User Guide
OmniAccess SafeGuard OS Administration Guide
204
Chapter 6: Configuring Authentication and Role Derivation
Figure 5 Authentication Component Process
Planning for Your Authentication and Policy Deployment
Authentication and policy are tightly interwoven. When planning to implement a new
security system, it is important to understand how policy is dependent on authentication.
Role definition and policy definition are part of the policy component, but role derivation
is part of the authentication component.
Before defining rule maps for deriving a role, outline the following aspects required for
authentication and policy deployment:
1 Configure backend servers. See Configuring RADIUS Servers on page 252 and
Configuring Active Directory Servers on page 255.
2 Logically define users by role definitions. See User Policies on page 305 for more
details on roles and role hierarchy.
It is not necessary to configure the roles before configuring rule maps, but they
must be complete before attempting to bring up a full system.
3 Determine the policies that apply to each role. See Defining and Applying User
Policies on page 314.
4 Determine the resources available for each role. Access control not only means
access to the network, it is also access to the resources on a network.
SafeGuard OS supports policy enforcement at the Application Layer, which
allows you to set resources by role. For more information about controlling
resources through policies, see Layer 7 Policies on page 307.
5 Determine how users will be distinguished based upon attributes.
This step is important for specifying rule maps. As mentioned in Authentication
Concepts on page 202, there is information in the authentication event that can be
unique to a user. Often these protocol and system elements are sufficient to
categorize the user into a role. Some of the attributes supported are:
[Figure 5, Authentication Component Process: the diagram labels are Authentication component, Events, Creates, User table, Attribute table, Mapping table, Processes rule maps to derive a role, Role updates, and Policy component.]
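The planning steps above describe rule maps that derive a role from attributes carried in the authentication event, with role definitions living in the policy component and needing to be complete before the full system is brought up. The following is an added illustrative example, not SafeGuard OS configuration or code: a small first-match rule map in Python that derives a role from a constructed authentication event and checks that every role a rule references has actually been defined. The event field names, rule names, role names and the sample RADIUS attribute value are all assumptions made for the example.

```python
# Added illustrative example: an ordered rule map that derives a role from the
# attributes of an authentication event. Attribute names, rule syntax and role
# names are assumptions for this example, not SafeGuard OS configuration.
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class AuthEvent:
    """Constructed view of an authentication event (assumed field names)."""
    username: str
    auth_method: str                      # e.g. "802.1x" or "captive-portal"
    backend: str                          # e.g. "active-directory" or "radius"
    groups: FrozenSet[str] = frozenset()  # group memberships returned by the backend
    attributes: Dict[str, str] = field(default_factory=dict)  # raw backend attributes


@dataclass(frozen=True)
class Rule:
    name: str
    role: str
    match: Callable[[AuthEvent], bool]


class RuleMap:
    """First-match rule map: rules are evaluated in order; the first hit assigns the role."""

    def __init__(self, rules: List[Rule], defined_roles: FrozenSet[str], default_role: str):
        self.rules = list(rules)
        self.defined_roles = frozenset(defined_roles)
        self.default_role = default_role

    def undefined_roles(self) -> List[str]:
        """Roles referenced by a rule (or the default) that have not been defined.
        Rule maps may be written before roles exist, but roles must be complete
        before the system goes live; run this check at that point."""
        referenced = [r.role for r in self.rules] + [self.default_role]
        missing: List[str] = []
        for role in referenced:
            if role not in self.defined_roles and role not in missing:
                missing.append(role)
        return missing

    def derive_role(self, event: AuthEvent) -> Tuple[str, str]:
        """Return (derived role, name of the matching rule or "default")."""
        for rule in self.rules:
            if rule.match(event):
                return rule.role, rule.name
        return self.default_role, "default"


def build_rule_map() -> RuleMap:
    """Constructed rule map. Order matters: the most specific mapping is listed
    first so a broader rule cannot shadow it, and the default is the least
    privileged role, so an event matching nothing gets minimal access."""
    rules = [
        Rule("domain-admins", "admin",
             lambda e: e.backend == "active-directory" and "Domain Admins" in e.groups),
        Rule("finance-staff", "finance",
             lambda e: e.backend == "active-directory" and "Finance" in e.groups),
        Rule("radius-contractor", "contractor",
             lambda e: e.backend == "radius" and e.attributes.get("Filter-Id") == "contractor"),
        Rule("portal-guest", "guest",
             lambda e: e.auth_method == "captive-portal"),
    ]
    defined = frozenset({"admin", "finance", "contractor", "guest", "restricted"})
    return RuleMap(rules, defined, default_role="restricted")


# Constructed sample events (not real users or real backend output).
SAMPLE_EVENTS = {
    "alice": AuthEvent("alice", "802.1x", "active-directory",
                       frozenset({"Domain Admins", "Finance"})),
    "bob": AuthEvent("bob", "802.1x", "active-directory", frozenset({"Finance"})),
    "carol": AuthEvent("carol", "802.1x", "radius", attributes={"Filter-Id": "contractor"}),
    "dave": AuthEvent("dave", "captive-portal", "radius"),
    "erin": AuthEvent("erin", "802.1x", "radius"),
}


if __name__ == "__main__":
    rule_map = build_rule_map()
    assert not rule_map.undefined_roles(), rule_map.undefined_roles()
    for name, event in SAMPLE_EVENTS.items():
        role, via = rule_map.derive_role(event)
        print(f"{name:6} -> {role:11} (rule: {via})")
```

Two design points carry over to a real deployment regardless of product syntax: rule order decides the outcome when a user matches several rules (alice is in both "Domain Admins" and "Finance" and gets the role of the first rule that matches), and the default role should be the least privileged one so that an authentication event the rule map does not anticipate cannot silently land in a broad role.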