Requirements:
A central authentication service (CAS) server is deployed in the network. This server stores user information, such as accounts and passwords. For password-based authentication, the customer wants users who log in to the IAG unit to be authenticated against the CAS server.
How CAS Server Authentication Works:
User credentials submitted to the IAG unit are forwarded to a third-party authentication server (the CAS server) and verified there. The verification result is then returned to the IAG unit and determines the outcome of user authentication. If the verification succeeds, the user is successfully authenticated on the IAG unit.
Network Topology:

Configuration Steps:
Step 1. Ensure that the CAS server is deployed correctly in the network and obtain the CAS server account and the URL used to connect to the CAS server (URL example: https://ip:8443/cas/login).
Step 2. Deploy the IAG unit in Route mode and configure the matching deployment mode on the IAG Web Admin console. A static route must be configured if the intranet is a layer 3 network.
Step 3. Add a third-party auth system in Access Mgt > Authentication > Web Authentication > Authentication Server and configure the relevant parameters. Specify a name for the new authentication system, set the URL to the one obtained in Step 1, keep the default keyword value, and select cas2.0 in the Version field.
If the CAS server version is earlier than V4.0.0, the Version field should be cas2.0; if the server version is later than V4.0.0, the Version field should be cas3.0. In this case, the CAS server version is earlier than V4.0.0.
Step 4. Create an authentication policy in Access Mgt > Authentication > Web Authentication > Authentication Policy, configure the applicable objects as needed, and select Password based as the authentication method. In the Auth Server field, choose the third-party auth system created in Step 3, as shown in the following figure.
Step 5. When attempting to access the Internet, the internal user is redirected to the CAS authentication page, which requires the user to provide a username and password.
If the user passes the authentication against the CAS server, the user's information can be viewed in Status > Users > Online Users, which means he/she has successfully logged in to the IAG unit.
1. CAS server authentication is applicable to the following deployment modes: Route mode, Bridge mode, and Bypass mode.
2. If the CAS server is deployed between the IAG unit and the external network, the CAS server address should be added to the custom excluded address list in System > General > Global Exclusion. Otherwise, users cannot be redirected to the CAS authentication page.
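The ticket exchange that carries the "verification result" described above, and the endpoint difference behind the cas2.0/cas3.0 choice in Step 3, as an added Python illustration of the standard CAS protocol (not Sangfor IAG code; the CAS and IAG hostnames and the callback path are constructed):

```python
from urllib.parse import urlencode, urljoin
import xml.etree.ElementTree as ET

# Constructed values standing in for the URL obtained in Step 1
# (https://ip:8443/cas/login) and for the IAG unit's own callback address.
CAS_BASE = "https://cas.example.internal:8443/cas/"
SERVICE = "https://iag.example.internal/auth/cas_callback"
CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}  # namespace of CAS 2.0/3.0 responses

def login_redirect_url(cas_base: str, service: str) -> str:
    """Step 5: where the browser is sent. On success CAS redirects the user back
    to `service` carrying a short-lived, single-use service ticket (?ticket=ST-...)."""
    return urljoin(cas_base, "login") + "?" + urlencode({"service": service})

def validate_endpoint(cas_base: str, version: str) -> str:
    """The Version field from Step 3 selects the validation endpoint:
    CAS 2.0 uses /serviceValidate, CAS 3.0 uses /p3/serviceValidate."""
    path = {"cas2.0": "serviceValidate", "cas3.0": "p3/serviceValidate"}[version]
    return urljoin(cas_base, path)

def validation_request_url(cas_base: str, version: str, service: str, ticket: str) -> str:
    """Server-to-server GET the relying party makes to the CAS server. The ticket
    is only valid for the exact `service` it was issued to, and only once."""
    return validate_endpoint(cas_base, version) + "?" + urlencode({"service": service, "ticket": ticket})

def parse_validation_response(xml_text: str):
    """Returns (authenticated, username or None, failure code or None)."""
    root = ET.fromstring(xml_text)
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is not None:
        return True, success.findtext("cas:user", namespaces=CAS_NS), None
    failure = root.find("cas:authenticationFailure", CAS_NS)
    # Neither explicit success nor explicit failure: fail closed.
    return False, None, failure.get("code") if failure is not None else "MALFORMED"

# Constructed sample responses in the CAS 2.0 serviceValidate XML format.
SUCCESS_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess><cas:user>alice</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""
FAILURE_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>Ticket not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""

if __name__ == "__main__":
    print(login_redirect_url(CAS_BASE, SERVICE))
    print(validation_request_url(CAS_BASE, "cas2.0", SERVICE, "ST-1-constructed"))
    print(parse_validation_response(SUCCESS_XML), parse_validation_response(FAILURE_XML))
```

Because the validation request goes from the IAG unit to the CAS server, that traffic must not itself be redirected to the authentication page, which is why note 2 requires the CAS server address in the Global Exclusion list.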