“Authentication policy” tab
The filter table allows you to define the rules of the authentication policy to be applied through the firewall. High-priority rules are placed on top. The firewall executes rules in their order of appearance in the list (rule no. 1, 2 and so on) and stops as soon as it reaches a rule that matches the traffic that it processes. It is therefore important to define rules from most specific to most general.
If no rules have been defined in the policy or if the traffic does not match any of the specified rules, the Default method will be applied. If this method has not been configured or the action has been set to Block, all authentication attempts will be denied.
Actions on the rules of the authentication policy
Search by user
This field allows searching by user login. The rules assigned to this user appear in the table.
Example: If you enter “user1” in the field, all rules in the policy with “user1” as their source will appear in the table.
Inserts a rule, either predefined or to be defined, after the selected line. There are two possible choices.
The User object to select to match the Guest method is “All”.
This method is incompatible with multi-user objects; all users connected in Guest mode must have different IP addresses.
A separator (rule grouping) lets the administrator prioritize rules, for example, or group those that redirect traffic to different servers. You can collapse or expand the node of the separator in order to show or hide the rule grouping. You can also copy/paste a separator from one location to another.
Deletes the selected line.
Places the selected line before the line just above it.
Places the selected line after the line just below it.
Allows you to cut an authentication rule in order to move it.
Allows you to copy an authentication rule in order to duplicate it.
Allows you to duplicate an authentication rule after having copied it.
Defines one or several network objects authorized to allow several authentications on the same IP address. Click on “Add an object” and select from the drop-down list a host, network, IP address range or a group.
The SSO method does not allow “multi user” authentication.
Please refer to the last section, Transparent or explicit HTTP proxy and multi-user objects.
Some operations listed in the taskbar can be performed by right-clicking on the table of authentication rules:
- New rule (Standard rule, Guest rule, Temporary accounts rule, Sponsorship rule, Separator - rule grouping),
The authentication policy allows creating rules based on a user or a group of users. It is also possible to target certain traffic by specifying its source. Click on the "New rule" button and select "Standard rule", "Guest rule", "Temporary account rule" or "Sponsorship rule" to launch the wizard.
Step 1: User authentication
Select the user or group concerned or leave the default value at “All”. This step is not offered for rules associated with the "Guest" or "Sponsorship" methods.
Step 2: Authentication source
Click on Add an interface or Add an object in order to target the source of the traffic affected by the rule. This may be the interface on which your internal network is connected (e.g.: IN interface) or the object corresponding to the internal networks (e.g.: Network_internals).
The SSO agent authentication method cannot be applied with an interface as a criterion. This method is based on authentication events collected by domain controllers, which do not indicate the source of the traffic. A rule combining an interface as the source and the SSO agent method is therefore not allowed.
The choice offered for the interface is the SSL VPN interface, indicating the interface on which users of an SSL VPN tunnel are connected.
Step 3: Authentication methods
This step is not offered for rules associated with the "Guest", "Temporary account" or "Sponsorship" methods.
Click on Authorize a method and select from the drop-down list the desired authentication methods. The Default method selected corresponds to the method selected in the tab “Available methods”.
The “Block” entry can also be selected. Selecting it blocks any authentication attempt on traffic affected by the rule.
The authentication methods are evaluated in the order in which they appear on the list and from top to bottom. As the SSO agent method is transparent, it is by definition always applied as a priority.
To enable the new rule, double-click on the status “Disabled”.
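The first-match evaluation of the policy (rule order, the Default method fallback, Block, and the SSO agent being tried first) and the constraints stated for the SSO agent, Guest and multi-user objects, modelled as an added example that is not part of the product or this documentation. Rule and method names other than those quoted on this page (Kerberos, LDAP, the DMZ source) are assumptions.

```python
from dataclasses import dataclass, field
BLOCK, DEFAULT, SSO_AGENT, GUEST = "Block", "Default", "SSO agent", "Guest"

@dataclass
class Rule:
    user: str                                         # user or group name, or "All"
    sources: set = field(default_factory=set)         # interfaces / network objects; empty = any
    methods: list = field(default_factory=list)       # ordered; may contain DEFAULT or BLOCK
    enabled: bool = True                              # a freshly created rule starts "Disabled"

def rule_matches(rule, user, groups, source):
    if not rule.enabled:
        return False
    if rule.user != "All" and rule.user != user and rule.user not in groups:
        return False
    return not rule.sources or source in rule.sources

def resolve(methods, default_method):
    """Expand DEFAULT, honour BLOCK and put the transparent SSO agent method first."""
    if BLOCK in methods:
        return []                                     # Block denies every attempt on this traffic
    resolved = [default_method if m == DEFAULT else m for m in methods]
    resolved = [m for m in resolved if m not in (None, BLOCK)]  # unconfigured Default: nothing
    if SSO_AGENT in resolved:
        resolved = [SSO_AGENT] + [m for m in resolved if m != SSO_AGENT]
    return resolved

def allowed_methods(rules, user, groups, source, default_method):
    """First matching rule wins; with no match the Default method applies. [] means denied."""
    for rule in rules:                                # rule no. 1, 2, ... from top to bottom
        if rule_matches(rule, user, groups, source):
            return resolve(rule.methods, default_method)
    return resolve([DEFAULT], default_method)

def check_rule(rule, interfaces, multi_user):
    """Return the combinations the documentation rejects for this rule."""
    problems = []
    if SSO_AGENT in rule.methods and rule.sources & interfaces:
        problems.append("SSO agent cannot use an interface as its source")
    if rule.sources & multi_user and (SSO_AGENT in rule.methods or GUEST in rule.methods):
        problems.append("SSO agent and Guest do not support multi-user objects")
    if GUEST in rule.methods and rule.user != "All":
        problems.append("Guest rules must use the user object All")
    return problems

POLICY = [                                                     # constructed policy
    Rule("user1", {"Network_internals"}, ["Kerberos"]),        # most specific first; name assumed
    Rule("All", {"Network_internals"}, [DEFAULT, SSO_AGENT]),  # SSO agent is still tried first
    Rule("All", {"SSL VPN"}, [BLOCK]),                         # deny authentication on SSL VPN
]
```

Calling `allowed_methods(POLICY, "user2", set(), "Network_internals", "LDAP")` returns the SSO agent first and then the Default method, while a source matched by no rule falls back to the Default method alone and is denied when that method is unconfigured or set to Block.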
Select the method that will be applied when the Default method is selected in the authentication policy. The methods offered are those added to the table of available methods.
Every rule can be dragged and dropped so that the authentication policy can be reorganized easily. The drag symbol as well as the "Drag and drop to reorganize" tool tip appear when you hover over the start of the rule.
This table allows selecting network objects that enable several authentications from the same IP address. This allows, for example, accessing applications and data from a remote computer (TSE server) by applying user-based filtering.
You can Add or Delete a multi-user object by clicking on the corresponding buttons.
Some operations listed in the taskbar can be performed by right-clicking on the table of multi-user objects: