc=lab,dc=dirsec,dc=com" means the 8e6 LDAP domain label is "lab".

  4. 8e6 authentication involves two things: R3000/AD communication (set up in the R3000 management interface) and the client-side 8e6_Authenticator software. The Authenticator is spawned on the end-user desktop via an AD GPO or the global login script.

  5. The command-line syntax for launching the 8e6_Authenticator is "authenticat.exe RA[<virt_IP>]".

    • example: "authenticat.exe RA[192.168.4.100]"

  6. The argument to the 8e6_Authenticator is the 8e6 virtual IP used in the Authentication setup. Note: this address does not respond to PING.

  7. Look for LOGON events in the R3000: // System tab // Diagnostics // View Log File // User Name Log. A LOGON event will show username, IP, and rule. If you don't see a LOGON event, the 8e6 R3000 doesn't know about the username.


8e6 Authenticator troubleshooting

  • Use telnet to double-check network connectivity over TCP port 139 between the end-user desktop and the R3000 virtual authentication address.

example:   "telnet  <r3000-virtual-address> 139"

  • Ensure the end-user desktop used for testing is logged on to the Windows domain (i.e. a "local" computer logon will NOT work for the 8e6_Authenticator because the session is not logged into the Windows domain).

  • Ensure the 8e6_Authenticator is not already running on the test workstation (i.e. kill any instances of authenticat.exe in Windows Task Manager).

  • Note that the R3000 virtual authentication IP address will NOT respond to PING (but will respond to telnet on port 139), so a failed ping is not evidence of a connectivity problem.

  • When manually executing the 8e6_Authenticator on a test workstation, temporarily enabling local logging can provide insight into any problems. Check the 8e6_Authenticator installation guide for the command-line options. Note: try the "telnet test" first. Remember that when executing manually on the local workstation, the user session must be logged into the domain (i.e. not a local computer account).

  • Check the User_Name_Log under R3000 Diagnostics for a LOGON entry following execution of the 8e6_Authenticator (executed as part of domain logon, or manually via a Windows CMD window):
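
Because the virtual authentication address never answers ICMP, the only meaningful reachability test is a completed TCP handshake. The following Python script is an added example (not 8e6 or R3000 code) that performs the "telnet <r3000-virtual-address> 139" check from above programmatically, and reuses the same test for the R3000-to-Directory-Server path on TCP 389. Refused, timed-out and unresolvable targets are all reported as unreachable rather than raising. The loopback self-test at the end runs offline so the logic can be verified without a lab; the addresses in the sample target list are assumptions.

```python
"""TCP reachability checks for 8e6 authentication troubleshooting.

Added example, not 8e6/R3000 code. Target addresses are assumptions;
the loopback demonstration runs without any network access.
"""
import socket


def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes within timeout seconds.

    Connection refused, timeout and name-resolution failure all return False
    instead of raising, so the caller gets a plain pass/fail per target.
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return False
    sock.close()
    return True


def run_checks(targets, timeout=3.0):
    """targets: iterable of (label, host, port). Returns {label: reachable}."""
    return dict((label, tcp_reachable(host, port, timeout)) for label, host, port in targets)


def loopback_demo():
    """Offline demonstration: a listener on an ephemeral loopback port must test
    reachable, and the same port must test unreachable once it is closed."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        port = srv.getsockname()[1]
        while_listening = tcp_reachable("127.0.0.1", port, 1.0)
    finally:
        srv.close()
    after_close = tcp_reachable("127.0.0.1", port, 1.0)
    return while_listening, after_close


if __name__ == "__main__":
    # Replace with the virtual IP from the R3000 Authentication setup and your
    # directory server; these are assumed values for illustration only.
    CHECKS = [
        ("workstation -> R3000 auth virtual IP, TCP 139", "192.168.4.100", 139),
        ("R3000 -> directory server, TCP 389", "dc1.lab.dirsec.com", 389),
    ]
    for label, ok in run_checks(CHECKS).items():
        print("OK  " if ok else "FAIL", label)
    print("loopback self-test (listening, closed):", loopback_demo())
```

Run the port 139 check from the same workstation and user session you will use to test the Authenticator; a FAIL there means a firewall or routing problem to fix before looking at the Authenticator itself.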

     




