Configuring authentication
Although some of the items mentioned in Requirements have already been configured, take some time to double-check them.
Go to Configuration > Users > Authentication.
Multifactor authentication and zero trust network access (ZTNA)
When both multifactor authentication and zero trust network access are used, you must first configure the authentication method (TOTP or RADIUS) through which the chosen multifactor authentication solution is used. You can check the settings in the Available methods tab.
Multifactor authentication using the Stormshield TOTP solution
The TOTP method has to be configured in advance. For more information, refer to the technical note Configuring and using the Stormshield TOTP solution.
Multifactor authentication using a third-party solution and a RADIUS server
The following have to be configured in advance:
- The third-party multifactor authentication solution connected to your RADIUS server.
- The RADIUS method that makes it possible to connect the SNS firewall to your RADIUS server. For more information on the configuration of the RADIUS method, refer to the section on Authentication in the user guide of the SNS version used.
The default idle timeout allowed to connect to a RADIUS server is 3000 milliseconds (3 seconds). When a Push mode multifactor authentication method is used, you need to change this timeout to give users enough time to authenticate. For a 30-second timeout, for example, use the following CLI/serverd commands:
CONFIG AUTH RADIUS timeout=30000 btimeout=30000
CONFIG AUTH ACTIVATE
Zero trust network access (ZTNA)
As the implementation of zero trust network access requires user verification through multifactor authentication, you have to configure the TOTP or RADIUS method in advance. For more information, refer to the above examples.
Configuring the authentication policy
In the Authentication policy tab, you will see the Method to use if no rules match field. Proceed accordingly.
The firewall uses the default LDAP method and I use only this method
The current configuration will suffice. Continue to Configuring the captive portal.
In all other cases
In all other cases (authentication restricted to only what is necessary, use of multifactor authentication, etc.), you need to add at least two rules by clicking on New rule > Standard rule.
For greater security, you can set specific rules for different user groups. Do note that during authentication, rules will be scanned in the order of their appearance in the list.
For the first rule:
- In the User tab, User or group field: select the relevant user group. Any user@ applies to all users on the domain,
- In the Source tab, add the external interface through which users authenticate (e.g. out).
- In the Authentication methods tab:
  - Delete the Default method row and enable the method (LDAP, RADIUS, etc.) that makes it possible to connect to the firewall's captive portal and retrieve the VPN configuration,
  - When the Stormshield TOTP solution is used, set the use of a one-time password to "On".
For the second rule:
- In the User tab, User or group field: select the relevant user group. Any user@ applies to all users on the domain,
- In the Source tab, add the SSL VPN interface.
- In the Authentication methods tab:
  - Delete the Default method row and enable the method (LDAP, RADIUS, etc.) that makes it possible to set up SSL VPN tunnels,
  - When the Stormshield TOTP solution is used, set the use of a one-time password to "On".
Configuring the captive portal
Authentication profile and interface match
- In the Captive portal tab, Authentication profile and interface match grid, click on Add.
- In the Interface column, select the SSL VPN clients' source interface. If you are using a PPPoE or VLAN interface, select it instead of the physical parent interface.
- In the Default method or directory column, check the directory entered:
  - If it matches the directory used by users who connect to the SSL VPN, this means that the profile was correctly pre-configured. In the SSL VPN client connection window, users can simply indicate their IDs to log in,
  - Otherwise, users will need to enter the relevant domain in addition to their logins (e.g., login@domain.tld). To change this setting:
    - Select another profile (e.g., default05),
    - Go to the Captive portal profiles tab and select the other profile,
    - Select the right directory in the Default method or directory field,
    - Enable the captive portal in the Advanced properties section.
SSL server - Captive portal certificate (private key)
You can select the certificate presented by the SNS firewall's captive portal in the relevant field.
If any of the following applies to the selected certificate:
- The certificate was not signed by a qualified certification authority,
- The certification authority has not been deployed on users' workstations,
- The certificate's CN does not match the firewall address that will be used for connections to the SSL VPN,
then, during the initial connection to the SSL VPN, affected users will see a window indicating that the certificate is not trusted. They will need to accept the certificate as trusted in order to log in. Although this message does not prevent users from proceeding, we recommend explaining to your users when they should or should not expect to see it.
For example, this message will appear if you are using the self-signed certificate that was created when the SNS firewall was initialized and that the firewall presents by default.
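The following script is an added example and is not part of the Stormshield technical note. It checks a captive portal certificate against the three criteria above before users are exposed to the "certificate not trusted" prompt. It assumes the openssl command-line tool is installed, that a PEM bundle (assumed name: ca_bundle) represents the certification authorities deployed on users' workstations, and that fw_address is the address users type into the SSL VPN client. The certificate it generates is constructed for the demonstration and stands in for the self-signed certificate created at firewall initialization.

```shell
#!/bin/sh
# Added example (not from the Stormshield technical note). Assumes the openssl CLI.

# Generate a constructed self-signed certificate in dir with the given common name
# (models the certificate the firewall presents by default). Prints the cert path.
make_demo_cert() {
  dir="$1"; cn="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$cn" -addext "subjectAltName=DNS:$cn" \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
  echo "$dir/cert.pem"
}

# Return 0 when a workstation trusting ca_bundle and connecting to fw_address
# would accept cert without a prompt; return 1 (printing the reason) otherwise.
check_portal_cert() {
  cert="$1"; ca_bundle="$2"; fw_address="$3"
  rc=0
  # Criteria 1 and 2: the chain must validate against the CAs the workstations
  # trust. A self-signed firewall certificate only passes if it is in the bundle.
  if ! openssl verify -CAfile "$ca_bundle" "$cert" >/dev/null 2>&1; then
    echo "NOT TRUSTED: chain does not validate against $ca_bundle"
    rc=1
  fi
  # Criterion 3: the certificate's SAN/CN must match the address users connect to.
  if ! openssl x509 -in "$cert" -noout -checkhost "$fw_address" | grep -q "does match"; then
    echo "NAME MISMATCH: certificate is not valid for $fw_address"
    rc=1
  fi
  return $rc
}

# Demo with constructed names: the firewall's own self-signed certificate passes
# only when it has itself been deployed as a trusted CA on the workstations.
tmp=$(mktemp -d)
mkdir "$tmp/fw" "$tmp/other"
fw_cert=$(make_demo_cert "$tmp/fw" "vpn.example.com")
other_ca=$(make_demo_cert "$tmp/other" "ca.example.org")
check_portal_cert "$fw_cert" "$fw_cert" "vpn.example.com" && echo "OK: no prompt expected"
check_portal_cert "$fw_cert" "$other_ca" "vpn.example.com" || echo "users will be prompted"
```

Run it against the certificate exported from the firewall and the CA bundle actually pushed to workstations; a NAME MISMATCH result means users connecting to that address will be prompted even if the CA is trusted.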