Configuring the authentication policy

This section explains how to configure the authentication policy required to set up SSL VPN tunnels. You can click on Apply at any time to save your changes.

  1. Go to Configuration > Users > Authentication, Authentication policy tab.

  2. Identify the Method to use if no rules match.

Screenshot showing an example of an authentication policy on an SNS firewall in version 5. The method to use if no rules match is framed in red.

Proceed accordingly.

Case 1: The "LDAP" method is selected and only this method is used on the SNS firewall

The current configuration of the authentication policy will suffice. Continue to Configuring the captive portal.

Case 2: In all other cases

In all other cases (for example, the method used if no rules match is not LDAP, several authentication methods are in use, or multifactor authentication is required), you need to add at least two rules to the authentication policy to allow users to authenticate with the Stormshield SSL VPN client and set up SSL VPN tunnels.

For stronger security, we recommend creating these two rules for each user group that is setting up SSL VPN tunnels with the SNS firewall. However, you can also choose to create only two rules for all users, with no particular distinction.

The first rule allows users and Stormshield SSL VPN clients that are configured in Stormshield mode to connect to the SNS firewall's captive portal. Stormshield SSL VPN clients can then automatically retrieve the SSL VPN configuration, and send information that enables the SNS firewall to verify the client workstation's compliance (ZTNA).

  1. Click on New rule > Standard rule.

  2. In the User tab, select a user or user group from an SNS firewall directory (such as finance@domain.tld). To select all the users in a directory, set Any user@domain.tld. On SNS in version 5, you can also select all users from all SNS firewall directories by selecting All users (any).

  3. In the Source tab, add the source interface of SSL VPN connections (e.g. out).

  4. In the Authentication methods tab:

    1. Delete the Default method row.

    2. Enable the method allowing users and Stormshield SSL VPN clients to connect to the SNS firewall's captive portal, e.g., LDAP or RADIUS.

    3. If a multifactor authentication method is used (authentication with a one-time password), set the One-time password selector to ON.

  5. Click on OK.

The second rule allows users to set up SSL VPN tunnels from their SSL VPN clients to the SNS firewall.

  1. Click on New rule > Standard rule.

  2. In the User tab, select the same user or user group as the one in the first rule.

  3. In the Source tab, add the SSL VPN interface.

  4. In the Authentication methods tab:

    1. Delete the Default method row.

    2. Enable the method allowing users to set up SSL VPN tunnels from their SSL VPN clients to the SNS firewall, e.g., LDAP or RADIUS.

    3. If a multifactor authentication method is used (authentication with a one-time password), set the One-time password selector to ON.

  5. Click on OK.

NOTE
During an authentication on the SNS firewall, rules in the authentication policy are evaluated in the order in which they appear in the list, and the first rule that matches the user and source applies. Make sure the two SSL VPN rules are placed above any broader rule (for example, a rule matching Any user on any interface with the One-time password selector set to OFF); otherwise that broader rule matches first and the SSL VPN rules, including their multifactor requirement, are never applied.
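The following is an added example written for this page, not Stormshield code, and it does not reproduce the SNS firewall's own matching engine. It is a small model of top-to-bottom, first-match evaluation of an authentication policy, using simplified rule fields (User selector, source interface, method, One-time password) and constructed sample rules that follow the two-rule pattern above. It also includes a check for rules that can never be reached because an earlier, broader rule covers them, which is the ordering mistake described in the note.

```python
"""Added example for this page: a model of ordered (first-match) evaluation of an
authentication policy, plus a check for rules shadowed by earlier, broader rules.
Illustrative code written for this article, not Stormshield SNS code; the Rule
fields and matching semantics are simplified assumptions derived only from the
statement that rules are scanned in the order they appear in the list."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    name: str
    users: str         # "finance@domain.tld", "any@domain.tld" (Any user@domain) or "any" (All users)
    source: str        # source interface such as "out" or "sslvpn", or "any"
    method: str        # e.g. "LDAP" or "RADIUS"
    otp: bool = False  # One-time password selector (True = ON)


def users_cover(selector: str, user: str, groups: frozenset) -> bool:
    """Does a rule's User selector match this user (or one of the user's groups)?"""
    if selector == "any":
        return True
    name, _, domain = selector.partition("@")
    if name == "any":                       # Any user@domain.tld
        return user.endswith("@" + domain)
    return selector == user or selector in groups


def first_match(policy: List[Rule], user: str, groups: frozenset, source: str) -> Optional[Rule]:
    """Return the first rule matching (user, source); None means the
    'method to use if no rules match' applies."""
    for rule in policy:
        if users_cover(rule.users, user, groups) and rule.source in ("any", source):
            return rule
    return None


def selector_covers(wide: str, narrow: str) -> bool:
    """Does User selector `wide` match every user that `narrow` matches?"""
    if wide == "any" or wide == narrow:
        return True
    wide_name, _, wide_domain = wide.partition("@")
    _, _, narrow_domain = narrow.partition("@")
    return wide_name == "any" and wide_domain == narrow_domain


def shadowed_rules(policy: List[Rule]) -> List[str]:
    """Names of rules that can never be reached because an earlier rule
    matches every (user, source) they would match."""
    shadowed = []
    for i, rule in enumerate(policy):
        for earlier in policy[:i]:
            if selector_covers(earlier.users, rule.users) and earlier.source in ("any", rule.source):
                shadowed.append(rule.name)
                break
    return shadowed


# Constructed sample policy following the two-rule pattern described on this page
# (hypothetical interface names "out" and "sslvpn", hypothetical group finance@domain.tld).
FINANCE = "finance@domain.tld"
GOOD_POLICY = [
    Rule("sslvpn-portal", FINANCE, "out", "LDAP", otp=True),     # rule 1: captive portal
    Rule("sslvpn-tunnel", FINANCE, "sslvpn", "LDAP", otp=True),  # rule 2: tunnel set-up
]
# The same two rules, but a broad rule without OTP was left above them.
SHADOWED_POLICY = [Rule("catch-all", "any", "any", "LDAP", otp=False)] + GOOD_POLICY


if __name__ == "__main__":
    alice, alice_groups = "alice@domain.tld", frozenset({FINANCE})
    for label, policy in (("good", GOOD_POLICY), ("shadowed", SHADOWED_POLICY)):
        hit = first_match(policy, alice, alice_groups, "sslvpn")
        print(label, "-> rule:", hit.name if hit else None,
              "| OTP required:", hit.otp if hit else "n/a",
              "| unreachable rules:", shadowed_rules(policy))
```

Running it shows that with the broad rule on top, an SSL VPN connection from the tunnel interface is handled by the catch-all rule with no one-time password, and both SSL VPN rules are reported as unreachable; with the rules ordered as described above, the tunnel rule matches and multifactor authentication is enforced.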