Getting started with user authentication

User authentication means requiring users to prove their identity before they are given access to a network resource.

Authentication requires a user database that stores the user information and an authentication method that inspects credentials and grants or denies access.

You can use the following kinds of authentication methods:

  • The firewall's internal authentication methods
  • Authentication methods provided by external RADIUS or TACACS+ authentication servers, such as NPS or RSA Authentication Manager (SecurID)
  • LDAP authentication for simple password authentication against the LDAP database on an external LDAP server or Active Directory server

Alternatively, if strong authentication is not required, you can allow specific users to access services in a trusted environment without requiring user authentication.

User authentication proceeds as follows:
  1. The user opens an authentication connection to the firewall.
  2. The firewall checks if the user exists and which authentication method the user can use.
  3. The user-supplied credentials are verified.
    • When you use the firewall's internal authentication methods, the firewall checks user credentials against its own replica of the user database.
    • When you use authentication methods provided by an external server, the external server verifies the user's credentials, then responds to the firewall whether authentication succeeds or fails.
  4. If authentication succeeds, the firewall lists the user as an authenticated user, taking note of both user name and authentication method.
  5. When the user opens new connections, IPv4 Access rules that contain an authentication requirement can now match. The user name and authentication method are both separately checked as matching criteria.
  6. When the configured timeout is reached, the authentication expires and the user is removed from the list of authenticated users. Access rules that require authentication no longer match the user’s connections.
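
Steps 4 to 6 can be modeled in a few lines. The following is an added illustration, not the firewall's own code: the class and function names are hypothetical, and keying the authenticated-user list by source IPv4 address and using first-match rule evaluation are assumptions made for the example.

```python
from dataclasses import dataclass, field

@dataclass
class AuthTable:
    """Model of the firewall's list of authenticated users (steps 4 and 6)."""
    timeout: float                                # configured timeout, in seconds
    entries: dict = field(default_factory=dict)   # assumed key: source IPv4 address

    def login(self, src_ip, user, method, now):
        # Step 4: note both the user name and the method that succeeded.
        self.entries[src_ip] = (user, method, now + self.timeout)

    def lookup(self, src_ip, now):
        # Step 6: once the timeout is reached, the entry is removed.
        entry = self.entries.get(src_ip)
        if entry is None:
            return None
        user, method, expires = entry
        if now >= expires:
            del self.entries[src_ip]
            return None
        return user, method

@dataclass(frozen=True)
class AuthRule:
    """An access rule that carries an authentication requirement."""
    name: str
    users: frozenset
    methods: frozenset

def evaluate(rules, table, src_ip, now):
    """Step 5: first rule whose user AND method criteria both match, else None."""
    auth = table.lookup(src_ip, now)
    if auth is None:
        return None
    user, method = auth
    for rule in rules:
        if user in rule.users and method in rule.methods:
            return rule.name
    return None

# Constructed sample policy and session (names and addresses are made up).
RULES = [
    AuthRule("finance-app", frozenset({"alice"}), frozenset({"RADIUS"})),
    AuthRule("intranet", frozenset({"alice", "bob"}), frozenset({"LDAP", "RADIUS"})),
]
table = AuthTable(timeout=3600)
table.login("192.0.2.10", "alice", "LDAP", now=0)
```

Here alice is named in the finance-app rule, but she authenticated with LDAP, so only the intranet rule matches her connections until the entry expires.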

With user authentication, you can:
  • Maintain separation of internal networks that have different security levels when the confidentiality of the information that is accessed does not need to be strictly enforced. For example, user authentication can provide an extra access control measure for applications that already exchange information securely.
  • Allow secure and confidential access from any location to any internal resources for Stonesoft VPN Client users.
  • Authenticate Administrator and Web Portal User logons.

The following limitations apply to user authentication:
  • User authentication is only supported on Firewalls. User authentication is not supported on layer 2 physical interfaces on Firewalls.
  • Only IPv4 addresses are supported in user authentication. All elements used in user authentication must have an IPv4 address.
    Note: RADIUS authentication servers that are used to authenticate administrators support IPv6 addresses.