User Manual Part 1
Table Of Contents
- Check Point Safe@Office User Guide 8.0
- Copyright & Trademarks
- Contents
- About This Guide
- Introduction
- About Your Check Point Safe@Office Appliance
- Safe@Office 500 Product Family
- Product Features
- Wireless Features
- Optional Security Services
- Software Requirements
- Getting to Know Your Safe@Office 500 Appliance
- Getting to Know Your Safe@Office 500W Appliance
- Getting to Know Your Safe@Office 500 ADSL Appliance
- Getting to Know Your Safe@Office 500W ADSL Appliance
- Contacting Technical Support
- Safe@Office Security
- Installing and Setting Up Safe@Office
- Getting Started
- Configuring the Internet Connection
- Managing Your Network
- Using Bridges
- Configuring High Availability
- Using Traffic Shaper
- Working with Wireless Networks
- Viewing Reports
- Viewing Logs
- Setting Your Security Policy
The rule is deleted.
Using Port-Based Security
The Safe@Office appliance supports the IEEE 802.1x standard for secure authentication of
users and devices that are directly attached to the Safe@Office appliance's LAN and DMZ
ports, as well as the wireless LAN. Authentication can be performed either by an external
RADIUS server, or by the Safe@Office appliance's built-in EAP authenticator. For
information on the Safe@Office EAP authenticator, see Using the Safe@Office EAP
Authenticator on page 394.
When an 802.1x security scheme is implemented for a port, users attempting to connect to
that port are required to authenticate using their network user name and password. The
Safe@Office appliance sends the user's credentials to the configured authentication server,
and if authentication succeeds, a connection is established. If the user fails to authenticate,
the port is physically isolated from other ports on the gateway.
If desired, you can specify how users should be handled after successful or failed
authentication. Users who authenticate successfully on a specific port are assigned to the
network with which that port is associated. For example, if the port is assigned to the DMZ
network, all users who authenticate successfully on that port are assigned to the DMZ
network.
When using a RADIUS server for authentication, you can assign authenticated users to
specific network segments, by configuring dynamic VLAN assignment on the RADIUS
server. Upon successful authentication, the RADIUS server sends RADIUS option 81
[Tunnel-Private-Group-ID] to the Safe@Office appliance, indicating to which network
segment the user should be assigned. For example, if a member of the Accounting team
connects to a network port and attempts to log in, the Safe@Office appliance relays the
information to the RADIUS server, which replies with RADIUS option 81 and the value
“Accounting”. The appliance then assigns the user’s port to the Accounting network,
granting the user access to all the resources of the Accounting team.
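The following added example (not Check Point code; how the appliance itself processes the reply is not described in this guide) decodes a RADIUS reply as defined in RFC 2865 and RFC 2868: it verifies the Response Authenticator with the shared secret before trusting the reply, then reads option 81, falling back to the port's own network when the option is absent. The function names, the shared secret and the sample packets are constructed for illustration.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
TUNNEL_PRIVATE_GROUP_ID = 81  # RADIUS attribute type (RFC 2868)


def build_reply(code, ident, request_auth, attrs, secret):
    """Build a constructed RADIUS reply (sample data for this example only)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + auth + body


def parse_reply(packet, request_auth, secret):
    """Return (code, [(type, value), ...]) after checking the Response Authenticator."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad length field")
    packet = packet[:length]
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch")
    attrs, pos = [], 20
    while pos < length:
        a_len = packet[pos + 1] if pos + 2 <= length else 0
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.append((packet[pos], packet[pos + 2:pos + a_len]))
        pos += a_len
    return code, attrs


def assigned_network(packet, request_auth, secret, port_network):
    """Network for the port: option 81 if sent, else the port's own network; None on reject."""
    code, attrs = parse_reply(packet, request_auth, secret)
    if code != ACCESS_ACCEPT:
        return None
    for a_type, value in attrs:
        if a_type == TUNNEL_PRIVATE_GROUP_ID and value:
            # RFC 2868: a first octet of 0x00-0x1F is a tag, not part of the string.
            name = value[1:] if value[0] <= 0x1F else value
            return name.decode("ascii")
    return port_network
```

A reply whose authenticator does not match the shared secret raises `ValueError` and never reaches the assignment step, so a forged option 81 cannot move a port to another segment.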
The Safe@Office appliance also enables you to automatically assign users to a
“Quarantine” network when authentication fails. All Quarantine network security and
network rules will apply to those users. For example, you can create security rules
allowing users on the Quarantine network to access the Internet and blocking them from