The following are key questions to consider before you implement an authentication solution for administrators who access the firewall and end users who access services and applications through Captive Portal.
For both end users and administrators, consider:
How can you leverage your existing security infrastructure? Usually, integrating the firewall with an existing infrastructure is faster and cheaper than setting up a new, separate solution just for firewall services. The firewall can integrate with Multi-Factor Authentication, SAML, Kerberos, TACACS+, RADIUS, and LDAP servers.

If your users access services and applications that are external to your network, you can use SAML to integrate the firewall with an identity provider (IdP) that controls access to both external and internal services and applications.
How can you optimize the user experience? If you don’t want users to authenticate manually and you have a public key infrastructure, you can implement certificate authentication. Another option is to implement Kerberos or SAML single sign-on (SSO) so that users can access multiple services and applications after logging in to just one. If your network requires additional security, you can combine certificate authentication with interactive
Do you require special user accounts that you don’t manage through the directory servers that your organization reserves for regular accounts? For example, you might define a superuser account that is local to the firewall so that you can access the firewall even if the directory server is down. You can configure Local Authentication for these special-purpose accounts.
External authentication services are usually preferable to local authentication because they provide central account management, reliable authentication services, and usually logging and troubleshooting features.
For end users only, consider:
Which services and applications are more sensitive than others? For example, you might want stronger authentication for key financial documents than for search engines. To protect your most sensitive services and applications, you can configure Multi-Factor Authentication (MFA) to ensure that each user authenticates using multiple methods (factors) when accessing those services and applications. To accommodate a variety of security needs, configure Authentication Policy rules that trigger MFA or single-factor authentication (such as login credentials or certificates) based on specific services, applications, and end users. Other ways to reduce your attack surface include network segmentation and user groups for allowed applications.
For administrators only, consider:
Do you use an external server to centrally manage authorization for all administrative accounts? By defining Vendor-Specific Attributes (VSAs) on the external server, you can quickly change administrative role assignments through your directory service instead of reconfiguring settings on the firewall. VSAs also enable you to specify access domains for administrators of firewalls with multiple virtual systems. SAML, TACACS+, and RADIUS support
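To make concrete what a RADIUS server actually sends when it carries the role and access-domain assignments described above, here is an added example (not code from this documentation or from the vendor) that encodes and decodes the Vendor-Specific attribute (RFC 2865, type 26) and applies a fail-closed authorization check. The vendor ID 25461 and the sub-attribute numbers 1 (admin role) and 2 (access domain) are taken from the vendor's published RADIUS dictionary rather than from this page, so confirm them against the dictionary shipped with your firewall; the function names and the sample bytes are constructed for the example.

```python
import struct
VENDOR_SPECIFIC = 26  # RADIUS Vendor-Specific attribute type (RFC 2865 5.26)
# Vendor ID and sub-attribute numbers assumed from the vendor's RADIUS
# dictionary; confirm against the dictionary shipped with your firewall.
PALOALTO_VENDOR_ID = 25461
VSA_NAMES = {1: "PaloAlto-Admin-Role", 2: "PaloAlto-Admin-Access-Domain"}

def encode_vsa(vendor_id, sub_attrs):
    # One Vendor-Specific attribute: Type, Length, Vendor-Id, then sub-attributes.
    body = b""
    for sub_type, value in sub_attrs:
        data = value.encode()
        body += struct.pack("!BB", sub_type, len(data) + 2) + data
    payload = struct.pack("!I", vendor_id) + body
    return struct.pack("!BB", VENDOR_SPECIFIC, len(payload) + 2) + payload

def decode_vsas(raw):
    # Walk the attribute list; return this vendor's sub-attributes keyed by name.
    result, pos = {}, 0
    while pos + 2 <= len(raw):
        attr_type, attr_len = raw[pos], raw[pos + 1]
        if attr_len < 2 or pos + attr_len > len(raw):
            raise ValueError("malformed attribute length")
        value = raw[pos + 2:pos + attr_len]
        pos += attr_len
        if attr_type != VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != PALOALTO_VENDOR_ID:
            continue  # some other vendor's attribute
        sub, spos = value[4:], 0
        while spos + 2 <= len(sub):
            sub_type, sub_len = sub[spos], sub[spos + 1]
            if sub_len < 2 or spos + sub_len > len(sub):
                raise ValueError("malformed vendor sub-attribute")
            name = VSA_NAMES.get(sub_type, "vendor-attr-%d" % sub_type)
            result[name] = sub[spos + 2:spos + sub_len].decode()
            spos += sub_len
    return result

def admin_authorization(raw, allowed_roles):
    # Fail closed: no recognised role in the Access-Accept means no admin access.
    vsas = decode_vsas(raw)
    role = vsas.get("PaloAlto-Admin-Role")
    if role not in allowed_roles:
        return None
    return role, vsas.get("PaloAlto-Admin-Access-Domain")

# Constructed sample Access-Accept attributes: a Reply-Message (type 18), then the VSA.
SAMPLE_ATTRS = (struct.pack("!BB", 18, 4) + b"ok"
                + encode_vsa(PALOALTO_VENDOR_ID, [(1, "superuser"), (2, "vsys1")]))
```

Changing the role on the RADIUS server changes what `decode_vsas` returns on the next login, which is the central-management benefit the text describes; a reply with no recognised role yields no access rather than a default role.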