Configuring authentication

Go to Configuration > Users > Authentication.

Adding RADIUS as an authentication method (optional)

If you are using multifactor authentication for SSL VPN connections, RADIUS makes it possible to connect the SNS firewall to your RADIUS server (configured beforehand), which is itself connected to your multifactor authentication solution (configured beforehand).

  1. Go to the Available methods tab.

  2. Click on Add a method or Enable a method, then click on RADIUS.

  3. Follow the instructions. For more information on which fields to enter, refer to the section on Authentication in the v4 or v3 user guide of the SNS version used.

  4. If you are using multifactor authentication in Push mode, you must change the RADIUS timeout to give users enough time to authenticate. For a 30-second timeout, for example, use the following CLI/serverd commands:

    CONFIG AUTH RADIUS timeout=30000
    CONFIG AUTH RADIUS btimeout=30000
    CONFIG AUTH ACTIVATE

Configuring the authentication policy

  1. Go to the Authentication policy tab.

  2. In the Default method area, Method to use if no rules match field, identify the method specified. Proceed accordingly.

The firewall uses the default LDAP method and I use only this method

The current configuration will suffice. Continue to Configuring the captive portal.

In all other cases

In all other cases (restricted only to authentication, the use of multifactor authentication, TOTP, etc.), you must add two rules. You can also set rules for specific user groups to strengthen security. Note that during authentication, rules are scanned in the order in which they appear in the list.

Add the first rule:

  1. Click on New rule > Standard rule.

  2. In the User tab, User or group field: select the relevant user group. Any user@ applies to all users on the domain.

  3. In the Source tab, click on Add an interface and select the external interface through which users authenticate (e.g. out).

  4. In the Authentication methods tab in the grid, select the Default method row and click on Delete.

  5. Click on Authorize a method and select the method (LDAP, RADIUS, etc.) that makes it possible to connect to the firewall's captive portal and retrieve the VPN configuration.

Add the second rule:

  1. Click on New rule > Standard rule.

  2. In the User tab, User or group field: select the relevant user group. Any user@ applies to all users on the domain.

  3. In the Source tab, click on Add an interface and select SSL VPN.

  4. In the Authentication methods tab in the grid, select the Default method row and click on Delete.

  5. Click on Authorize a method and select the method (LDAP, RADIUS, etc.) that makes it possible to set up SSL VPN tunnels.
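The two rules above are evaluated in list order, so their position matters. The following is an added illustration, not Stormshield code: a small first-match model of the policy just built, using constructed rule fields, a constructed domain (example.local), a constructed group (vpn-users) and an assumed "Any user@<domain>" selector notation, to show which method applies for a given user and source interface and why a broad rule placed before a group-specific one hides it.

```python
# Added illustration, not Stormshield code: a first-match model of the
# authentication policy described above. Rule fields, interface names,
# the domain and the group membership table are constructed examples.
from dataclasses import dataclass

@dataclass
class AuthRule:
    users: str        # "Any user@<domain>" or "<group>@<domain>" (assumed notation)
    interface: str    # source interface the rule applies to, e.g. "out" or "SSL VPN"
    methods: tuple    # authentication methods authorized by this rule

DEFAULT_METHOD = ("LDAP",)   # "Method to use if no rules match"

def member_of(user: str, groups: dict, selector: str) -> bool:
    """A selector matches when it is 'Any user@' on the user's domain, or a
    group on that domain that the user belongs to (membership is constructed)."""
    _, _, domain = user.partition("@")
    sel_name, _, sel_domain = selector.partition("@")
    if sel_domain != domain:
        return False
    return sel_name == "Any user" or sel_name in groups.get(user, ())

def select_method(rules, user: str, interface: str, groups: dict) -> tuple:
    """Rules are scanned in list order; the first rule whose interface and
    user selector both match decides. No match falls back to the default."""
    for rule in rules:
        if rule.interface == interface and member_of(user, groups, rule.users):
            return rule.methods
    return DEFAULT_METHOD

# Constructed policy mirroring the page: rule 1 on the external interface
# (captive portal / configuration retrieval), rule 2 on the SSL VPN interface
# (tunnel setup). Both use "Any user@" on the domain.
POLICY = [
    AuthRule("Any user@example.local", "out", ("RADIUS",)),
    AuthRule("Any user@example.local", "SSL VPN", ("LDAP",)),
]
GROUPS = {"alice@example.local": ("vpn-users",), "bob@example.local": ()}

def shadowed_rule_example() -> tuple:
    """A broad 'Any user@' rule placed before a group-specific rule hides it:
    alice gets the broad rule's method. Reversing the order fixes this."""
    wrong = [AuthRule("Any user@example.local", "out", ("LDAP",)),
             AuthRule("vpn-users@example.local", "out", ("RADIUS",))]
    right = list(reversed(wrong))
    return (select_method(wrong, "alice@example.local", "out", GROUPS),
            select_method(right, "alice@example.local", "out", GROUPS))
```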

Configuring the captive portal

  1. Go to the Captive portal tab of the Authentication profile and interface match grid, and click on Add.

  2. In the Interface column, select the SSL VPN clients' source interface. If you are using a PPPoE or VLAN interface, select it instead of the physical parent interface.

  3. In the Default method or directory column, check the directory shown. If it is the right directory, the selected profile is correctly pre-configured. Continue to Assigning access privileges to the SSL VPN.

    If it is not the right directory, select another profile, such as default05, and go to the Captive portal profiles tab. Select this other profile, choose the right directory from the Default method or directory field and enable the captive portal in the Advanced properties section.