
Services

Select the authentication servers for the firewall and other services such as VPN. You can configure global authentication settings, as well as settings for Kerberos and NTLM, web client, and RADIUS single sign-on. Web policy actions let you specify where to direct unauthenticated users.

Note

You can only select a maximum of 20 authentication servers for each authentication method.

Firewall authentication methods

Authentication server to use for firewall connections.

Authentication server list: Configured authentication servers.

Selected authentication server: Server to use for authentication. To authenticate users for this service, you must select at least one server. You can specify an external server or the local database, that is, the users and groups you have configured on the firewall. When more than one server is selected, the authentication request is forwarded to each server in the order indicated.

Default group: Group to use for authenticating users who are not defined in the firewall. Users who are not included in a local group will be assigned to the default group.

VPN authentication methods

Authentication server to use for VPN connections.

Set authentication methods same as firewall: Make all the authentication servers configured for firewall traffic available for VPN traffic authentication.

Authentication server list: Configured authentication servers.

Selected authentication server: Server to use for authentication. To authenticate users for this service, you must select at least one server. You can specify an external server or the local server, that is, the users and groups you have configured on the firewall. If you select more than one server, the authentication request is forwarded in the order indicated.

Make sure the authentication protocol you use for L2TP and PPTP connections is supported by the selected server type, as listed below:

  • Local: PAP, CHAP, or MSCHAPv2
  • Active Directory: PAP
  • RADIUS: PAP, CHAP, or MSCHAPv2
  • LDAP: PAP
  • TACACS+: PAP or CHAP

Administrator authentication methods

Server to use for authenticating administrator users.

Note

Administrator authentication settings do not apply to the super administrator.

Set authentication methods same as firewall: Make all the authentication servers configured for firewall traffic available for administrator authentication.

Authentication server list: Configured authentication servers.

Selected authentication server: Server to use for authentication. To authenticate users for this service, you must select at least one server. You can specify an external server or the local database, that is, the users and groups you have configured on the firewall. When more than one server is selected, the authentication request is forwarded to each server in the order indicated.

SSL VPN authentication methods

Authentication server to use for SSL VPN connections.

Same as VPN: Use the same authentication method as configured for VPN traffic.

Same as firewall: Use the same authentication method as configured for firewall traffic.

Authentication server list: Configured authentication servers.

Selected authentication server: Server to use for authentication. To authenticate users for this service, you must select at least one server. You can specify an external server or the local database, that is, the users and groups you have configured on the firewall. When more than one server is selected, the authentication request is forwarded to each server in the order indicated.

Global settings

Maximum session timeout: Maximum session length for users who have successfully logged in to any service. Once the time has been exceeded, the user will be logged out.

The firewall checks authorization every three minutes. A session can also be cut short by access policies, the surfing quota, the data transfer limit, or the maximum session length.

Simultaneous logins: Maximum number of concurrent sessions allowed to users.

Note

This restriction applies only to users who are added after you set this value.

NTLM settings

Settings for NTLM (Windows Challenge/Response) authentication against Active Directory.

Inactivity time: Inactive or idle time after which the user will be logged out.

Data transfer threshold: Minimum amount of data to be transferred within the inactivity time. If the minimum data is not transferred within the specified time, the user will be marked as inactive.

HTTP challenge redirect on intranet zone: When a site hosted on the internet triggers the NTLM web proxy authentication challenge, redirect that challenge to the Intranet zone. The client is then transparently authenticated through the device's local interface IP, and credentials are exchanged only within the Intranet zone, so they remain protected. If this setting is turned off, the browser transparently authenticates the client through the device by sending the user's credentials over the internet.

Web client settings

Settings for the iOS and Android clients and the API.

Inactivity time: Inactive or idle time after which the user will be logged out.

Data transfer threshold: Minimum amount of data to be transferred within the inactivity time. If the minimum data is not transferred within the specified time, the user will be marked as inactive.
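The NTLM and web client inactivity settings above interact: a session stays active only if at least the threshold amount of data moves within each inactivity window, so a low-volume keepalive trickle does not keep a user logged in. The following sliding-window model is an added illustration, not the firewall's own code; the class name, the sample timestamps and the byte counts are constructed for the example.

```python
from collections import deque


class IdleTracker:
    """Model of the inactivity time / data transfer threshold pair (constructed).

    A user is marked inactive when the bytes transferred within the most
    recent `inactivity_secs` seconds fall below `threshold_bytes`.
    """

    def __init__(self, inactivity_secs, threshold_bytes):
        self.window = inactivity_secs
        self.threshold = threshold_bytes
        self.samples = deque()  # (timestamp, bytes) still inside the window
        self.total = 0          # running sum of bytes inside the window

    def record(self, ts, nbytes):
        """Add a traffic sample, then drop samples that fell out of the window."""
        self.samples.append((ts, nbytes))
        self.total += nbytes
        self._expire(ts)

    def _expire(self, now):
        while self.samples and now - self.samples[0][0] > self.window:
            self.total -= self.samples.popleft()[1]

    def is_inactive(self, now):
        """True when less than the threshold moved during the last window."""
        self._expire(now)
        return self.total < self.threshold


if __name__ == "__main__":
    # Constructed scenario: 180 s inactivity time, 100 KiB threshold.
    t = IdleTracker(180, 100 * 1024)
    t.record(0, 200_000)            # real browsing traffic at t=0
    print(t.is_inactive(60))        # False: window still holds 200 KB
    print(t.is_inactive(200))       # True: that sample has aged out
    t.record(200, 500)              # two small keepalive-sized samples
    t.record(260, 500)
    print(t.is_inactive(300))       # True: 1000 bytes is below threshold
```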

SSO using RADIUS accounting request

Settings for RADIUS single sign-on. The firewall can transparently authenticate users who have already authenticated on a RADIUS server, using the accounting requests the RADIUS client sends.

RADIUS client IPv4: IPv4 address of the RADIUS client. Only requests from the specified IP address will be considered for SSO.

Shared secret: Text string that serves as the password between the client and the server.
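The two settings above are the firewall's only defences against a forged accounting request logging in an attacker-chosen user: the source address must be the configured RADIUS client, and the Request Authenticator must verify under the shared secret (MD5 over the header, sixteen zero octets, the attributes and the secret, per RFC 2866). The code below is an added example that models that intake check; it is not Sophos's implementation, and the packet builder, identifiers and addresses are constructed for the demonstration.

```python
import hashlib
import hmac
import struct

ACCT_REQUEST = 4                       # RADIUS Accounting-Request code
ATTR_USER_NAME, ATTR_FRAMED_IP, ATTR_ACCT_STATUS = 1, 8, 40
STATUS_NAMES = {1: "Start", 2: "Stop", 3: "Interim-Update"}


def _attrs(user, framed_ip, status):
    """Encode User-Name, Framed-IP-Address and Acct-Status-Type as TLVs."""
    ip = bytes(int(o) for o in framed_ip.split("."))
    out = b""
    for t, v in ((ATTR_USER_NAME, user.encode()), (ATTR_FRAMED_IP, ip),
                 (ATTR_ACCT_STATUS, struct.pack("!I", status))):
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out


def build_acct_request(secret, ident, user, framed_ip, status):
    """Constructed Accounting-Request with the RFC 2866 Request Authenticator."""
    attrs = _attrs(user, framed_ip, status)
    head = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(attrs))
    auth = hashlib.md5(head + bytes(16) + attrs + secret).digest()
    return head + auth + attrs


def verify_acct_request(packet, src_ip, client_ip, secret):
    """Return parsed fields for an authentic request from the configured
    RADIUS client, or None if the source, length or authenticator fails."""
    if src_ip != client_ip or len(packet) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCT_REQUEST or length != len(packet):
        return None
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + bytes(16) + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return None                     # wrong shared secret or tampered body
    fields, pos = {}, 0
    while pos + 2 <= len(attrs):
        t, ln = attrs[pos], attrs[pos + 1]
        if ln < 2 or pos + ln > len(attrs):
            return None                 # malformed TLV: reject whole packet
        v = attrs[pos + 2:pos + ln]
        if t == ATTR_USER_NAME:
            fields["user"] = v.decode(errors="replace")
        elif t == ATTR_FRAMED_IP and len(v) == 4:
            fields["ip"] = ".".join(str(b) for b in v)
        elif t == ATTR_ACCT_STATUS and len(v) == 4:
            fields["status"] = STATUS_NAMES.get(struct.unpack("!I", v)[0], "Other")
        pos += ln
    return fields
```

A Start record maps the user to the Framed-IP-Address for the firewall's session table; a Stop record from the same client should remove it.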

Chromebook SSO

Settings for Chromebook single sign-on. The firewall can transparently authenticate users who have already signed in on a Chromebook. To set up Chromebook SSO authentication, follow the instructions in Configure Chromebook single sign-on.

Domain: The domain name as registered with Google Workspace.

Port: The port number Chromebooks connect to from the LAN or Wi-Fi.

Certificate: The certificate used for communication with the Chromebooks. It must meet the following requirements:

  • It must have a private key.
  • It must have an associated CA installed.
  • The certificate's common name (CN) must match the Chromebook users' zone or network, for example gateway.example.com.

Logging level: Amount of detail to record in the Chromebook SSO log.
