Overview of external user authentication

External user authentication means that authentication services are provided by an authentication server outside of the SMC.

You can use the following kinds of external authentication services:

  • Authentication services that support the RADIUS or TACACS+ protocol, such as RSA Authentication Manager or the NPS (Network Policy Server) of a Windows (Active Directory) server.
  • LDAP authentication for simple password authentication against the LDAP database on the external directory server where user accounts are stored.

User authentication is only supported for IPv4 traffic.

Note: RADIUS authentication servers that are used to authenticate administrators support IPv6 addresses.

External user authentication proceeds as follows:

Figure: External user authentication process

1. The user opens an authentication connection to the firewall.
2. The firewall queries the directory server to check whether the user exists and which authentication method the user should use.
3. The firewall prompts the user to authenticate, and the user enters the credentials required for that authentication method.
4. The firewall relays the user credentials to one of the following components, depending on the authentication method:
  • For RADIUS or TACACS+ authentication methods, the firewall relays the user credentials to the external authentication server.
  • For LDAP authentication, the firewall relays the user credentials to the directory server.
5. Depending on the authentication method, one of the following components verifies the user credentials and reports to the firewall whether authentication succeeded or failed:
  • For RADIUS or TACACS+ authentication methods, the external authentication server verifies the user credentials.
  • For LDAP authentication, the directory server verifies the user credentials.
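The following is an added example (not code from the SMC documentation or product) that simulates steps 2 through 5 of the process above in one process: a firewall-side function looks the user up in a constructed directory to learn the authentication method, then relays the credentials either as an RFC 2865 RADIUS Access-Request (PAP User-Password hiding and Response Authenticator check, implemented as the RFC describes them) or as a simple LDAP-style bind against the directory entry. The directory contents, user names, passwords and the shared secret are all constructed values, and both the RADIUS server and the directory server are stand-in functions rather than network services. The point of interest for a defender is the final check: the firewall accepts an Access-Accept only if its Response Authenticator was computed with the shared secret, so a forged reply from a host that does not hold the secret is discarded.

```python
"""Simulated external user authentication flow (constructed example)."""
import hashlib
import hmac
import os
import struct

CODE_ACCESS_REQUEST, CODE_ACCESS_ACCEPT, CODE_ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

# Constructed data: what the directory server knows (step 2) and what the
# RADIUS server knows (step 5). Hypothetical users and passwords.
DIRECTORY = {"alice": {"method": "radius"},
             "bob": {"method": "ldap", "password": "bob-ldap-pw"}}
RADIUS_SECRET = b"constructed-shared-secret"   # shared by firewall and RADIUS server
RADIUS_USERS = {"alice": "alice-pw"}


def _xor_blocks(data, secret, authenticator, decrypt):
    """RFC 2865 5.2 keystream: MD5(secret + previous cipher block), first block
    keyed with the Request Authenticator. Same loop hides and reveals."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, key))
        out += result
        prev = block if decrypt else result
    return out


def hide_password(password, secret, authenticator):
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    return _xor_blocks(padded, secret, authenticator, decrypt=False)


def reveal_password(hidden, secret, authenticator):
    return _xor_blocks(hidden, secret, authenticator, decrypt=True).rstrip(b"\x00")


def _attrs(pairs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in pairs)


def _parse_attrs(data):
    out, i = {}, 0
    while i < len(data):
        t, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2:
            raise ValueError("malformed RADIUS attribute")
        out[t] = data[i + 2:i + length]
        i += length
    return out


def build_access_request(ident, username, password, secret):
    """Firewall side of step 4: wrap the credentials in an Access-Request."""
    auth = os.urandom(16)  # Request Authenticator must be unpredictable
    attrs = _attrs([(ATTR_USER_NAME, username.encode()),
                    (ATTR_USER_PASSWORD, hide_password(password.encode(), secret, auth))])
    return struct.pack("!BBH", CODE_ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs


def radius_server_handle(packet, secret):
    """Stand-in for the external RADIUS server (step 5)."""
    _, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth, attrs = packet[4:20], _parse_attrs(packet[20:length])
    user = attrs[ATTR_USER_NAME].decode()
    pw = reveal_password(attrs[ATTR_USER_PASSWORD], secret, req_auth)
    known = RADIUS_USERS.get(user)
    ok = known is not None and pw != b"" and hmac.compare_digest(known.encode(), pw)
    hdr = struct.pack("!BBH", CODE_ACCESS_ACCEPT if ok else CODE_ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return hdr + hashlib.md5(hdr + req_auth + secret).digest()


def verify_response(response, request, secret):
    """Firewall side: accept only a reply signed with the shared secret for this request."""
    hdr, resp_auth = response[:4], response[4:20]
    expected = hashlib.md5(hdr + request[4:20] + response[20:] + secret).digest()
    return hdr[1] == request[1] and hmac.compare_digest(resp_auth, expected)


def ldap_simple_bind(username, password):
    """Stand-in for the directory server verifying a simple bind (step 5)."""
    entry = DIRECTORY.get(username)
    return bool(entry) and password != "" and entry.get("password") == password


def firewall_authenticate(username, password):
    """Steps 2 to 5: learn the method, relay the credentials, return (method, success)."""
    entry = DIRECTORY.get(username)
    if entry is None:
        return None, False
    if entry["method"] == "radius":
        request = build_access_request(7, username, password, RADIUS_SECRET)
        response = radius_server_handle(request, RADIUS_SECRET)
        accepted = verify_response(response, request, RADIUS_SECRET) and response[0] == CODE_ACCESS_ACCEPT
        return "radius", accepted
    return "ldap", ldap_simple_bind(username, password)


if __name__ == "__main__":
    for user, pw in [("alice", "alice-pw"), ("alice", "wrong"), ("bob", "bob-ldap-pw"), ("carol", "x")]:
        print(user, firewall_authenticate(user, pw))
```

Because both servers are in-process stand-ins, the example shows the message shapes and the checks rather than any real SMC configuration; in a deployment the Access-Request travels over UDP to the RADIUS server and the bind over LDAP to the directory, and the firewall's verification of the Response Authenticator is what ties each reply back to the request it answers.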