Configuring authentication

Go to Configuration > Users > Authentication.

Connecting the SNS firewall to a directory

The SNS firewall must be connected to a directory so that the lists of users and user groups appear in the firewall's modules. To check whether it is connected, go to the Available methods tab and see whether LDAP appears in the grid of methods.

  • If the LDAP method appears: the SNS firewall is already connected to a directory. Continue to Adding RADIUS as an authentication method.

  • If the LDAP method does not appear: the SNS firewall is not connected to a directory. Click on Add a method > LDAP, confirm your choice to create a directory and follow the instructions given. Refer to the SNS v4 user guide.

Adding RADIUS as an authentication method

For the SSL VPN, RADIUS makes it possible to connect the SNS firewall to a RADIUS server, which is in turn connected to a multifactor authentication solution. Continue depending on whether you use multifactor authentication.

  • If you are not using multifactor authentication: continue to Configuring the authentication policy.

  • If you are using multifactor authentication: click on Add a method > RADIUS and follow the instructions given. Refer to the SNS v4 user guide.
    If you are using multifactor authentication in Push mode, you must raise the RADIUS timeout so that users have enough time to approve the push notification before the SNS firewall abandons the request. The timeout values are expressed in milliseconds; for a 30-second timeout, for example, use these CLI/serverd commands:

    CONFIG AUTH RADIUS timeout=30000
    CONFIG AUTH RADIUS btimeout=30000
    CONFIG AUTH ACTIVATE
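The effect of that timeout can be seen by simulating the exchange. The following Python script is an added example, not part of this technical note or of Stormshield's software: it implements a minimal RFC 2865 RADIUS client and a loopback server that delays its Access-Accept as if it were waiting for the user to approve a push notification. The shared secret, user name, password, port and delays are constructed values. With a short client timeout the request is abandoned before the accept arrives; with the 30000 ms value used above it succeeds. The client also checks the identifier, length and Response Authenticator of the reply, so a forged or mismatched response is not taken as a successful authentication.

```python
import hashlib, hmac, os, socket, struct, threading, time

# Constructed values for the simulation; not a real deployment's secret or user list.
SECRET = b"constructed-shared-secret"
USERS = {b"alice": b"s3cret"}
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2  # RFC 2865 attribute types

def attr(atype, value):
    """Encode one Type-Length-Value RADIUS attribute."""
    return bytes([atype, len(value) + 2]) + value

def parse_attrs(data):
    """Decode TLV attributes into {type: value}; stop on a malformed length."""
    attrs, i = {}, 0
    while i + 2 <= len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            break
        attrs[atype], i = data[i + 2:i + alen], i + alen
    return attrs

def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    password += b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(password), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(password[i:i + 16], key))
        out += prev
    return out

def reveal_password(hidden, secret, req_auth):
    """Inverse of hide_password, as the RADIUS server computes it."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(ident, user, password, secret):
    req_auth = os.urandom(16)  # Request Authenticator: fresh random bytes per request
    attrs = attr(USER_NAME, user) + attr(USER_PASSWORD, hide_password(password, secret, req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs, req_auth

def build_response(code, ident, req_auth, secret, attrs=b""):
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs

def verify_response(pkt, ident, req_auth, secret):
    """Check identifier, length and Response Authenticator before trusting the Code field."""
    if len(pkt) < 20:
        return False
    _code, rid, length = struct.unpack("!BBH", pkt[:4])
    if rid != ident or length != len(pkt):
        return False
    expected = hashlib.md5(pkt[:4] + req_auth + pkt[20:] + secret).digest()
    return hmac.compare_digest(expected, pkt[4:20])

def run_mfa_server(sock, push_delay_s, secret, users):
    """One-shot server: check the password, then wait as if a push approval were pending."""
    data, peer = sock.recvfrom(4096)
    ident, req_auth, attrs = data[1], data[4:20], parse_attrs(data[20:])
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, req_auth)
    time.sleep(push_delay_s)  # the user approving the push notification on their phone
    code = ACCESS_ACCEPT if users.get(attrs.get(USER_NAME)) == password else ACCESS_REJECT
    sock.sendto(build_response(code, ident, req_auth, secret), peer)

def radius_auth(server_addr, user, password, secret, timeout_ms):
    """Client side; returns 'accept', 'reject', 'timeout' or 'bad-authenticator'."""
    ident = 0x2A
    pkt, req_auth = build_access_request(ident, user, password, secret)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout_ms / 1000)  # same millisecond unit as the serverd timeout= value
    try:
        sock.sendto(pkt, server_addr)
        resp, _ = sock.recvfrom(4096)
    except socket.timeout:
        return "timeout"
    finally:
        sock.close()
    if not verify_response(resp, ident, req_auth, secret):
        return "bad-authenticator"
    return "accept" if resp[0] == ACCESS_ACCEPT else "reject"

def simulate(push_delay_s, timeout_ms, user=b"alice", password=b"s3cret"):
    """Run client and simulated MFA-backed server on loopback; return the client's verdict."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    t = threading.Thread(target=run_mfa_server, args=(srv, push_delay_s, SECRET, USERS), daemon=True)
    t.start()
    verdict = radius_auth(srv.getsockname(), user, password, SECRET, timeout_ms)
    t.join()
    srv.close()
    return verdict

if __name__ == "__main__":
    print("push 1 s, timeout 300 ms  :", simulate(1.0, 300))     # client gives up first
    print("push 1 s, timeout 30000 ms:", simulate(1.0, 30000))   # push approval arrives in time
```

Run it as a script to see the two outcomes side by side. The one-second push delay stands in for the time a real user takes to tap Approve; in production that can be much longer, which is why the timeout must cover the whole approval window rather than only the network round trip.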

Configuring the authentication policy

The configuration of the authentication policy depends on the default method that the SNS firewall uses and the method that will be used to authenticate SSL VPN connections.

Checking the default method used on the SNS firewall

  1. Go to the Authentication policy tab.

  2. In the Default method area, identify the method specified in the Method to use if no rules match field.

Configuring the authentication policy

Continue according to the use case that applies to you.

The firewall uses the default LDAP method and I use only this method

This is the simplest possible configuration: users authenticate with the LDAP method only, without multifactor authentication, TOTP or any other additional method. The current configuration of the SNS firewall is sufficient. Continue to Configuring the captive portal.

In all other cases

In every other case, for example if you restrict authentication to what is strictly necessary (Block by default), or if you use multifactor authentication or TOTPs, you must add two rules to the authentication policy: one for the connections through which users retrieve the VPN configuration and reach the captive portal, and one for the connections that set up SSL VPN tunnels.

Add the first rule:

  1. Click on New rule > Standard rule.

  2. In the User tab, User or group field: select the relevant user group. Any user@ applies to all users on the domain.

  3. In the Source tab: click on Add an interface and select the external interface through which users authenticate (e.g. out).

  4. In the Authentication methods tab, in the grid:

    • Select the Default method row and click on Delete.

    • Click on Authorize a method and select the method to use for connections that allow the VPN configuration to be retrieved (see Specific characteristics of SN SSL VPN Client), and connections to the SNS firewall's captive portal (LDAP, RADIUS, etc.).

Add the second rule:

  1. Click on New rule > Standard rule.

  2. In the User tab, User or group field: select the relevant user group. Any user@ applies to all users on the domain.

  3. In the Source tab: click on Add an interface and select SSL VPN.

  4. In the Authentication methods tab, in the grid:

    • Select the Default method row and click on Delete.

    • Click on Authorize a method and select the method to use for connections that allow SSL VPN tunnels to be set up (LDAP, RADIUS, etc.).

NOTE
You can also define separate rules for different user groups to strengthen security. During authentication, rules are evaluated in the order in which they appear in the list, so a rule for a specific group must be placed above a more general rule that would also match its users.

Configuring the captive portal

In the Captive portal tab, in the Authentication profile and interface match grid:

  1. Click on Add.

  2. In the Interface column: select SSL VPN.

  3. In the Default method or directory column: check that the directory is the right one:

    • If it is the right directory: the profile selected by default is already correctly pre-configured. Continue to Assigning access privileges to the SSL VPN.

    • If it is not the right directory: select another profile, such as default05, and go to the Captive portal profiles tab. Select the new profile, choose the right directory from the Default method or directory field and enable the captive portal in the Advanced properties section.