The firewall intercepts unknown HTTP or
HTTPS sessions and redirects them to a Layer 3 interface on the
firewall using an HTTP 302 redirect to perform authentication. This
is the preferred mode because it provides a better end-user experience
(no certificate errors). However, it does require additional Layer
3 configuration. Another benefit of Redirect mode is that it
supports session cookies, which let the user
continue browsing to authenticated sites without being re-mapped
each time the timeouts expire. This is especially useful for users
who roam from one IP address to another (for example, from the corporate
LAN to the wireless network) because they won’t need to re-authenticate when
the IP address changes as long as the session stays open. If
you use Kerberos SSO or NTLM authentication, you must use Redirect
mode because the browser will provide credentials only to trusted
sites. Redirect mode is also required if you use Multi-Factor Authentication to
authenticate Captive Portal users. |