Configure Authentication Policy
Perform the following steps to configure Authentication policy for end users who access services through Captive Portal. Before starting, ensure that your Security Policy allows users to access the services and URL categories that require authentication.
- Configure the firewall to use one of the following services to authenticate users.
- External Authentication Services—Configure a server profile to define how the firewall connects to the service.
- Local database authentication—Add each user account to the local user database on the firewall.
- Kerberos single sign-on (SSO)—Create a Kerberos keytab for the firewall. Optionally, you can configure the firewall to use Kerberos SSO as the primary authentication service and, if SSO failures occur, fall back to an external service or local database authentication.
- Configure an Authentication Profile and Sequence for each set of users and Authentication policy rules that require the same authentication services and settings.Select theTypeof authentication service and related settings:
- External service—Select theTypeof external server and select theServer Profileyou created for it.
- Local database authentication—Set theTypetoLocal Database. In theAdvancedsettings,Addthe Captive Portal users and user groups you created.
- Kerberos SSO—Specify theKerberos RealmandImporttheKerberos Keytab.
- Configure an authentication enforcement object.The object associates each authentication profile with a Captive Portal method. The method determines whether the first authentication challenge (factor) is transparent or requires a user response.
- SelectandObjectsAuthenticationAddan object.
- Enter aNameto identify the object.
- Select anAuthentication Methodfor the authentication serviceTypeyou specified in the authentication profile:
- browser-challenge—Select this method if you want the client browser to respond to the first authentication factor instead of having the user enter login credentials. For this method, you must configure Kerberos SSO in the authentication profile. If the browser challenge fails, the firewall falls back to theweb-formmethod.
- web-form—Select this method if you want the firewall to display a Captive Portal web form for users to enter login credentials.
- Select theAuthentication Profileyou configured.
- Enter theMessagethat the Captive Portal web form will display to tell users how to authenticate for the first authentication factor.
- ClickOKto save the object.
- Configure an Authentication policy rule.Create a rule for each set of users, services, and URL categories that require the same authentication services and settings.The firewall does not apply the Captive Portal timeout if your authentication policy uses default authentication enforcement objects (for example,default-browser-challenge).To require users to re-authenticate after the Captive Portal timeout, clone the rule for the default authentication object and move it before the existing rule for the default authentication object.
- SelectandPoliciesAuthenticationAdda rule.
- Enter aNameto identify the rule.
- SelectSourceandAddspecific zones and IP addresses or selectAnyzones or IP addresses.
- SelectUserand select orAddthe source users and user groups to which the rule applies (default isany).
- Select orAddthe Host Information Profiles to which the rule applies (default isany).
- SelectDestinationandAddspecific zones and IP addresses or selectanyzones or IP addresses.The IP addresses can be resources (such as servers) for which you want to control access.
- SelectService/URL Categoryand select orAddthe services and service groups for which the rule controls access (default isservice-http).
- Select orAddthe URL Categories for which the rule controls access (default isany). For example, you can create a custom URL category that specifies your most sensitive internal sites.
- SelectActionsand select theAuthentication Enforcementobject you created.
- Specify theTimeoutperiod in minutes (default 60) during which the firewall prompts the user to authenticate only once for repeated access to services and applications.Timeoutis a tradeoff between tighter security (less time between authentication prompts) and the user experience (more time between authentication prompts). More frequent authentication is often the right choice for access to critical systems and sensitive areas such as a data center. Less frequent authentication is often the right choice at the network perimeter and for businesses for which the user experience is key.
- ClickOKto save the rule.
- (MFA only) Customize the MFA login page.The firewall displays this page so that users can authenticate for any additional MFA factors.
- Verify that the firewall enforces Authentication policy.
- Log in to your network as one of the source users specified in an Authentication policy rule.
- Request a service or URL category that matches one specified in the rule.The firewall displays the Captive Portal web form for the first authentication factor. For example:If you configured the firewall to use one or more MFA services, authenticate for the additional authentication factors.
- End the session for the service or URL you just accessed.
- Start a new session for the same service or application. Be sure to perform this step within theTimeoutperiod you configured in the Authentication rule.The firewall allows access without re-authenticating.
- Wait until theTimeoutperiod expires and request the same service or application.The firewall prompts you to re-authenticate.
- (Optional) Redistribute Data and Authentication Timestamps to other firewalls that enforce Authentication policy to ensure they all apply the timeouts consistently for all users.
Recommended For You
Recommended videos not found.