Configuring authentication
Go to Configuration > Users > Authentication.
Multifactor authentication and zero trust network access (ZTNA)
You can see which methods have been enabled in the Available methods tab.
Multifactor authentication using the Stormshield TOTP solution
The TOTP method has to be enabled and configured in advance. For more information, refer to the technical note Configuring and using the Stormshield TOTP solution.
Multifactor authentication using a third-party solution and a RADIUS server
The third-party multifactor authentication solution connected to your RADIUS server has to be configured in advance. The RADIUS method that makes it possible to connect the SNS firewall to your RADIUS server also has to be enabled and configured in advance. For more information, refer to the section on Authentication in the user guide of the SNS version used.
The default idle timeout allowed to connect to a RADIUS server is 3000 milliseconds (3 seconds). When a Push mode multifactor authentication method is used, you need to change this timeout to give users enough time to authenticate. For a 30-second timeout, for example, use the following CLI/serverd commands:
CONFIG AUTH RADIUS timeout=30000 btimeout=30000
CONFIG AUTH ACTIVATE
Zero trust network access (ZTNA)
A method enabling the verification of user identities through multifactor authentication has to be configured in advance. For more information, refer to the above examples.
Configuring the authentication policy
In the Authentication policy tab, you will see the Method to use if no rules match. Proceed accordingly.
The firewall uses the default LDAP method and I use only this method
The current configuration will suffice. Continue to Configuring the captive portal.
In all other cases
In all other cases (authentication restricted to only what is necessary, use of multifactor authentication, etc.), you need to add at least two rules by clicking on New rule > Standard rule.
For greater security, you can set specific rules for different user groups. Do note that during authentication, rules will be scanned in the order of their appearance in the list.
For the first rule:
- In the User tab, User or group field: select the relevant user group. Any user@ applies to all users on the domain.
- In the Source tab, add the external interface through which users authenticate (e.g. out).
- In the Authentication methods tab, delete the Default method row and enable the method (LDAP, RADIUS, etc.) that makes it possible to connect to the firewall's captive portal and retrieve the VPN configuration. Set the selector to ON if the TOTP must be used.
For the second rule:
- In the User tab, User or group field: select the relevant user group. Any user@ applies to all users on the domain.
- In the Source tab, add the SSL VPN interface.
- In the Authentication methods tab, delete the Default method row and enable the method (LDAP, RADIUS) that makes it possible to set up SSL VPN tunnels. Set the selector to ON if the TOTP must be used.
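The following is an added example, not Stormshield code: a first-match model of the authentication policy described above, useful for checking rule ordering before committing a configuration. The interface names (out, sslvpn), group names and the fallback method are assumptions chosen for the example.

```python
# Added example (not SNS firewall code): models "rules are scanned in the
# order of their appearance" and the "Method to use if no rules match".
from dataclasses import dataclass

DEFAULT_METHOD = "LDAP"  # assumed "Method to use if no rules match"


@dataclass
class Rule:
    users: set      # group names, or {"Any user@"} for all users on the domain
    sources: set    # source interfaces from the Source tab
    methods: list   # methods enabled in the Authentication methods tab
    totp: bool = False  # TOTP selector ON/OFF


def matches(rule, user_groups, source):
    user_ok = "Any user@" in rule.users or bool(rule.users & user_groups)
    return user_ok and source in rule.sources


def resolve(policy, user_groups, source):
    """Return (methods, totp) of the first matching rule, else the default."""
    for rule in policy:
        if matches(rule, user_groups, source):
            return rule.methods, rule.totp
    return [DEFAULT_METHOD], False


def shadowed(policy):
    """Indices of rules that can never match because an earlier rule already
    covers every user and every source interface they apply to."""
    dead = []
    for i, later in enumerate(policy):
        for earlier in policy[:i]:
            users_covered = "Any user@" in earlier.users or later.users <= earlier.users
            if users_covered and later.sources <= earlier.sources:
                dead.append(i)
                break
    return dead


# The two rules of this note: captive portal on "out" with TOTP, SSL VPN
# tunnels on the SSL VPN interface (constructed sample policy).
POLICY = [
    Rule({"vpn-users"}, {"out"}, ["LDAP"], totp=True),
    Rule({"vpn-users"}, {"sslvpn"}, ["LDAP"]),
]

# Ordering pitfall: a broad "Any user@" rule placed first makes the stricter
# admin rule dead, so admins never get the RADIUS + TOTP step.
BAD_ORDER = [
    Rule({"Any user@"}, {"out"}, ["LDAP"]),
    Rule({"admins"}, {"out"}, ["RADIUS"], totp=True),
]
```

Run `shadowed()` over a policy before applying it: any index it returns is a rule that will never be evaluated.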
Configuring the captive portal
The configuration of this portal can be found in the Captive portal tab.
Authentication profile and interface match
- In the Authentication profile and interface match grid, click on Add.
- In the Interface column, select the SSL VPN clients' source interface. If you are using a PPPoE or VLAN interface, select it instead of the physical parent interface.
- In the Default method or directory column, if the directory entered corresponds to the directory of the users connecting to the SSL VPN, these users will be able to connect simply by entering their login in the connection window. Otherwise, they will need to enter their login and the domain in question (login@domain.tld).
You can edit the configuration so that these users no longer need to specify the relevant domain in addition to their login:
- In the Captive Portal tab, select another profile (e.g. default05),
- In the Captive portal profiles tab, select this other profile, choose the right directory from the Default method or directory field, and then enable the captive portal in the Advanced properties section.
SSL server - Captive portal certificate (private key)
You can select the certificate presented by the captive portal in the Certificate (private key) field. The icon indicates certificates with a TPM-protected private key.
If any one of these criteria applies to the selected certificate, a window will appear during each user's initial connection, to indicate that the certificate is not trusted:
- The certificate was not signed by a qualified certification authority,
- The certification authority has not been deployed on users' workstations,
- The certificate's CN does not match the firewall address that is used for connections to the SSL VPN.
Each user will then need to indicate that they trust the certificate in order to log in. Although this message does not prevent users from proceeding, we recommend explaining to your users when they should or should not expect to see it. For example, this message will appear if you are using the self-signed certificate that was created when the SNS firewall was initialized, and which the firewall presents by default.