User Guide
OmniAccess SafeGuard OS Administration Guide
Chapter 6: Configuring Authentication and Role Derivation
When providing active authentication, the system disables network access for a client
station until an authentication exchange takes place. While access is disabled, a user
cannot reach the network without presenting the proper credentials.
During passive authentication, the SafeGuard OS sniffs the results of external
authentication devices and servers to obtain a user name that can then be used in traffic
visualization. Examples of passive authentication are:
■ Windows Active Directory (AD) login
■ RADIUS
Users in the LANShield OS are kept in the user table. This table keeps information on
each user in the network including the user name, interfaces, and assigned roles. Entries,
including the credentials, are aged from the user table based on inactivity of the end
hosts. In addition, per-protocol timers can be configured to forcibly age out users after
some time.
Authentication Component Process
The authentication component begins by receiving login events using either the active or
passive authentication methods, and then updates the user tables with information
contained in the login event. After the tables are updated, the authentication component
assigns a role to the new user.
The information in the event can be matched against other sets of criteria or rules. The
rules can be matched against an AD store, RADIUS protocol, or known system
information. If the information in the event matches the rules, then a role can be assigned
based on the match. The matching of event information to rules is called role derivation.
The rules that we use to perform the match are called rule maps. Role derivation and rule
maps are described at length in Role Derivation on page 276.
After the role is derived, it is sent to the policy component for group-specific access
control and policy enforcement. The flow through the authentication component to the
policy component is shown in Figure 5.
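The following is an added illustration, not SafeGuard OS code, of the authentication component flow described above: login events (active or passive, sourced from AD or RADIUS) populate a user table, a rule map derives a role from the event's fields, and entries are aged out either by host inactivity or by a per-protocol timer. The user names, interface names, AD group and RADIUS attribute values, and the timer values are all constructed for the example; treating the per-protocol timer as a maximum session age counted from login is an assumption about how the forced aging works.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class LoginEvent:
    """One login event as received by the authentication component."""
    user: str
    interface: str
    method: str                 # "active" (device-driven) or "passive" (sniffed)
    protocol: str               # event source: "ad" or "radius" (constructed labels)
    time: float                 # seconds on a constructed clock
    attrs: Dict[str, str] = field(default_factory=dict)  # e.g. AD group, RADIUS attribute


@dataclass
class UserEntry:
    """A row of the user table: name, interface, role and the timestamps used for aging."""
    user: str
    interface: str
    protocol: str
    role: str
    login_time: float
    last_seen: float


# A rule map is an ordered list of (predicate, role); the first matching rule wins.
Rule = Tuple[Callable[[LoginEvent], bool], str]


def derive_role(event: LoginEvent, rule_map: List[Rule], default: str = "guest") -> str:
    """Role derivation: match the event's fields against the rule map."""
    for predicate, role in rule_map:
        if predicate(event):
            return role
    return default


class UserTable:
    def __init__(self, rule_map: List[Rule], inactivity_timeout: float,
                 protocol_timeouts: Dict[str, float]):
        self.rule_map = rule_map
        self.inactivity_timeout = inactivity_timeout   # seconds without traffic from the host
        self.protocol_timeouts = protocol_timeouts     # protocol -> forced max session age (assumed semantics)
        self.entries: Dict[str, UserEntry] = {}

    def on_login(self, event: LoginEvent) -> UserEntry:
        """Update the table from a login event and assign the derived role."""
        role = derive_role(event, self.rule_map)
        entry = UserEntry(event.user, event.interface, event.protocol, role, event.time, event.time)
        self.entries[event.user] = entry
        return entry

    def on_traffic(self, user: str, now: float) -> None:
        """Traffic from a known host refreshes its inactivity timer."""
        entry = self.entries.get(user)
        if entry is not None:
            entry.last_seen = now

    def age(self, now: float) -> List[str]:
        """Remove entries idle past the inactivity timeout or older than their protocol timer."""
        expired = []
        for user, e in list(self.entries.items()):
            idle_too_long = now - e.last_seen >= self.inactivity_timeout
            max_age = self.protocol_timeouts.get(e.protocol)
            past_protocol_timer = max_age is not None and now - e.login_time >= max_age
            if idle_too_long or past_protocol_timer:
                expired.append(user)
                del self.entries[user]
        return expired

    def role_of(self, user: str) -> Optional[str]:
        e = self.entries.get(user)
        return e.role if e else None

    def access_allowed(self, user: str) -> bool:
        """Under active authentication a station has no network access until it is in the table."""
        return user in self.entries


# Constructed rule map: AD group and RADIUS attribute values are illustrative only.
RULE_MAP: List[Rule] = [
    (lambda ev: ev.protocol == "ad" and ev.attrs.get("group") == "Finance", "finance"),
    (lambda ev: ev.protocol == "radius" and ev.attrs.get("Filter-Id") == "contractor", "contractor"),
    (lambda ev: ev.protocol == "ad", "employee"),
]


def demo() -> Dict[str, object]:
    """Walk three users through login, role derivation and both kinds of aging."""
    table = UserTable(RULE_MAP, inactivity_timeout=300, protocol_timeouts={"radius": 3600})
    before = table.access_allowed("alice")           # no login yet: access disabled
    table.on_login(LoginEvent("alice", "ge0/1", "passive", "ad", 0.0, {"group": "Finance"}))
    table.on_login(LoginEvent("bob", "ge0/2", "active", "radius", 0.0, {"Filter-Id": "contractor"}))
    table.on_login(LoginEvent("carol", "ge0/3", "passive", "ad", 0.0, {"group": "Sales"}))
    roles = {u: table.role_of(u) for u in ("alice", "bob", "carol")}
    table.on_traffic("alice", 250.0)                 # carol stays silent and goes idle
    table.on_traffic("bob", 250.0)
    by_inactivity = table.age(400.0)                 # carol idle 400 s >= 300 s
    table.on_traffic("alice", 3550.0)                # both remaining hosts are still active ...
    table.on_traffic("bob", 3550.0)
    by_protocol_timer = table.age(3600.0)            # ... but bob's RADIUS session hits 3600 s
    return {"before": before, "roles": roles, "expired_by_inactivity": by_inactivity,
            "expired_by_protocol_timer": by_protocol_timer,
            "still_present": sorted(table.entries)}


if __name__ == "__main__":
    print(demo())
```

Note that carol is aged out purely by inactivity while bob, still sending traffic, is removed by the RADIUS protocol timer; both removals drop the cached credentials from the table, which is the behaviour the aging rules above are meant to guarantee.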
NOTE: No user configuration is required to passively authenticate a user on a
new SafeGuard device. By default, when the device is in monitor or protection
mode, passive authentication will work without any user configuration
required.