Athena NGFW (Next-Generation Firewall)

Athena NGFW (previously known as Network Secure) provides comprehensive protection for every network perimeter, ensuring the safety of your valuable assets, data, and users from emerging threats.
Version 8.0.95

Authentication Policy

Updated: 2025-12-25

If user authentication is enabled, all PCs in the authentication zone must be authenticated before they can access the Internet. Authentication Policy determines the authentication method for PCs at a given IP address, network segment, or MAC address. In Authentication Policy, set the authentication method for LAN users and the policy for adding new users.

The administrator can delete, batch edit, enable and disable, import, move up/move down, filter, and select any authentication policy.

Add: On the Authentication Policy page, click Add to add a new authentication policy.

Delete: On the Authentication Policy page, click Delete to delete an authentication policy.

Edit: On the Authentication Policy page, select the authentication policy to be edited and click the policy name. The Edit Authentication Policy dialog box is displayed. Modify the selected policy. Batch edit: select multiple custom authentication policies to edit only their applicable object; no other information can be batch-edited.

Import: Click Import to select and import an authentication policy file.

Move Up/Move Down: Policies are matched from top to bottom. Select a policy and click Move Up or Move Down to change its matching priority.

Table 19: Authentication Policy Function

The authentication policies are matched one by one from top to bottom, and you can re-prioritize them with the move options. Authentication policies therefore let you assign different authentication methods to different network segments.

Authentication Method

A device can be authenticated in the following ways:

  1. No authentication.
  2. Password authentication (including local password authentication and external server authentication).
  3. SSO: The above authentication methods are configured in Authentication Policy, and single sign-on is configured in Authentication Options.

There are three authentication methods in the Authentication Policy: None/SSO, SSO/Local or external password authentication, and SSO only.

All three authentication methods include SSO. If SSO is selected in Authentication Options, the username on a PC will be preferably used to access the Internet after SSO authentication.

  1. None/SSO

If SSO is selected in Authentication Options, the username on a PC will be preferably used to access the Internet after SSO authentication.

If SSO is not selected in Authentication Options, the device identifies the user based on the source IP address and source MAC address of the packet and the hostname. In this mode, no authentication box will pop up in the browser for the user to enter the username and password upon Internet access. Therefore, the user will not perceive the existence of the device.

Create a user requiring no authentication:

Deselect Enable user authentication on the Authentication Policy page. When creating a user, bidirectionally bind the user to an IP/MAC address so that they form a one-to-one relationship and IP/MAC-based authentication is possible. (Note that the IP/MAC address range set in Authentication Policy must include the bound IP/MAC address.)

Deselect Enable user authentication on the Authentication Policy page and take the IP address, MAC address, or hostname as the username. For authentication of LAN users, their usernames are matched based on the IP address, MAC address, or hostname.

  2. SSO/Local or external password authentication

When Enable user authentication is selected and this authentication method is used, the authentication procedure for network access is as follows if SSO authentication is not selected or fails:

a) The browser redirects the user to a page where the username and password must be entered before accessing the Internet. Assume that the username entered is "test" and the password is "password".

b) The system checks whether the user "test" is a local user. If the user exists and has a local password (that is, "Local Password" is selected in User Attributes), the system checks whether the user's local password is "password". If yes, authentication succeeds; if no, authentication fails.

c) If there is no local user "test", or the user exists but does not have a local password, the system checks on the external authentication server whether the username and password are correct. If they are correct, authentication succeeds; otherwise, authentication fails.

Local authentication takes precedence over external authentication.
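The following Python model of steps a) to c) is an added illustration, not code from the product or this guide. The local user store, the external server (a dictionary standing in for LDAP/RADIUS) and all usernames and passwords except the page's "test"/"password" pair are constructed for the example. It makes one point visible that the prose only implies: a local user who has a local password is decided locally, so a wrong password for that user fails without the external server ever being consulted, even if the external server would have accepted the credentials.

```python
"""Password authentication order for 'SSO/Local or external password authentication'.

Added illustration of steps a)-c); not product code. Plaintext passwords are a
constructed stand-in: a real user store keeps password hashes, not passwords.
"""
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class LocalUser:
    # local_password is set only when "Local Password" is selected in User Attributes
    local_password: Optional[str] = None


class ExternalServer:
    """Constructed stand-in for an external authentication server.

    It counts how often it is consulted so the local-first ordering is observable.
    """

    def __init__(self, accounts: Dict[str, str]):
        self.accounts = accounts
        self.calls = 0

    def verify(self, username: str, password: str) -> bool:
        self.calls += 1
        stored = self.accounts.get(username)
        return stored is not None and hmac.compare_digest(stored.encode(), password.encode())


def password_authenticate(username: str, password: str,
                          local_users: Dict[str, LocalUser],
                          external_verify: Callable[[str, str], bool]) -> str:
    """Return 'local', 'external' or 'failed', following steps b) and c)."""
    user = local_users.get(username)
    if user is not None and user.local_password is not None:
        # b) local user with a local password: decided locally, a mismatch fails outright
        ok = hmac.compare_digest(user.local_password.encode(), password.encode())
        return "local" if ok else "failed"
    # c) no local user, or local user without a local password: ask the external server
    return "external" if external_verify(username, password) else "failed"


# Constructed local user list; "test"/"password" is the pair used in the guide's example.
LOCAL_USERS = {
    "test": LocalUser(local_password="password"),
    "ldap-only": LocalUser(),  # exists locally but has no local password
}


def run_scenarios():
    """Run five constructed login attempts; returns (outcomes, external server call count)."""
    server = ExternalServer({"test": "serverpw", "ldap-only": "s3cret", "newuser": "hunter2"})
    outcomes = {
        "test/password": password_authenticate("test", "password", LOCAL_USERS, server.verify),
        # external server knows "test"/"serverpw", but the local password wins and fails
        "test/serverpw": password_authenticate("test", "serverpw", LOCAL_USERS, server.verify),
        "ldap-only/s3cret": password_authenticate("ldap-only", "s3cret", LOCAL_USERS, server.verify),
        "newuser/hunter2": password_authenticate("newuser", "hunter2", LOCAL_USERS, server.verify),
        "newuser/wrong": password_authenticate("newuser", "wrong", LOCAL_USERS, server.verify),
    }
    return outcomes, server.calls


if __name__ == "__main__":
    results, calls = run_scenarios()
    for attempt, outcome in results.items():
        print(f"{attempt:>18}: {outcome}")
    print("external server consulted", calls, "times")
```

Only the three attempts that reach step c) touch the external server; the two attempts for "test" never do, which is why a user's external-directory password stops working the moment a local password is set on the same username.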

  3. SSO only

If this option is selected, users in the address range specified in the policy must pass authentication via SSO.

Step 1. Set the Authentication Method of the specified network segment to SSO only.

Step 2. On the Authentication Options page, enable SSO. For AD SSO, SSO must also be enabled on the domain server.

Step 3. Set Excluded Users to exclude non-SSO users. These users enter usernames and passwords manually to complete authentication.

New user settings:

New users are those newly added to the device. According to Authentication Policy > New User Options (except local users), the device determines whether to add them automatically after matching their IP or MAC address against the addresses in the Authentication Policy.

Users who pass the authentication can be automatically added. These users include users requiring no authentication and named with IP address, MAC address, or hostname, as well as SSO/external password-authenticated users.

Three options are available for the administrator to add the new users: Added to specified local group, Added as guest account (not added to any local group), and No authentication for new users.

Select Authentication Zone

Before setting an authentication policy, specify the zones for which authentication will be enabled.

Step 1. Select Enable user authentication.


Step 2. Select the Authentication Zone.


Click Save. The authentication zone is selected.

The authentication zone can be the area where the LAN interface is located. Zones are defined by whether an interface is a LAN or WAN interface. For example, if ETH2 is a WAN interface and ETH1 is a non-WAN interface, ETH2 is placed in the WAN zone and ETH1 in the LAN zone.

6.6.3.1.1.1 Configuration Case 1 of Adding Authentication Policy

Configure LDAP server-based third-party password authentication for PCs within 192.168.1.0/255.255.255.0 of the Engineering Department. New users are automatically added to the "/engineer" group and their usernames are bidirectionally bound to IP addresses. Hence, there is a one-to-one correspondence between IP addresses and usernames. Users in other LAN network segments require no authentication and take IP addresses as usernames. New users are automatically added to the "/Default group". (The external LDAP server is taken as an example here. The setting steps are similar for other types of external authentication servers.)

Step 1. Go to Policies > Authentication > User Authentication > Authentication Policy, and click Add. In the Add Authentication Policy dialog box, click Configure External Auth Server and set the LDAP authentication server.

Step 2. In the Add Authentication Policy dialog box, set the required parameters.

Name: Enter the name of the authentication policy (mandatory).

Description: Enter the description of the policy and supplementary information (optional).

IP/MAC Address: Enter an IP address, IP segment, or MAC address, which is the matching rule. If a user fails to pass the authentication when accessing the Internet via the device, the device will match the user to the corresponding Authentication Policy based on the IP or MAC address of the packets. In this example, set the value to 192.168.1.0/255.255.255.0.


Step 3. Set Authentication Method to specify how to authenticate users that meet the matching rule.

Three authentication methods are provided in Authentication Method: None/SSO, SSO/Local or external password authentication, and SSO only. (For descriptions of the three authentication methods, see the overview in this chapter.)

This example uses third-party server password authentication, so SSO/Local or external password authentication is selected.


Step 4. Set New User Options (except local users) to configure settings for new users.


If Added to specified local group is selected, the user can be automatically added to the device's user list. In Select Group, select the user group for the new user, and the user will automatically be added to this group. In this example, users are added automatically through third-party authentication to the /engineer group. Therefore, "/Engineer" is selected.

If Does not apply to new users authenticated by external LDAP server (because they can be synchronized to a corresponding group automatically) is selected, and a user authenticates through LDAP third-party authentication or SSO while an LDAP synchronization policy has been set on the device, the user is synchronized according to that LDAP synchronization policy and added to the corresponding group. This overrides the Select Group setting in the previous step.

Other user attributes include Concurrent Logins on Multiple Terminals and Bind IP/MAC.

Concurrent Logins on Multiple Terminals: You can select either Allow or Do not allow. This setting is valid for users requiring authentication only.

Bind IP/MAC: Two binding modes, unidirectional and bidirectional.

Unidirectional binding between a user and an address: The user can only use the specified address for authentication, but other users can also use this address for authentication.

Bidirectional binding between a user and an address: The user can only use a specified address for authentication, and this address can only be used by this user.

In this example, Bidirectional binding between a user and an address and Bind the IP address on initial login are selected.
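The two binding modes, and the "bind on initial login" behaviour, are easy to misread, so here is an added Python model of them. It is an illustration written for this page, not product code; the class name, the usernames and the addresses are constructed. The model applies the page's definitions literally: in both modes a bound user may only authenticate from the bound address, and only bidirectional binding additionally reserves that address for that user.

```python
"""Unidirectional vs bidirectional user/address binding (added illustration, not product code)."""
from typing import Dict, Optional, Tuple


class AddressBinder:
    """Tracks user-to-address bindings and decides whether a login attempt is allowed.

    mode: "unidirectional" or "bidirectional" (the two Bind IP/MAC modes).
    bind_on_initial_login: mirrors "Bind the IP address (or MAC address) on initial
    login"; when True, an unbound user's first successful login records the binding.
    Addresses are plain strings, so the same logic covers IP and MAC binding.
    """

    def __init__(self, mode: str, bind_on_initial_login: bool = True):
        if mode not in ("unidirectional", "bidirectional"):
            raise ValueError(f"unknown binding mode: {mode}")
        self.mode = mode
        self.bind_on_initial_login = bind_on_initial_login
        self.bindings: Dict[str, str] = {}  # user -> bound IP or MAC address

    def owner_of(self, addr: str) -> Optional[str]:
        """User that an address is bound to, if any."""
        for user, bound in self.bindings.items():
            if bound == addr:
                return user
        return None

    def check(self, user: str, addr: str) -> Tuple[bool, str]:
        """Return (allowed, reason) for an authentication attempt by user from addr."""
        bound = self.bindings.get(user)
        if bound is not None:
            # Both modes: a bound user can only use the bound address.
            if bound != addr:
                return False, f"{user} may only authenticate from {bound}"
            return True, "bound address matches"
        # The user is not bound yet.
        if self.mode == "bidirectional":
            # Bidirectional only: the address is reserved for the user it is bound to.
            owner = self.owner_of(addr)
            if owner is not None:
                return False, f"{addr} is reserved for {owner}"
        if self.bind_on_initial_login:
            self.bindings[user] = addr
            return True, f"{user} bound to {addr} on initial login"
        return True, "no binding recorded"


if __name__ == "__main__":
    # Constructed scenario: alice logs in first from .10, then bob tries the same address.
    for mode in ("unidirectional", "bidirectional"):
        binder = AddressBinder(mode)
        print(mode)
        for user, addr in (("alice", "192.168.1.10"), ("alice", "192.168.1.11"),
                           ("bob", "192.168.1.10")):
            allowed, reason = binder.check(user, addr)
            print(f"  {user}@{addr}: {'allow' if allowed else 'deny'} ({reason})")
```

The bidirectional run is the one to watch: once alice's first login binds her to 192.168.1.10, bob is refused from that address. That reservation is also why, in Configuration Case 3 below, the guide rules out bidirectional binding for automatically added non-SSO users: the auto-created IP-named user would take the address for itself and SSO could no longer be used from it.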

If you check Added as guest account (not added to any local group), new users will not be added to the user list. Instead, they can only access the Internet with the permission of casual users. Select a group from the User Group. The casual users can then access the Internet with permission from the specified group.

If you check No authentication for new users, new users are not added, and users who are not on the user list are not allowed to access the Internet if authentication fails. They only have the permission granted to users failing authentication, which is set in User Authentication > Authentication Options > Others.

Step 5. Set the authentication policy of users in other network segments. Users in other LAN network segments require no authentication and take IP addresses as usernames. New users are automatically added to the "/Default group". Edit Default Policy in the Edit Authentication Policy dialog box. Authentication Method: Select Take IP address as username in None/SSO.


New User Options (except local users): Select Added to specified local group and "/Default group/".


Authentication policies are matched from top to bottom. The two authentication policies in this example are sorted as follows.
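To make the top-to-bottom, first-match rule concrete, here is an added Python model of the lookup. It is an illustration written for this page, not product code. The policy list is constructed from the three configuration cases in this chapter placed in one ordered list with Default Policy last; the guide configures each case separately, so that combined ordering is an assumption, as are the policy names and the sample addresses. The matcher goes slightly beyond Case 1 by also handling the IP range form used in Case 2 and MAC address rules.

```python
"""Ordered, first-match authentication policy lookup (added illustration, not product code)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

_MAC_RULE = re.compile(r"([0-9a-f]{2}[:-]){5}[0-9a-f]{2}")


@dataclass(frozen=True)
class Policy:
    name: str
    ip_mac: str                 # IP segment, IP range, MAC address, or "any" for the default policy
    method: str                 # one of the three Authentication Method values
    username_from: Optional[str] = None   # for None/SSO: "ip", "mac" or "hostname"
    new_user_group: Optional[str] = None  # "Added to specified local group" target


def _norm_mac(mac: str) -> str:
    return mac.strip().lower().replace("-", ":")


def ip_mac_matches(rule: str, src_ip: str, src_mac: str) -> bool:
    """True if a packet's source IPv4 address or MAC address satisfies one IP/MAC Address rule."""
    rule = rule.strip().lower()
    if rule == "any":
        return True
    if _MAC_RULE.fullmatch(rule):                       # MAC address rule
        return _norm_mac(rule) == _norm_mac(src_mac)
    ip = ipaddress.IPv4Address(src_ip)
    if "-" in rule:                                     # IP range, e.g. 192.168.2.1-192.168.2.255
        lo, hi = (ipaddress.IPv4Address(p.strip()) for p in rule.split("-", 1))
        return lo <= ip <= hi
    # IP segment in address/mask form, e.g. 192.168.1.0/255.255.255.0 (a /24 prefix also works)
    return ip in ipaddress.IPv4Network(rule, strict=False)


def first_match(policies: List[Policy], src_ip: str, src_mac: str) -> Optional[Policy]:
    """Policies are evaluated top to bottom; the first one whose rule matches wins."""
    for policy in policies:
        if ip_mac_matches(policy.ip_mac, src_ip, src_mac):
            return policy
    return None


# Constructed ordered list combining the chapter's three cases; Default Policy must stay last.
POLICIES = [
    Policy("Engineering", "192.168.1.0/255.255.255.0",
           "SSO/Local or external password authentication", new_user_group="/engineer"),
    Policy("Marketing", "192.168.2.1-192.168.2.255", "None/SSO",
           username_from="hostname", new_user_group="/Marketing Dept"),
    Policy("AD SSO segment", "192.168.3.0/255.255.255.0", "None/SSO",
           username_from="ip", new_user_group="/Default group/"),
    Policy("Default Policy", "any", "None/SSO",
           username_from="ip", new_user_group="/Default group/"),
]


def shadowed_by_default(policies: List[Policy], src_ip: str, src_mac: str) -> Policy:
    """Same lookup with Default Policy moved to the top, to show why ordering matters."""
    reordered = [policies[-1]] + policies[:-1]
    return first_match(reordered, src_ip, src_mac)


if __name__ == "__main__":
    mac = "00:11:22:33:44:55"  # constructed sample MAC
    for ip in ("192.168.1.77", "192.168.2.200", "192.168.3.5", "10.0.0.9"):
        p = first_match(POLICIES, ip, mac)
        print(f"{ip:>14} -> {p.name}: {p.method}")
    print("with Default Policy moved to the top, 192.168.1.77 ->",
          shadowed_by_default(POLICIES, "192.168.1.77", mac).name)
```

The last line shows the failure mode the Move Up/Move Down controls exist to prevent: a catch-all policy above the specific ones swallows every packet, and the Engineering segment silently drops from password authentication to no authentication.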


6.6.3.1.1.2 Configuration Case 2 of Adding Authentication Policy

PCs with LAN IP addresses residing in 192.168.2.1-192.168.2.255 are automatically added to the "/Marketing Dept" group as new users requiring no authentication. The usernames are the hostnames and are bidirectionally bound to MAC addresses.

Step 1. In Policies > Authentication > User Authentication > Authentication Options > Obtain MAC By SNMP, set the option to obtain MAC addresses across three layers by SNMP.

Step 2. On the Authentication Policy page, click Add to enter the Add Authentication Policy dialog box. Specify Name and Description.


Step 3. Under Authentication Method, select None/SSO and select the option Take host name as username.


Step 4. In New User Options (except local users), select Added to specified local group and "/Marketing Dept" as the user group.

Select Bind IP/MAC and Bind the MAC address on initial login. In this example, the LAN spans three layers, so you need to obtain the MAC address from the switch through SNMP. Configure the setting in Policies > Authentication > User Authentication > Authentication Options > Obtain MAC By SNMP.


Step 5. Click OK to complete policy editing.


The hostname of an online PC is obtained through the NetBIOS protocol and sometimes cannot be retrieved. In this case, check the following:

Whether the NetBIOS protocol is enabled on the target PC.

Whether the target PC has configured multiple IP addresses.

Whether the NetBIOS protocol has been filtered out by the firewall on the target PC.

Whether NetBIOS protocol has been filtered out by a device in the network path.

Suppose the PC name cannot be obtained. In that case, the system will identify the PC as a temporary user and name it as Unknown Computer, which will only be displayed in the online user list and will not be added to the specified local group.

If one or more Layer 3 switches sit between the online PC and the device, the real source MAC address cannot be read from the packet because each Layer 3 hop rewrites the source MAC address. To acquire the real source MAC address of an IP address, obtain the ARP table of the Layer 3 switch nearest to the PC (the gateway the PC points to) via SNMP.

6.6.3.1.1.3 Configuration Case 3 of Adding Authentication Policy

PCs in the LAN segment 192.168.3.0/255.255.255.0 are authenticated based on the AD SSO. After passing the AD domain authentication in the login system and the device's authentication, users in the AD domain can be synchronized to the device. If SSO fails on PCs in this network segment or the PCs do not log in to the domain, the IP address will be used as the username, no authentication will be required for Internet access, and the users will be added to "/Default group" automatically.

Step 1. On the Authentication Policy page, click Add to enter the Add Authentication Policy dialog box. Click Configure External Authentication Server to add an external authentication server. After that, configure LDAP User Sync.

Step 2. In the authentication policy, specify the Name and Description.


Step 3. Under Authentication Method, select None/SSO and select the option Take IP address as username.


Step 4. In New User Options (except local users), select Added to specified local group and "/Default group/" as the user group. Non-SSO users will then be added to the default group and are subject to the default group's Internet access policy.

Select Does not apply to new users authenticated by external LDAP server (because they can be synchronized to a corresponding group automatically), so AD SSO users will be added to the group set in the synchronization rule.


Bidirectional binding does not apply to this example. A non-SSO user is automatically added as a new user and bound bidirectionally to its IP/MAC address, so that address can then only be used by this user and SSO authentication will no longer be used from it. Unidirectional binding, however, is acceptable.


Step 5. Click OK to complete policy editing.
