The Definitions & Users > Authentication Services > Global Settings tab lets you configure basic authentication options. The following options are available:
Create users automatically: When this option is selected, Sophos UTM will automatically create a user object whenever unknown users of a configured backend group successfully authenticate against one of the various authentication services supported by Sophos UTM. For example, if you configure a RADIUS backend group and you add this group as a member to one of the roles defined on the Management > WebAdmin Settings > Access Control tab, Sophos UTM will automatically create a user definition for RADIUS users who have successfully logged in to WebAdmin.
Note – To use the Sophos Transparent Authentication Suite, you need to enable the automatic user creation for STAS.
Automatic User Creation for Facilities: Automatic user creation can be enabled or disabled for specific services. Users are only created for enabled services. This option is not available—and automatic user creation is disabled for all facilities—when the Create users automatically option is not selected.
Note – This feature does not work for Active Directory Single Sign-On (SSO).
Important Note – Authentication (i.e., the action of determining who a user is) and authorization (i.e., the action of determining what a user is allowed to do) for users whose user object was created automatically are always done on the remote backend server/directory service. Therefore, automatically created user objects in Sophos UTM are useless if the corresponding backend server is not available or if the user object has been deleted on the remote site.
Every time Sophos UTM receives a user request (e.g., HTTP) from a not-yet-known user and authentication is required, the Sophos User Authentication (SUA) writes an entry to the authentication cache. In environments with frequently changing users, it can be reasonable to empty the cache from time to time. You may also want to empty it to force an immediate new authentication for all users. Use the Flush Authentication Cache button to empty the authentication cache.
An authentication is valid for 300 seconds. During this time, other authentication requests by the same user are looked up directly in the cache. This technique takes load off backend authentication services like eDirectory.
Note – Flushing the cache does not affect users that are remotely logged on.
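The caching behaviour described above, modelled as an added example (not Sophos UTM code; the class names, the sample account and the choice to cache only successful logins are assumptions). In this model the cache saves backend lookups, but an account removed on the backend is still accepted from the cache until the 300 seconds elapse or the cache is flushed.

```python
import hashlib

CACHE_TTL = 300  # seconds an authentication stays valid, per the text above


class Backend:
    """Stand-in for a remote directory service (constructed sample data)."""

    def __init__(self, users):
        self.users = dict(users)  # username -> password
        self.lookups = 0          # how often the backend was actually queried

    def verify(self, user, password):
        self.lookups += 1
        return self.users.get(user) == password


class AuthCache:
    """Hypothetical model of a time-limited authentication cache."""

    def __init__(self, backend, ttl=CACHE_TTL):
        self.backend, self.ttl = backend, ttl
        self.entries = {}  # credential digest -> expiry time

    def authenticate(self, user, password, now):
        # Key on a digest so the model never stores the plaintext password.
        key = hashlib.sha256(f"{user}\0{password}".encode()).hexdigest()
        expiry = self.entries.get(key)
        if expiry is not None and now < expiry:
            return True  # answered from the cache, backend not contacted
        self.entries.pop(key, None)  # drop an expired entry, if any
        if self.backend.verify(user, password):
            self.entries[key] = now + self.ttl  # cache successes only
            return True
        return False

    def flush(self):
        """Models the Flush Authentication Cache button."""
        self.entries.clear()


def demo():
    backend = Backend({"alice": "s3cret"})  # constructed account
    cache = AuthCache(backend)
    results = [cache.authenticate("alice", "s3cret", now=0)]        # backend
    results.append(cache.authenticate("alice", "s3cret", now=120))  # cache
    del backend.users["alice"]  # account removed on the backend
    results.append(cache.authenticate("alice", "s3cret", now=200))  # stale hit
    results.append(cache.authenticate("alice", "s3cret", now=301))  # expired
    return results, backend.lookups
```
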
Open Live Log: Click the button to see the log of the Sophos User Authentication (SUA) in a new window.
© 2019 Sophos Limited | Sophos UTM 9.600