Configuring Authentication

Select Configuration > System > Authentication > Default Settings to configure authentication or to bypass authentication and filter web traffic with IP-based policy rules instead.

Single Sign On, which is enabled by default, authenticates on the basis of Active Directory credentials. A second default option, Captive Portal, can be used to authenticate devices, client applications, and users, and to grant alternative access to guest users.

Important Features on the Default Settings tab are not available unless Active Directory is enabled. For more information, see “Configuring Active Directory Access.”
  1. Choose an authentication method.

    Select Bypass authentication (Web traffic is filtered according to IP-based policy rules.)


    Select Authenticate using (Depending on the options selected, authentication can be performed for both Active Directory users and guest users.)

    • Single Sign On: Users can authenticate with their stored Active Directory credentials. If the appliance is configured to allow access as a result of authentication failure (see step 2), users can still gain entry to the network as guests.
      • Perform SSO for Mac: When this option is selected, the appliance can perform single sign on for Mac OS X systems using Kerberos. In addition, you must first configure your Active Directory server to support Kerberos authentication. For instructions, see “Configuring Active Directory to Support Kerberos for Mac.”

        If this option is not turned on, Mac OS X computers are still prompted for login credentials, even though single sign on does not occur.

      • Authenticate all requests: Select this check box to authenticate all user and client application requests against Active Directory. This option only takes effect if the appliance is deployed in explicit mode.

        For more information about deployment modes, see “Network Deployment.”

        If this check box is cleared, the appliance authenticates requests from supported end user browsers against Active Directory and uses cached information to authenticate requests from client applications.

    • Captive Portal: Select this option to allow access through a special web page. When selected, users are automatically redirected to this page if single sign on fails or single sign on is turned off. If the appliance is configured to allow access as a result of authentication failure (see the next step), users can gain entry to the network through a guest link on the portal page.
      • Enforce a timeout: Specify the number of hours and minutes for which the users will remain authenticated. The default is 1 hour, after which the session times out. Users must then re-authenticate.
  2. Select an authentication failure result.

    On authentication failure

    • Block access: Do not permit unauthenticated access. If single sign on fails or it is turned off, a web browser pop-up is displayed, prompting for credentials.
    • Allow access: If single sign on fails, allow access using IP-based policy rules. If the Captive Portal feature is turned on, the login page contains a link to gain access as a guest user.
  3. Click Apply, or click the Profiles tab to create exceptions to these general authentication settings. For instructions on creating a profile, see “Configuring an Authentication Profile.”