The authentication feature allows users to identify themselves with a login and password, or through a seamless process (SSO / certificate). To do so, the feature may use an LDAP (Lightweight Directory Access Protocol) database that stores user profiles as well as the associated X.509 certificate.
Once authentication succeeds, the user's login is associated with the host from which the user logged on (this information is stored in the ASQ's user table) and with all IP packets that originate from that host, for the duration that the user or administrator has specified, depending on the method used.
To take effect, the methods configured (1st tab) must be explicitly specified in the authentication policy rules (2nd tab).
The Authentication module contains 4 tabs:
- Available methods: this tab lets you select and configure one or several authentication methods on the firewall so that the firewall can apply the security policy. The administrator may also require authentication in order to record the identity of the host's user in the logs. Several methods can be configured in this section, as the authentication policy allows the use of several methods, which are then evaluated in order when authentication is processed.
- Authentication policy: this tab allows specifying the methods according to the source of the request and defining the order of the authentication methods to apply.
- Captive portal: this tab enables configuration of access to the captive portal from various interfaces, as well as the different settings relating to it (SSL access, authentication, proxy). It also allows you to customize the display of the captive portal.
- Captive portal profiles: this tab makes it possible to manage several authentication profiles that the captive portal can use. For example, these profiles enable the selection of the type of account used (temporary accounts, users declared in the internal LDAP directory, etc.) or the allowed authentication durations.
The captive portal has to be enabled for all authentication methods, except for SSO.
For issues relating to multi-user networks and authentication by transparent or explicit proxies, please refer to the section Transparent or explicit HTTP proxy and multi-user objects.