User guide

User and Group Management
About user authentication
User authentication is the process of verifying that a user is who he or she claims to be. On the Firebox,
the use of passwords allows a user name to be associated with an IP address. This helps the Firebox
administrator to monitor connections through the Firebox. With authentication, users can log in to the
network from any computer, but get access to only the network ports and protocols for which they are
authorized. All the connections that start from that IP address also transmit the session name while the user is
authenticated.
You can configure the Edge as a local authentication server, or use your existing Active Directory or LDAP
authentication server, or an existing RADIUS authentication server. When you use third-party authentication,
account privileges for users that authenticate to the third-party authentication servers are based on group
membership.
The WatchGuard user authentication feature allows a user name to be associated with a specific IP address to
help you authenticate and track a user’s connections through the Firebox. With the Firebox, the fundamental
question that is asked and answered with each connection is "Should I allow traffic from source X to go to
destination Y?" The WatchGuard authentication feature depends on the relationship between the person
using a computer and the IP address of that computer to not change during the period of time that the person
is authenticated to the Firebox.
In most environments, the relationship between an IP address and the person that uses it is stable enough to
be used to authenticate that person’s traffic. Environments in which the association between the person and
an IP address is not consistent, such as kiosk or terminal server-centric networks, are usually not good
candidates for the successful use of our user authentication feature. WatchGuard currently supports
Authentication, Accounting, and Access control (AAA) in the firewall products, based on a stable association
between IP address and person.
The WatchGuard user authentication feature also supports authentication to an Active Directory domain via
Single Sign-On and supports other frequently used authentication servers. In addition, it supports inactivity
settings and session time limits. These controls restrict the amount of time an IP address is allowed to pass
traffic through the Firebox before the users must supply their passwords again.
If you control SSO access with a white list, manage inactivity timeouts, session timeouts, and who is allowed
to authenticate, you can significantly improve your control of authentication, accounting, and access control.
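The following is an added illustration, not code from WatchGuard or the Firebox: a minimal model of the authentication behaviour the sections above describe. It binds an authenticated user (and the groups that decide his or her privileges) to a source IP address, expires that binding on either an inactivity timeout or an absolute session time limit, and answers the "should traffic from source X go to destination Y?" question from group membership. It also shows why a shared IP address (the kiosk or terminal-server case) is a poor fit: a second login from the same address silently replaces the first binding. All names, timeouts, ports and group names are constructed for the example.

```python
"""Added example (not WatchGuard code): an IP-keyed authentication session
table with an idle timeout and an absolute session timeout, plus a policy
check driven by group membership. All values here are constructed."""
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    groups: frozenset          # group names that drive the user's privileges
    started: float             # time of login (seconds; clock supplied by caller)
    last_seen: float           # time of the most recent traffic from this IP


class AuthSessionTable:
    """Maps a source IP address to the user currently authenticated from it."""

    def __init__(self, idle_timeout: float, session_timeout: float):
        self.idle_timeout = idle_timeout          # max silence before re-login
        self.session_timeout = session_timeout    # max total lifetime of a login
        self.sessions: dict[str, Session] = {}    # ip -> Session

    def login(self, ip: str, user: str, groups, now: float) -> None:
        # A new login from the same IP replaces any earlier binding. This is
        # the reason shared-IP environments (kiosks, terminal servers) are a
        # poor fit for IP-based authentication: the first user's identity is
        # lost as soon as a second user logs in from the same address.
        self.sessions[ip] = Session(user, frozenset(groups), now, now)

    def user_for(self, ip: str, now: float):
        """Return the user bound to this IP, or None if there is no binding or
        it has expired (idle or absolute) and the user must log in again."""
        s = self.sessions.get(ip)
        if s is None:
            return None
        idle_expired = now - s.last_seen > self.idle_timeout
        session_expired = now - s.started > self.session_timeout
        if idle_expired or session_expired:
            del self.sessions[ip]
            return None
        s.last_seen = now   # traffic refreshes only the inactivity clock
        return s.user

    def allow(self, src_ip: str, dst_port: int, now: float, policy: dict) -> bool:
        """Answer 'should traffic from source X reach destination Y?' using the
        groups of the user currently bound to src_ip. `policy` maps a
        destination port to the set of groups permitted to reach it."""
        if self.user_for(src_ip, now) is None:
            return False                      # unauthenticated or expired
        groups = self.sessions[src_ip].groups
        return bool(groups & policy.get(dst_port, frozenset()))


if __name__ == "__main__":
    table = AuthSessionTable(idle_timeout=600, session_timeout=3600)
    policy = {443: frozenset({"staff"}), 22: frozenset({"admins"})}
    table.login("10.0.0.5", "alice", {"staff"}, now=0)
    print("alice -> 443:", table.allow("10.0.0.5", 443, 10, policy))   # True
    print("alice -> 22: ", table.allow("10.0.0.5", 22, 20, policy))    # False
    print("after idle:  ", table.user_for("10.0.0.5", 1000))          # None
```

The two timers are deliberately independent: traffic refreshes `last_seen` and so defers the inactivity timeout, but nothing short of a fresh login resets `started`, so the absolute session limit still forces re-authentication of a continuously active address.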
How users authenticate
An HTTPS server operates on the Firebox to accept authentication requests. The users then must connect to
the authentication web page on the Firebox using the procedure described in Require users to authenticate
to the Edge. When you set up user authentication for all users, you can choose to automatically present users
with a login dialog when they attempt to access the Internet.