Device Configuration : Configure : Authentication : Services
Services
This menu allows you to configure Authentication for Firewall, VPN and Admin traffic. You can also configure Global Settings, NTLM Settings, Web Client Settings, Captive Portal parameters and Radius Client settings for Single Sign-On Server.
* You can also view and manage the authentication status on the Device Configuration > Monitor and Analyze > Diagnostics > Services page.
Once you have deployed the device, a default access policy is applied automatically that allows all network traffic to pass through the device. This lets you monitor user activity in your network under the default policy.
Because the device monitors and logs user activity by IP address, all reports are also generated by IP address. To monitor and log user activity by username or logon name, you must configure the device to integrate user information with the authentication process. Once integrated, the device identifies access requests by username and generates reports by username.
When a user attempts to gain access, the device requests a user name and password and authenticates the user's credentials before granting access. User-level authentication can be performed against the local user database on the device or against an external ADS, LDAP, RADIUS or TACACS+ server.
To set up the user database:
1. Integrate ADS, LDAP, RADIUS or TACACS+ if external authentication is required.
2. Configure local authentication.
3. Register users.
The device provides policy-based filtering, which allows you to define individual filtering plans for the various users of your organization. You can assign individual policies to users, or a single policy to a number of users (a group).
The device detects users as they log on to a Windows domain in your network from client machines. Users are allowed or denied access based on username and password. To authenticate a user, you must select at least one database against which the device authenticates users.
To filter Internet requests based on the assigned policies, the device must be able to identify the user making each request.
The administrator can configure authentication separately for each traffic type (Administrator, Firewall, VPN and SSL VPN), with multiple servers per type.
Below are the screen elements with their description:
Firewall Authentication Methods
Authentication Server List
Select the authentication server(s).
Authentication Server List displays all the configured servers, while Selected Authentication Server List displays the servers that will be used for authentication when a user tries to log in.
If multiple servers are selected, the authentication request is forwarded to them in the order configured in the Selected Authentication Server List.
Default Group
Select the default group for firewall authentication.
VPN (IPSec/L2TP/PPTP) Authentication Methods
Set Authentication Methods Same As Firewall
Enable to use the same authentication method as configured for firewall traffic. If enabled, all the authentication servers configured for firewall traffic are available for VPN traffic authentication.
Authentication Server List displays all the configured servers, while Selected Authentication Server List displays the servers that will be used for authentication when a user tries to log in.
Override the authentication method for VPN traffic by selecting or deselecting any authentication server.
If multiple servers are selected, the authentication request is forwarded to them in the order configured in the Selected Authentication Server List.
If a RADIUS server authenticates users, PPTP and L2TP connections established using the MSCHAPv2 or CHAP protocol can be authenticated through RADIUS.
Administrator Authentication Methods
The administrator can configure and manage authentication settings for all administrator users except the super administrator from this page.
Set Authentication Methods Same As Firewall
Select to use the same authentication method as configured for firewall traffic. If enabled, all the authentication servers configured for firewall traffic are available for administrator traffic authentication.
Authentication Server List displays all the configured servers, while Selected Authentication Server List displays the servers that will be used for authentication when a user tries to log in.
Override the authentication method for administrator traffic by selecting or deselecting any authentication server.
If multiple servers are selected, the authentication request is forwarded to them in the order configured in the Selected Authentication Server List.
Global Settings
Maximum Session Timeout
Specify the timeout duration in minutes.
Acceptable Range (minutes) - 3 to 1440
The authentication session timeout is the time in minutes for which a user remains logged in to the device. When this period expires, the user is logged out automatically and must re-authenticate. This applies to administrative sessions only.
Enable “Unlimited” to allow users to remain logged in indefinitely.
Simultaneous Logins
Specify the maximum number of concurrent logins allowed per user.
Acceptable Range – 1 to 99 concurrent logins
OR
Enable “Unlimited” to allow the user an unlimited number of concurrent logins.
The login restriction applies only to users added after this setting is configured.
NTLM Settings
Inactivity Time
Specify the inactivity time in minutes.
The user inactivity timeout is the idle time in minutes after which the user is logged out and must re-authenticate.
Acceptable Range (Minutes) - 6 to 1440
Default – 6
Data Transfer Threshold
Specify the minimum amount of data, in bytes, that must be transferred.
If less than this amount of data is transferred within the inactivity time, the user is marked as inactive.
Default – 1024 Bytes
HTTP challenge redirect on Intranet Zone
Select to enable or disable redirection of the NTLM HTTP challenge to the Intranet zone.
When a site hosted on the Internet initiates an NTLM web proxy challenge for authentication, the browser transparently authenticates the client through the device by sending the user's credentials over the Internet.
To prevent user credentials from leaving the network, the device redirects the NTLM authentication challenge to the Intranet zone. The client is then transparently authenticated through the device's local interface IP, and credentials are exchanged within the Intranet zone only.
Default - Enable
Web Client Settings (iOS, Android and API)
Inactivity Time
Specify the inactivity time in minutes.
The user inactivity timeout is the idle time in minutes after which the user is logged out and must re-authenticate.
Acceptable Range (Minutes) - 6 to 1440
Default – 6 minutes
Data Transfer Threshold
Specify the minimum amount of data, in bytes, that must be transferred.
If less than this amount of data is transferred within the inactivity time, the user is marked as inactive.
Default – 1024 Bytes
SSO using radius accounting request
The device can transparently authenticate users who have already been authenticated by an external RADIUS server, using the RADIUS accounting requests it receives for them. Use the add and delete controls, or the Edit hyperlink, to manage RADIUS client configurations.
Radius Client IPv4
Specify the IPv4 address of the RADIUS client.
Only accounting requests from the specified IP address are considered for SSO.
Shared Secret
Provide the shared secret used to authenticate requests from this RADIUS client.
Show Shared Secret
Click Show to view the configured shared secret.
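The two checks this section describes (only requests from the configured client IP count, and the shared secret must verify) are what stand between an attacker and a forged "login" for an arbitrary username and IP. The following added example, which is not the device's own code, shows how an Accounting-Request (RFC 2866) is built by a NAS and how an SSO receiver validates the source address and the Request Authenticator with the shared secret before mapping Acct-Start/Acct-Stop to a username-to-IP session table. The client table, secret, usernames and addresses are constructed for the example.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed configuration: one RADIUS client as it would be entered on this
# page (client IPv4 address + shared secret). Both values are made up for the
# example; the secret is not a real credential.
RADIUS_CLIENTS = {
    "192.0.2.10": b"example-shared-secret",
}

# RFC 2865/2866 code and attribute numbers used below.
ACCOUNTING_REQUEST = 4
ATTR_USER_NAME = 1
ATTR_FRAMED_IP_ADDRESS = 8
ATTR_ACCT_STATUS_TYPE = 40
ACCT_START, ACCT_STOP = 1, 2


def _attr(atype, value):
    """Encode one Type-Length-Value attribute."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def build_accounting_request(identifier, secret, username, framed_ip, status):
    """Build an Accounting-Request the way a NAS would (RFC 2866 section 3).
    Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    attrs = (
        _attr(ATTR_USER_NAME, username.encode())
        + _attr(ATTR_FRAMED_IP_ADDRESS, ipaddress.IPv4Address(framed_ip).packed)
        + _attr(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", status))
    )
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def parse_attributes(attrs):
    """Decode the TLV attribute section into {type: raw value}."""
    out, i = {}, 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed attribute")
        out[atype] = attrs[i + 2:i + alen]
        i += alen
    return out


def process_accounting_request(src_ip, packet, sessions, clients=RADIUS_CLIENTS):
    """Apply the two checks the page describes (source IP must be a configured
    client; the shared secret must verify the Request Authenticator), then update
    the SSO table 'sessions' (framed IP -> username). Returns an outcome string."""
    secret = clients.get(src_ip)
    if secret is None:
        return "dropped: unknown client"
    if len(packet) < 20:
        return "dropped: short packet"
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length < 20 or length > len(packet):
        return "dropped: not a well-formed Accounting-Request"
    header, authenticator, attrs = packet[:4], packet[4:20], packet[20:length]
    expected = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    if not hmac.compare_digest(authenticator, expected):
        return "dropped: bad authenticator (shared secret mismatch)"
    a = parse_attributes(attrs)
    needed = (ATTR_USER_NAME, ATTR_FRAMED_IP_ADDRESS, ATTR_ACCT_STATUS_TYPE)
    if any(t not in a for t in needed):
        return "ignored: missing User-Name, Framed-IP-Address or Acct-Status-Type"
    user = a[ATTR_USER_NAME].decode()
    ip = str(ipaddress.IPv4Address(a[ATTR_FRAMED_IP_ADDRESS]))
    status = struct.unpack("!I", a[ATTR_ACCT_STATUS_TYPE])[0]
    if status == ACCT_START:
        sessions[ip] = user          # the firewall now knows this IP by username
        return f"login {user}@{ip}"
    if status == ACCT_STOP:
        sessions.pop(ip, None)       # identity removed; traffic from ip is anonymous again
        return f"logout {user}@{ip}"
    return "ignored: unsupported Acct-Status-Type"


if __name__ == "__main__":
    table = {}
    secret = RADIUS_CLIENTS["192.0.2.10"]
    pkt = build_accounting_request(1, secret, "alice", "10.0.0.5", ACCT_START)
    print(process_accounting_request("192.0.2.10", pkt, table))
    print(process_accounting_request("198.51.100.7", pkt, table))  # not a configured client
```

The authenticator check matters because the accounting packet itself carries no other proof of origin: UDP source addresses are spoofable, so a receiver that only filtered on client IP would accept any packet that claimed to come from 192.0.2.10. Keep the shared secret long and random, and rotate it if the client is ever rebuilt.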
Captive Portal Settings
Unauthenticated users redirection
Select "Yes" to redirect access requests from unauthenticated users to either the Captive Portal or a Custom Message page.
Select "No" to display an "Access Denied" message to unauthenticated users.
Unauthenticated users settings
Configure where access requests from unauthenticated users should be redirected.
Available Options:
Captive Portal
Custom Message
Select Captive Portal if access requests from unauthenticated users are to be forwarded to the captive portal.
HTTPS Redirection
Enable to provide access to the Captive Portal page over a secure (HTTPS) channel.
User Portal Link
Enable or disable to make the “User Portal” link available on the Captive Portal page.
Default – Enable
URL Redirection after Login
Enable to redirect the request after login to the user-requested page or a custom page.
URL to redirect
If the request is to be redirected to a custom page, click Custom URL and specify the URL; otherwise click User requested URL.
Preserve captive portal after login
Select “Yes” to minimize the captive portal popup once the user is successfully authenticated.
Select “No” to keep the Captive Portal displayed on the screen after successful authentication.
Keep Alive Request For Captive Portal
A keep-alive request is exchanged continually between the device and the user's browser to check whether the user has logged out or is idle. If the device does not receive a response, the user is logged out automatically.
The more concurrent HTTP Captive Portal users there are, the more keep-alive requests are generated. With a large number of concurrent HTTP Captive Portal users, we recommend disabling it.
Default – Enable
If disabled, the user is logged out after the configured inactivity time instead; specify the user inactivity time and data transfer threshold below.
User Inactivity Timeout
The user inactivity timeout is the idle time in minutes after which the user is logged out and must re-authenticate.
Enable and specify the timeout duration in minutes.
Acceptable Range (minutes) - 3 to 1440
Default - Disable
Data Transfer Threshold
Specify the threshold value in bytes for data transfer.
If less than this amount of data is transferred within the inactivity time, the user is marked as inactive.
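The same inactivity rule appears three times on this page (NTLM Settings, Web Client Settings and the Captive Portal settings above): a user is logged out when the inactivity time has elapsed and less than the data transfer threshold was moved in that window. The following added example, not the device's own code, implements that rule with the page's ranges and 1024-byte default, and handles the edge case of a session younger than the window, which gets the full period before it is judged. Usernames, timestamps and byte counts are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class InactivityPolicy:
    """The two knobs the page exposes: inactivity time (minutes) and data transfer threshold (bytes)."""
    inactivity_minutes: int
    data_threshold_bytes: int = 1024   # page default

    def validate(self, lo=3, hi=1440):
        # Page ranges: 3-1440 minutes for the captive portal, 6-1440 for NTLM and web clients.
        if not lo <= self.inactivity_minutes <= hi:
            raise ValueError(f"inactivity time must be {lo}-{hi} minutes")
        if self.data_threshold_bytes < 0:
            raise ValueError("data transfer threshold must be non-negative")
        return self


@dataclass
class UserSession:
    username: str
    login_time: float                              # seconds on any monotonic clock
    samples: list = field(default_factory=list)    # (timestamp, bytes) per observed flow

    def record_traffic(self, ts, nbytes):
        self.samples.append((ts, nbytes))

    def bytes_in_window(self, now, window_s):
        """Bytes seen in the last window_s seconds; older samples are pruned to bound state."""
        cutoff = now - window_s
        self.samples = [(t, b) for t, b in self.samples if t >= cutoff]
        return sum(b for _, b in self.samples)


def is_inactive(session, now, policy):
    """True when the session should be logged out: the full inactivity window has
    elapsed since login and less than the threshold was transferred within it."""
    window_s = policy.inactivity_minutes * 60
    if now - session.login_time < window_s:
        return False   # a fresh session gets the whole window before being judged
    return session.bytes_in_window(now, window_s) < policy.data_threshold_bytes


def expire_sessions(sessions, now, policy):
    """Return the usernames the device would log out at time 'now'; they must re-authenticate."""
    return [s.username for s in sessions if is_inactive(s, now, policy)]


if __name__ == "__main__":
    policy = InactivityPolicy(inactivity_minutes=6).validate()   # 6 min, 1024-byte default
    alice, bob, carol = UserSession("alice", 0), UserSession("bob", 0), UserSession("carol", 300)
    alice.record_traffic(100, 2000)   # constructed traffic samples
    bob.record_traffic(50, 500)       # below the 1024-byte threshold
    print(expire_sessions([alice, bob, carol], now=360, policy=policy))   # bob only
```

Without the byte threshold, a single keep-alive or background poll would keep a session alive indefinitely; the threshold is what turns "no meaningful traffic" into a logout, which is why the page asks for both values whenever keep-alive is disabled.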
Select Custom Message if a custom message is to be displayed to unauthenticated users.
Windows Corporate Client Download Link
Enable to publish a link to download the Windows Corporate Client in the custom message.
Linux Corporate Client Download Link
Enable to publish a link to download the Linux Corporate Client in the custom message.
MAC Corporate Client Download Link
Enable to publish a link to download the MAC Corporate Client in the custom message.
Page Header Image
Display the default image shipped with the device at the top of the custom message page, or use Browse to upload a custom image.
Supported Image format - JPG, PNG or GIF
Size - 700 X 80 pixels
Page Footer Image
Display the default image shipped with the device at the bottom of the custom message page, or use Browse to upload a custom image.
Supported Image format - JPG, PNG or GIF
Size - 700 X 80 pixels
Custom Message
Specify the message. You can customize the message to include the client IP address, category and URL.
Blink Custom Message
Enable Blink Custom Message to display the message as blinking text.
Preview
Preview how the message will be displayed before saving the configuration.
SSL VPN Authentication Methods
Enable to use the same authentication method as configured for VPN or Firewall traffic, or configure authentication servers specifically for SSL VPN.
Authentication Server List displays all the configured servers, while Selected Authentication Server List displays the servers that will be used for authentication when a user tries to log in.
Override the authentication method for SSL VPN traffic by selecting or deselecting any authentication server.
If multiple servers are selected, the authentication request is forwarded to them in the order configured in the Selected Authentication Server List.