Associate Authentication Methods

In document FIREWALL/VPN REFERENCE GUIDE (Page 198-200)

Authentication Method elements represent third-party external authentication servers and the Authentication Server component; they are referenced in user properties and in IPv4 Access rules.

There is a predefined Authentication Method for IAS that is automatically used for authentication with Microsoft IAS and Active Directory. To use some other external authentication server or the Authentication Server component, or to use an Active Directory server for RADIUS-based authentication, you must define Authentication Method elements.

Each Authentication Method element can be associated with one or more servers, but each RADIUS or TACACS+ Authentication Server can only be associated with one Authentication Method. When multiple servers are associated with the same Authentication Method, the servers are used as alternative servers if the first contacted server does not respond. All servers associated with the same Authentication Method must contain identical information on each authenticating user, since it is not possible for the user to determine which of the alternative servers is being contacted.

Authentication Methods for the Authentication Server component are based on the four predefined types of authentication methods. You can add one Authentication Method of each type to the Authentication Server. The Authentication Methods for the Authentication Server cannot be used by external authentication servers.

Task 3: Define User Authentication in IPv4 Access Rules

The IPv4 Access rules in a firewall policy can be configured to match only when the user is authenticated. The authentication parameters are defined in the Authentication cell.

An authentication method is activated when at least one rule that contains the corresponding Authentication Method element is installed on the firewall. The authentication is usually granted for a specific duration based on source IP address. Alternatively, authentication can be granted only for the duration of a single connection with Telnet-based authentication.

No rules are needed to allow the authentication connection, except when browser-based user authentication is used. Any end-user with a valid user account for the active authentication methods is allowed to authenticate even if there are no rules that require authentication to access a particular service.

Once the user successfully authenticates, the firewall adds the user to a list of authenticated users. The next connection that the user opens can then match an Access rule that requires authentication, provided the user and the authentication method match the parameters of the rule.

Note that the User, User Group, and Authentication Method elements are simply used as matching criteria, so any of the other rules above or below may also match the authenticated user’s connections. This is especially important to consider for VPN client connections, since the VPN client can be configured to receive an IP address from the organization’s internal IP address space.

If necessary, you can define rules that discard connections from some combinations of Users and Authentication methods. The Source VPN cell in IPv4 Access rules can be used to match VPN traffic/non-VPN traffic as desired.
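The matching behaviour described in Task 3 (time-limited authentication granted per source IP, first-match rule evaluation, and rules without an Authentication requirement still matching an authenticated user's traffic) as a small constructed model; this is added example code, not StoneGate's implementation, and the rule, user and method names in it are made up.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model (not StoneGate code) of the matching described above: auth is
# granted per source IP for a limited time; a rule with an Authentication cell
# matches only while that grant is live and user/group and method fit the rule.

@dataclass
class AuthGrant:
    user: str
    method: str            # e.g. "IAS Authentication"
    groups: frozenset      # LDAP Domain groups the user belongs to
    expires: float         # epoch seconds; the grant is void after this

@dataclass
class AccessRule:
    name: str
    src: str               # "any" or a source IP
    dst: str               # "any" or a destination host
    service: str           # "any" or a service name
    action: str            # "allow" or "discard"
    auth_users: Optional[frozenset] = None   # required users/groups; None = no auth
    auth_method: Optional[str] = None

class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.authenticated = {}   # source IP -> AuthGrant (the authenticated-users list)

    def login(self, ip, grant):
        self.authenticated[ip] = grant

    def _auth_ok(self, rule, ip, now):
        if rule.auth_users is None:
            return True
        g = self.authenticated.get(ip)
        if g is None or g.expires <= now:
            self.authenticated.pop(ip, None)     # forget expired grants
            return False
        if g.method != rule.auth_method:
            return False
        return g.user in rule.auth_users or bool(g.groups & rule.auth_users)

    def match(self, ip, dst, service, now):
        """First-match evaluation; (rule name, action), or discard if none match."""
        for r in self.rules:
            if (r.src in ("any", ip) and r.dst in ("any", dst)
                    and r.service in ("any", service) and self._auth_ok(r, ip, now)):
                return r.name, r.action
        return None, "discard"
```

Because the grant is keyed by source IP, any host that later reuses that address inherits the match until the grant expires, which is the reason the text warns about VPN clients drawing addresses from the internal range.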

Task 4: Configure User Authentication Interfaces

End-users usually authenticate through a VPN client, which requests the user to authenticate as needed. See Overview to VPN Configuration (page 244) for more information about VPNs. When the VPN client is used, successful authentication opens a VPN tunnel.

End-users can alternatively open an authentication page in a web browser. The end-users can authenticate using encrypted HTTPS connections as well as plain HTTP connections. Browser-based user authentication is configured in the properties of the firewall. The IPv4 Access rules for allowing authentication connections are not included in the Default Template Policy. You must add a rule that allows this traffic in the firewall’s policy. Additionally, you must add IPv4 Access and Inspection rules to enable redirection of unauthenticated HTTP connections to the login page.

Caution – Plain HTTP connections are unsecured and transfer user access credentials in cleartext. Use encrypted HTTPS connections to avoid loss of sensitive information.

The end-users can also launch a separate Telnet authentication connection to the firewall. No special configuration is needed to use Telnet authentication.

Examples of External User Authentication

The examples in this section illustrate some common uses for User Authentication in StoneGate and general steps on how each scenario is configured.

Using StoneGate with a Microsoft Active Directory Server

This example provides an overview of the configuration. For more information on configuring IAS, consult Microsoft’s documentation at http://technet.microsoft.com/.

Company B has an existing Microsoft Active Directory server that stores user information. They decide to use this existing information for user authentication in StoneGate.

The administrators:

1. Define an Active Directory Server element.

2. Add the StoneGate-specific classes and attributes into the Active Directory server’s configuration to be able to fully manage the user accounts through the Management Client.

3. Define StoneGate as an LDAP client for the Active Directory server.

4. Define StoneGate as an authentication client for the IAS.

5. Add a new LDAP Domain element for the Active Directory server in StoneGate.

6. Add an IPv4 Access rule with authentication defined as shown below.

Using SecurID Authentication with StoneGate VPN Clients

This example provides an overview of the configuration. For more information on using SecurID authentication with StoneGate, consult RSA’s documentation at http://www.rsa.com/rsasecured/product.aspx?id=1850.

Company C is about to introduce remote StoneGate IPsec VPN Client access to their network.

The administrators want to enhance the security of their authentication solution, as authentication is currently done using an external LDAP server and Telnet clients within the

Caution – The Telnet method transfers the username and password in cleartext and does not provide any security in addition to the initial authentication of an IP address or a connection. Use a VPN client when a higher security level is required.

Table 23.1 Example Access Rule for IAS Authentication

Source | Destination | Authentication
Some User or User Group elements from the AD’s LDAP Domain. | | Require authentication with “IAS Authentication” Authentication Method.
