“Available methods” tab

This screen offers the choice of one or several authentication methods and their configuration.

Authentication methods

The left column is dedicated to the list of authentication methods. The right column displays the options for setting the selected authentication method.

The Add a method button opens a drop-down list offering 8 authentication methods; a method that is no longer needed can be removed with Delete. Together with Temporary accounts (see below), the available methods are:

  • LDAP
  • SSL Certificate (SSL)
  • RADIUS
  • Kerberos
  • Transparent authentication (SPNEGO)
  • SSO Agent
  • Guest method
  • Temporary accounts
  • Sponsorship method

When temporary account management is enabled on the firewall, the Temporary accounts method will automatically appear in the column of authentication methods.

LDAP

This method has no settings on this tab: its configuration is taken automatically from the LDAP directory declared in the Users\Directory configuration menu, so such a directory must be set up beforehand.

SSL Certificate (SSL)

After having selected your authentication method from the left column, you may enter information about it in the right column, which sets out the following elements:

List of trusted certificate authorities (CA)

The SSL authentication method accepts certificates signed by a certification authority external to the Firewall. Such an authority must be added to the Firewall's configuration for the Firewall to accept the certificates it has signed.

If the certification authority itself is signed by another certification authority, it can then be added to the list of trusted CAs in order to create a “Trusted CA chain”.

Any trusted CA or trusted CA chain specified in the SSL authentication configuration is added alongside the Firewall's internal CA, which is implicitly trusted as soon as a valid internal root authority exists on the Firewall.

Add

Adding a certification authority to a list of trusted certification authorities allows the recognition of this authority and the validation of all certificates signed by this certification authority.

By clicking on Add, then on the icon that appears on the selected line, you will access the CA window (Cf. Certificates and PKI).

 

If the certificate authority you wish to trust is not in the list of external certificates, click on Select in the external certificate window to add this certificate authority to the list.

 

Firewalls support multi-level root authorities – the certificate of the user to be authenticated is signed by a certificate authority, which is itself signed by a higher authority. You can insert the whole certification chain created by this multi-level root authority.

 

For the chain to be applied correctly, every link must be inserted, from the highest authority you have added down to the authority that directly issued the user certificate. A missing intermediate breaks the chain even when both the root and the issuing authority are present.
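The following added example (not Stormshield code) shows what the chain-completeness rule above amounts to. Certificates are modelled as constructed (subject, issuer) pairs rather than real X.509 files; walking from the user certificate's issuer up to a self-signed root fails as soon as one intermediate is absent from the trusted list, which is exactly the situation the paragraph warns against.

```python
"""Check that the trusted CAs form an unbroken chain above a user certificate.

Added example, not Stormshield code. Certificates are modelled as constructed
(subject, issuer) pairs; a real check would read these names from X.509 files.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str   # equal to subject for a self-signed root

    @property
    def is_root(self) -> bool:
        return self.subject == self.issuer


def build_chain(user_cert: Cert, trusted: list) -> list:
    """Walk from the CA that signed user_cert up to a root, one trusted CA per step.

    Returns the ordered chain of trusted CAs (issuing CA first, root last).
    Raises ValueError naming the missing link if an authority in the chain was
    not inserted, which is what an incomplete "Trusted CA chain" looks like.
    """
    by_subject = {ca.subject: ca for ca in trusted}
    chain, seen = [], set()
    wanted = user_cert.issuer
    while True:
        ca = by_subject.get(wanted)
        if ca is None:
            raise ValueError(f"missing link in trusted CA chain: {wanted!r}")
        if ca.subject in seen:
            raise ValueError(f"loop in CA chain at {wanted!r}")
        seen.add(ca.subject)
        chain.append(ca)
        if ca.is_root:
            return chain
        wanted = ca.issuer


def chain_is_complete(user_cert: Cert, trusted: list) -> bool:
    try:
        build_chain(user_cert, trusted)
        return True
    except ValueError:
        return False


# Constructed three-level hierarchy: root -> intermediate -> issuing CA -> user.
ROOT = Cert("CN=Company Root CA", "CN=Company Root CA")
INTERMEDIATE = Cert("CN=Company Intermediate CA", "CN=Company Root CA")
ISSUING = Cert("CN=Company Users CA", "CN=Company Intermediate CA")
USER = Cert("CN=alice,O=Company", "CN=Company Users CA")

if __name__ == "__main__":
    print([c.subject for c in build_chain(USER, [ROOT, INTERMEDIATE, ISSUING])])
    # Root and issuing CA present but the intermediate forgotten: the chain is broken.
    print(chain_is_complete(USER, [ROOT, ISSUING]))
```

The order in which the authorities are inserted does not matter; what matters is that every issuer named along the way is present.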

Delete

Deletes the selected certificate authority.

Certificate authority (CA): This field displays the certificate authorities you wish to trust and which will be used.

The certificate field used to find the user in the LDAP directory (by default, the e-mail address in the certificate's subject) and the LDAP attribute matched against it (by default, the e-mail address as well) can both be changed. These settings can be configured in CLI.

Advanced configuration

You can enable searches in several LDAP directories.

Various criteria can therefore be defined: for a given directory, you can indicate a character string to look for in a specific field in the certificate. This string needs to be defined in the form of a regular expression.

Enable searching in several LDAP directories (SSL authentication)

Selecting this checkbox enables searches for users in several LDAP directories and provides access to the search criteria grid.

List of search criteria

Each criterion is defined by a certificate field, a regular expression and an LDAP directory.

You can Add, Delete, or move a criterion Up or Down the list using the relevant buttons. These criteria are assessed according to the order defined in the grid.

Field

This drop-down list selects the field of the certificate whose value will be matched against the regular expression.

Regular expression

Enter the regular expression that defines the character strings to look for in the certificate's field.

Domain or directory

Select the LDAP directory to query in order to authenticate users whose certificate field contains a string matching the regular expression.
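As an added example (not Stormshield code), the evaluation of the criteria grid can be written as follows. Certificate fields are a constructed dict, the directory names (ldap-sales, ldap-corp, ldap-partners) are hypothetical, and the example also shows why the order of the grid matters and why the regular expressions should be anchored.

```python
"""Evaluate SSL-authentication search criteria in grid order.

Added example, not Stormshield code. Each criterion is (certificate field,
regular expression, LDAP directory); the first criterion whose expression
matches the field's value selects the directory to query. Certificates are
modelled as constructed dicts of subject fields; directory names are hypothetical.
"""
import re
from typing import NamedTuple, Optional


class Criterion(NamedTuple):
    field: str       # certificate field to inspect, e.g. "emailAddress" or "O"
    pattern: str     # regular expression applied to that field's value
    directory: str   # LDAP directory to query when the expression matches


def select_directory(cert_fields: dict, criteria: list) -> Optional[str]:
    """Directory of the first matching criterion, or None when nothing matches.

    re.search is used, so an unanchored pattern matches anywhere in the value;
    anchor with ^ and $ when the whole value (or its end) must match.
    """
    for crit in criteria:
        value = cert_fields.get(crit.field)
        if value is not None and re.search(crit.pattern, value):
            return crit.directory
    return None


# Constructed grid. The sales sub-domain is tested first on purpose: the second
# expression also matches "@sales.company.com", so reversing the order would
# send every sales user to the corporate directory.
CRITERIA = [
    Criterion("emailAddress", r"@sales\.company\.com$", "ldap-sales"),
    Criterion("emailAddress", r"company\.com$", "ldap-corp"),
    Criterion("O", r"^Partner Ltd$", "ldap-partners"),
]

# Same intent without the trailing anchor: "company.com" now also matches a
# certificate issued to user@company.com.evil.example and routes it to ldap-corp.
UNANCHORED = [Criterion("emailAddress", r"company\.com", "ldap-corp")]

if __name__ == "__main__":
    for fields in ({"emailAddress": "bob@sales.company.com"},
                   {"emailAddress": "bob@company.com"},
                   {"O": "Partner Ltd", "CN": "eve"},
                   {"emailAddress": "mallory@evil.example"}):
        print(fields, "->", select_directory(fields, CRITERIA))
```

Because a match decides which directory the user is looked up in, an over-broad expression can steer a certificate from an untrusted issuer into a directory it should never reach; the trusted CA list limits who can present a certificate at all, but the criteria decide where the user is searched.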

RADIUS

RADIUS is a standard client-server authentication protocol used to control network access for remote users. The RADIUS server is backed by an identity database (an LDAP directory, for example). The Stormshield Network firewall acts as a RADIUS client: it forwards the authentication requests of users wishing to pass through the Firewall to an external RADIUS server, and a user is authenticated on the Firewall only if the RADIUS server accepts the request sent by the Firewall.

All RADIUS transactions (exchanges between the Firewall and the RADIUS server) are authenticated with a pre-shared secret that is never transmitted over the network. The same secret is used to hide the user's password in the request sent from the Firewall to the RADIUS server.
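To make the two uses of the pre-shared secret concrete, here is an added example (not Stormshield code) of the Access-Request / Access-Accept exchange as specified in RFC 2865, with constructed secret, password and Request Authenticator values.

```python
"""RADIUS Access-Request / Access-Accept exchange showing where the shared secret is used.

Added example, not Stormshield code. It implements the two uses of the pre-shared
secret in RFC 2865: hiding the User-Password attribute (section 5.2) and computing
the Response Authenticator the client checks on the server's reply (section 3).
Secret, password and Request Authenticator are constructed values.
"""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: NUL-pad to 16-byte blocks; XOR each block with MD5(secret + previous
    ciphertext block), the first "previous block" being the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: inverse of hide_password (a password ending in NUL bytes loses them)."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length covers the two header bytes."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(raw: bytes) -> dict:
    attrs, pos = {}, 0
    while pos < len(raw):
        attr_type, length = raw[pos], raw[pos + 1]
        if length < 2 or pos + length > len(raw):
            raise ValueError("malformed attribute")
        attrs[attr_type] = raw[pos + 2:pos + length]
        pos += length
    return attrs


def build_access_request(ident: int, username: bytes, password: bytes,
                         secret: bytes, request_auth: bytes) -> bytes:
    """Firewall -> RADIUS server. request_auth must be 16 fresh random bytes per request."""
    attrs = attribute(ATTR_USER_NAME, username)
    attrs += attribute(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def response_authenticator(code: int, ident: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret): only a party holding the
    secret can produce it, which is how the firewall knows the reply came from its server."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_reply(code: int, ident: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """RADIUS server -> firewall."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + response_authenticator(code, ident, attrs, request_auth, secret) + attrs


def reply_is_authentic(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Firewall side: reject replies not computed with our secret and our Request Authenticator."""
    if len(reply) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        return False
    expected = response_authenticator(code, ident, reply[20:], request_auth, secret)
    return hmac.compare_digest(reply[4:20], expected)


SECRET = b"constructed-shared-secret"   # configured on both ends, never sent on the wire
REQUEST_AUTH = bytes(range(16))         # constructed; use os.urandom(16) for real requests

if __name__ == "__main__":
    request = build_access_request(7, b"alice", b"correct horse", SECRET, REQUEST_AUTH)
    attrs = parse_attributes(request[20:])
    print(attrs[ATTR_USER_PASSWORD].hex())          # 16 bytes, not the cleartext password
    print(unhide_password(attrs[ATTR_USER_PASSWORD], SECRET, REQUEST_AUTH))
    reply = build_reply(ACCESS_ACCEPT, 7, b"", REQUEST_AUTH, SECRET)
    print(reply_is_authentic(reply, REQUEST_AUTH, SECRET),
          reply_is_authentic(reply, REQUEST_AUTH, b"other-secret"))
```

Two caveats follow from the code. The password is not encrypted in the modern sense: it is XORed with an MD5 keystream derived from the secret and the Request Authenticator, so a weak or guessable secret, or a predictable Request Authenticator, exposes it, and the request carries no integrity check unless a Message-Authenticator attribute (RFC 2869) is added. Choose a long random pre-shared key and treat the path between the firewall and the RADIUS server as sensitive (dedicated management network, IPsec, or RADIUS over TLS per RFC 6614 where the server supports it).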

After having selected your authentication method from the left column, you may enter information about it in the right column, which sets out the following elements:

Access to the server

When the RADIUS method is selected, RADIUS authentication will be enabled. This menu will allow you to specify information relating to the external RADIUS server used and a backup RADIUS server. For each of them, the configuration requires the following information:

 

Server

IP address of the RADIUS server.

Port

Port used by the RADIUS server. By default, the port 1812 / UDP named RADIUS is selected.

Pre-shared key

Key used for encrypting exchanges between the firewall and the RADIUS server.

Backup server

Server

IP address of the backup server.

Port

Port used by the backup server if the main server is no longer available. By default, the port 1812 / UDP named RADIUS is selected.

Pre-shared key

Key used for encrypting exchanges between the firewall and the backup server.

REMARK

The Firewall will attempt to connect twice to the “main” RADIUS server, and in the event of failure, will attempt to connect twice to the “backup” RADIUS server. If the backup RADIUS server responds, it will become the main RADIUS server. After 600 seconds, a new switch will take place, and the original “main” RADIUS server will become the “main” server again.

Kerberos

Kerberos differs from the other authentication methods: rather than having each client host authenticate directly with each server, it relies on symmetric-key cryptography and a trusted third party, the Key Distribution Center (KDC), to authenticate users on the network.

During the authentication process, the Stormshield Network Firewall acts as a Kerberos client requesting authentication on behalf of the user. Even if the user has already authenticated with the KDC, for example to open a Windows session, the user must authenticate again with the same credentials in order to pass through the Firewall (single sign-on is provided by the SPNEGO and SSO Agent methods, not by this one).

After having selected your authentication method from the left column, you may enter information about it in the right column, which sets out the following elements:

Domain name (FQDN)

Domain name assigned to the Active Directory server for the Kerberos authentication method. Defining this domain name allows masking the server’s IP address and simplifying the search for it.

Example: www.company.com: company.com represents the domain name, which is more legible than its corresponding IP address: 91.212.116.100.

Access to the server

Server

IP address of the server for the Kerberos authentication method (Active Directory for example)

Port

Port used by the server. By default, the port 88 / UDP named Kerberos_udp is selected.

Backup server

Server

Backup IP address of the Active Directory server for the Kerberos authentication method

Port

Port used by the backup server if the main server is no longer available. By default, the port 88 / UDP named Kerberos_udp is selected.

Transparent authentication (SPNEGO)

The SPNEGO method enables Single Sign On to function in web authentication with an external Kerberos authentication server. This means that a user who connects to his domain via a Kerberos-based solution would be automatically authenticated on a Stormshield Network Firewall when he accesses the internet (requiring authentication in the filter policy on the Firewall) with a web browser (Internet Explorer, Firefox, Mozilla).

In order to implement this method, you must first execute the KEYTAB generation script spnego.bat on the domain controller. This script is available in your secure area, in the Knowledge Base (article "Where can I find the last version of the ''spnego.bat'' script?").

REMARK

The parameters requested when the script is executed are case-sensitive and must be strictly followed as they cannot be modified later. In the event of an error, a backup of the domain controller has to be restored in order to continue with the installation.

For firewalls that have not been configured in high availability, it is advisable to indicate the serial number of the firewall instead of its name to identify it (this name corresponds to the name indicated in the Stormshield Network script that comes with the installation hardware). The Service name will be the serial number preceded by “HTTP/”. Example: HTTP/U70XXAZ0000000

For firewalls in high availability, since the identifier has to be the same for both appliances, you are advised to use the name of the authentication portal’s certificate (CN) entered in the Captive portal tab in the Authentication module.

SPNEGO can be configured on the firewall with the options explained in the table below:

Service name

This field represents the name of the Kerberos service used by the firewall, obtained after the spnego.bat script has been executed.

Domain name

Kerberos server’s domain name. This domain name corresponds to the full name of the Active Directory domain. It has to be entered in uppercase.

KEYTAB

This field holds the shared secret generated when the script is run on Active Directory. It has to be provided to the firewall so that it can communicate with Active Directory, and is also produced by the spnego.bat script.
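Since the script's parameters cannot be corrected afterwards, it is worth checking the generated file before it is uploaded. The following added example (not Stormshield code, and not the spnego.bat script) encodes and decodes the MIT keytab format (version 0x0502) and verifies its contents against the rules above: service name HTTP/<serial number or portal CN>, realm in uppercase, and no legacy encryption type. The realm COMPANY.LOCAL, the timestamp and the key bytes are constructed.

```python
"""Inspect a Kerberos keytab before uploading it for the SPNEGO method.

Added example, not Stormshield code and not the spnego.bat script. Encodes and decodes
the MIT keytab format (version 0x0502) so that principal, realm and encryption type can
be checked offline against the rules above. Realm, timestamp and key bytes are constructed.
"""
import struct
from dataclasses import dataclass

KEYTAB_VERSION, KRB5_NT_PRINCIPAL, AES256_CTS_HMAC_SHA1_96 = 0x0502, 1, 18
WEAK_ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "rc4-hmac"}   # RFC 3961 / RFC 4757 numbers


@dataclass
class KeytabEntry:
    realm: str
    components: list           # ["HTTP", "U70XXAZ0000000"] for a firewall identified by serial number
    name_type: int
    timestamp: int
    kvno: int
    enctype: int
    key: bytes

    @property
    def principal(self) -> str:
        return "/".join(self.components) + "@" + self.realm


def _counted(data: bytes) -> bytes:
    """counted_octet_string: 16-bit big-endian length followed by the bytes."""
    return struct.pack("!H", len(data)) + data


def encode_keytab(entries: list) -> bytes:
    out = struct.pack("!H", KEYTAB_VERSION)
    for e in entries:
        body = struct.pack("!H", len(e.components)) + _counted(e.realm.encode())
        body += b"".join(_counted(c.encode()) for c in e.components)
        body += struct.pack("!IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
        body += struct.pack("!HH", e.enctype, len(e.key)) + e.key
        body += struct.pack("!I", e.kvno)            # optional 32-bit kvno after the key block
        out += struct.pack("!i", len(body)) + body   # entry size excludes the size field itself
    return out


def decode_keytab(blob: bytes) -> list:
    (version,) = struct.unpack("!H", blob[:2])
    if version != KEYTAB_VERSION:
        raise ValueError(f"unsupported keytab version {version:#06x}")
    entries, pos = [], 2
    while pos + 4 <= len(blob):
        (size,) = struct.unpack("!i", blob[pos:pos + 4])
        pos += 4
        if size < 0:                                 # negative size marks a deleted slot
            pos += -size
            continue
        if size == 0:
            break
        end = pos + size
        (ncomp,) = struct.unpack("!H", blob[pos:pos + 2])
        pos += 2
        strings = []                                 # realm first, then the name components
        for _ in range(ncomp + 1):
            (n,) = struct.unpack("!H", blob[pos:pos + 2])
            strings.append(blob[pos + 2:pos + 2 + n].decode())
            pos += 2 + n
        name_type, timestamp, vno8 = struct.unpack("!IIB", blob[pos:pos + 9])
        enctype, klen = struct.unpack("!HH", blob[pos + 9:pos + 13])
        key = blob[pos + 13:pos + 13 + klen]
        pos += 13 + klen
        kvno = struct.unpack("!I", blob[pos:pos + 4])[0] if end - pos >= 4 else vno8
        entries.append(KeytabEntry(strings[0], strings[1:], name_type, timestamp, kvno, enctype, key))
        pos = end
    return entries


def check_spnego_keytab(blob: bytes, service_name: str, realm: str) -> list:
    """Problems found; an empty list means the keytab matches the firewall's SPNEGO settings."""
    entries = decode_keytab(blob)
    if not entries:
        return ["keytab contains no entries"]
    problems = []
    for e in entries:
        if e.realm != e.realm.upper():
            problems.append(f"realm {e.realm!r} must be uppercase")
        if e.realm != realm:
            problems.append(f"realm {e.realm!r} does not match {realm!r}")
        if "/".join(e.components) != service_name:
            problems.append(f"principal {e.principal!r} is not {service_name!r}")
        if e.enctype in WEAK_ENCTYPES:
            problems.append(f"{e.principal}: weak enctype {WEAK_ENCTYPES[e.enctype]}")
    return problems


# Constructed keytab for a non-HA firewall identified by its serial number.
GOOD = encode_keytab([KeytabEntry("COMPANY.LOCAL", ["HTTP", "U70XXAZ0000000"], KRB5_NT_PRINCIPAL,
                                  1_700_000_000, 2, AES256_CTS_HMAC_SHA1_96, bytes(32))])
# Same principal with a lowercase realm and an RC4 key: both are flagged.
BAD = encode_keytab([KeytabEntry("company.local", ["HTTP", "U70XXAZ0000000"], KRB5_NT_PRINCIPAL,
                                 1_700_000_000, 2, 23, bytes(16))])

if __name__ == "__main__":
    print(check_spnego_keytab(GOOD, "HTTP/U70XXAZ0000000", "COMPANY.LOCAL"))
    print(check_spnego_keytab(BAD, "HTTP/U70XXAZ0000000", "COMPANY.LOCAL"))
```

To check a real file, pass its bytes (for instance the output of `open("firewall.keytab", "rb").read()`, file name hypothetical) to check_spnego_keytab together with the Service name and Domain name you intend to enter in the fields above; the realm comparison is deliberately case-sensitive because the firewall expects it in uppercase.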

SSO Agent

Single Sign-On (SSO) allows a user to authenticate only once to access several services. 

The SSO agent method requires the installation of the Stormshield Network SSO Agent application, a Windows service that allows Stormshield Network firewalls to benefit from a seamless authentication on Windows Active Directory. Please refer to the technical note Stormshield Network SSO Agent - Installation and deployment for instructions on how to install this application.

When a user logs on to the Windows domain by opening his session, he will automatically be authenticated on the firewall. The principle is as follows: the SSO agent gathers information on the identification of a user on the domain by connecting remotely to the event viewer on the domain controller. The SSO agent then relays this information to the firewall through an SSL connection, which updates its table of authenticated users.

From version 3 of the firmware onwards, up to 5 SSO agents can be declared, thereby making it possible to manage authentication on 5 Windows Active Directory domains without trust relationships between them. These domains must be declared beforehand as external Microsoft Active Directory types of LDAP directories (Users > Directory configuration module). Additional SSO agents will be named SSO Agent 1, SSO Agent 2, etc.

After having added this method, you can enter the information relating to its configuration.

SSO Agent

Domain name

Select the Microsoft Active Directory corresponding to the domain on which users will be authenticated. This directory must be configured beforehand through the Directory configuration module.

 
SSO Agent
IP address

IP address of the server for the machine hosting Stormshield Network SSO Agent.

Port

By default, the port "agent_ad" is selected, corresponding to port 1301. The protocol used is TCP.

Pre-shared key

This key is used for SSL encryption in exchanges between the SSO agent (machine hosting Stormshield Network SSO Agent) and the firewall.

Enter the pre-shared key (password) defined during the installation of the SSO agent.

Confirm pre-shared key

Confirm the pre-shared key/password that was typed in the previous field.

Pre-shared key strength

This field indicates your password’s level of security: “Very Weak”, “Weak”, “Medium”, “Good” or “Excellent”. The use of uppercase and special characters is strongly advised.

SSO backup agent

The fields for configuring the backup SSO agent are the same as those for the main agent.

Domain controller

You will need to add all the domain controllers that control the selected Active Directory domain. They have to be saved in the firewall’s object database.

Add a domain controller

Click to select or create the corresponding object in the firewall's object database.

NOTE

Each SSO agent manages a single domain, as only one directory can be selected for it; to cover several domains, declare several SSO agents (see above).

Advanced properties
Maximum authentication duration

Define the maximum duration for the session of an authenticated user. After this period, the firewall will delete the user from its table of authenticated users, thereby logging out the user.

 

This duration is to be defined in seconds or minutes. It is set by default to 36000 seconds, or 10 hours.

Refresh user group updates

If an Active Directory has been configured on the firewall (Directory configuration module), the firewall periodically checks for changes to the LDAP directory groups. It then updates its directory configuration and sends this information to the SSO agent.

 

This duration defined in seconds, minutes or hours, is set by default to 3600 seconds, or 1 hour.

 

Disconnection detection

This option deletes authenticated users when the associated host logs off or its session is closed. The test that detects which hosts are still connected is carried out either by pinging or by the Registry method.

If this method is not enabled, the user will only be disconnected after the defined authentication period, even if his session is shut down.

Detection method

Select a log-off detection method, PING or Registry database:

PING

The SSO agent tests the reachability of all hosts authenticated on the firewall, every 60 seconds by default.

If it gets a host unreachable response or no response is received from an IP address after the period defined hereafter, the SSO agent will send a logoff request to the firewall. The firewall will then delete the user associated with this IP address from its table of authenticated users, thereby logging out the user.

Registry

The Windows Registry is a database in which the operating system stores information about the system's configuration and installed software. Reading it allows, for example, detecting a session that has been closed on a host that is still running.

In the event of a positive response to the ping, the SSO agent will log on remotely to the host and check in the Registry database the list of users with a session open on the host. This allows updating the firewall’s table of authenticated users.

 

Consider as disconnected after

If a host does not respond to the ping after this period, it will be considered disconnected. The firewall will then delete the user associated with this host from its table of authenticated users.

This duration defined in seconds, minutes or hours, is set by default to 5 minutes.


Enable DNS host lookup

This option allows managing changes to the IP addresses of user workstations and authenticating users who have logged on to hosts that have several IP addresses.

Guest method

This mode allows identification without authentication, for access to a public Wi-Fi network, for example. This method automatically activates the display of the conditions of use for internet access. These conditions can be customized in the Captive portal tab. By default, the frequency of this display confirming the authentication is 18 hours and can be modified in the settings for this method (disclaimertime).

When these "guest" users log on, the events are logged together with the source MAC address. This identification is checked every 4 hours; the period can be set with the following CLI command, in which logontime and disclaimertime are expressed in seconds (14400 s = 4 hours, 64800 s = 18 hours):

CONFIG AUTH GUEST state=1 logontime=14400 disclaimertime=64800

NOTE 

In the security policy, the User object to select to match the Guest method is “All”.

Display frequency of the Conditions of use for internet access

With this method, the Conditions of use for internet access – commonly known as Disclaimer – are systematically shown to the user. A checkbox to indicate the user’s agreement has to be checked before the user can authenticate.

 

These conditions can be customized in the “Captive portal” tab.

 

If the feature has also been enabled in the profiles of the captive portal, this display frequency will be different from the one configured for the other methods.

Temporary accounts

This service enables the management of accounts with a limited validity duration. These accounts are meant to provide temporary public Internet access to persons outside the organization. Temporary accounts are not saved in the LDAP directory(ies) declared on the firewall.

Default validity duration of a new user account (days)

Sets the validity duration (in days) suggested by default when a new temporary account is created.

Go to the list of temporary accounts

This shortcut redirects you to the Users > Temporary accounts module, where these accounts can be managed (added, modified, deleted).

Sponsorship method

This mode enables identification without authentication through the captive portal. The sponsored party will need to enter his/her first name and last name and his/her sponsor's email address. The sponsor will then receive an email containing a link to confirm this request. After the request has been validated, the sponsored party will automatically be redirected from the captive portal to the requested web page.

Minimum authentication duration

Define the minimum duration of a session for a sponsored user.

 

This duration is to be defined in minutes, hours or days. It is set by default to 15 minutes.

Maximum authentication duration

Define the maximum duration of a session for a sponsored user. After this duration has lapsed, the firewall will log off the user.

 

This duration is to be defined in minutes, hours or days. It is set by default to 240 minutes, or 4 hours.