User authentication configuration overview

Authentication Method elements define how particular users and user groups authenticate.

Figure: Elements in the configuration

  1. User
  2. Authentication Method
  3. Active Directory Server, LDAP Server, RADIUS Authentication Server, or TACACS+ Authentication Server
  4. Firewall Policy
  5. User Group

External RADIUS or TACACS+ authentication servers are configured as RADIUS Authentication Server or TACACS+ Authentication Server elements. RADIUS or TACACS+ authentication servers can be located in any network that allows them to communicate with the firewall that has an authentication rule in its policy. Authentication Method elements are associated with authentication servers to define the allowed authentication methods for the server, or the servers that use a particular authentication method.

Authentication Method elements define the allowed authentication methods for IPv4 and IPv6 Access rules, and for the Users and User Groups. Both User and User Group elements can be used in IPv4 and IPv6 Access rules to define rules that only match connections from specific, successfully authenticated users. A specific Authentication Method definition is needed in each rule, especially when the Users and User Groups have several allowed Authentication Methods. Otherwise, the rules can allow any defined Authentication Method that is allowed for the included users.
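The effect of leaving the Authentication Method unspecified in a rule can be checked with a small model of the elements above. This is an added example, not Forcepoint code or the SMC API; the class names, field names, rule tags, and method names are constructed for illustration, and the "unmatchable" check is an assumption of this model.

```python
# Constructed model of the elements described above; names and fields are
# assumptions for illustration, not the SMC data format or API.
from dataclasses import dataclass

@dataclass
class Principal:                      # a User or User Group element
    name: str
    allowed_methods: frozenset        # Authentication Methods allowed for it

@dataclass
class AccessRule:
    tag: str
    principals: list
    required_methods: frozenset = frozenset()   # empty = no specific method in the rule

def effective_methods(rule):
    """Return the methods the rule accepts for each included user or group."""
    result = {}
    for p in rule.principals:
        if rule.required_methods:
            # Rule names specific methods: only those also allowed for the principal.
            result[p.name] = p.allowed_methods & rule.required_methods
        else:
            # No method named: any method allowed for the principal is accepted.
            result[p.name] = p.allowed_methods
    return result

def audit(rules):
    """Flag rules that accept several methods, or (model assumption) none at all."""
    findings = []
    for rule in rules:
        for name, methods in effective_methods(rule).items():
            if not rule.required_methods and len(methods) > 1:
                findings.append((rule.tag, name, "unpinned", sorted(methods)))
            elif rule.required_methods and not methods:
                findings.append((rule.tag, name, "unmatchable", []))
    return findings

# Constructed sample data.
admins = Principal("Admins", frozenset({"RADIUS-OTP", "LDAP-Password"}))
staff = Principal("Staff", frozenset({"LDAP-Password"}))
RULES = [
    AccessRule("@1", [admins]),                              # no method named
    AccessRule("@2", [admins], frozenset({"RADIUS-OTP"})),   # specific method named
    AccessRule("@3", [staff], frozenset({"RADIUS-OTP"})),    # method not allowed for Staff
    AccessRule("@4", [staff]),                               # only one allowed method
]

if __name__ == "__main__":
    for finding in audit(RULES):
        print(finding)
```

Rule `@1` is the case the paragraph warns about: Admins have two allowed methods, so the rule accepts the password method as readily as the one-time-password method.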

Follow these general steps to configure user authentication:

  1. (Optional) Create server elements and Authentication Method elements for external authentication services.
  2. Add an authentication requirement to the relevant IPv4 or IPv6 Access rules.
  3. (Forcepoint VPN Client authentication) Install the Forcepoint VPN Client software on the end users’ computers. See the Forcepoint VPN Client documentation for more information.
  4. (Browser-based Authentication) Configure the authentication prompt:
    • Enable end users to authenticate and re-authenticate using a browser-based authentication prompt.
    • Customize the authentication prompt.