When you configure the Firebox as an authentication server, the Firebox stores user accounts that you create to give users access to your network.
Firebox authentication is often used by organizations that do not have a third-party authentication server and do not need to manage user accounts centrally for multiple applications. Firebox authentication works with policies, all VPN types, management access, and all other Firebox features that authenticate users.
How User Authentication Works
User authentication is the process that determines whether a user is who they claim to be, and that verifies the privileges assigned to that user. On your Firebox, a user account has two parts: a user name and a passphrase. Each authenticated user is associated with an IP address. This combination of user name, passphrase, and IP address helps the device administrator to monitor connections through the device. With authentication, users can log in to the network from any computer, but get access only to the network ports and protocols for which they are authorized. The Firebox can then map the connections that start from a particular IP address and also transmit the session name while the user is authenticated.
Use Authentication with Firewall Policies and Users/Groups
You can create firewall policies to give users and groups access to specified network resources. This is useful in network environments where different users share a single computer or IP address.
To prepare your Firebox as an authentication server:
- Divide your company into groups based on the tasks people do and information they need
- Create users for the groups
- Assign groups and users to policies
About Authentication Servers
You can use the Firebox as a local authentication server, or you can use your existing Active Directory server, LDAP authentication server, or RADIUS authentication server. When you use Firebox authentication over port 4100, account privileges can be based on user name. When you use third-party authentication, account privileges for users that authenticate to the third-party authentication servers are based on the security group membership of the user.
How Authenticated Users are Tracked
The WatchGuard user authentication feature allows a user name to be associated with a specific IP address to help you authenticate and track user connections through the device. With the device, the fundamental question that is asked and answered with each connection is, Should I allow traffic from source X to go to destination Y? For the WatchGuard authentication feature to work correctly, the IP address of the user's computer must not change while the user is authenticated to the device.
Authentication, Accounting, and Access control (AAA) is supported by your Firebox, based on a stable association between an IP address and a user. In most environments, the relationship between an IP address and the user computer is stable enough to use for authentication. For environments in which the association between the user and an IP address is not consistent, such as kiosks or networks where applications are run from a terminal server, we recommend that you use the Terminal Services Agent for secure authentication. For more information, see Install and Configure the Terminal Services Agent.
About Single Sign-On (SSO)
The WatchGuard user authentication feature also supports authentication to an Active Directory domain with Single Sign-On (SSO), as well as other common authentication servers. In addition, it supports inactivity settings and session time limits. These controls restrict the amount of time an IP address is allowed to pass traffic through the device before users must supply their passwords again (re-authenticate).
If you control SSO access with a white list and manage inactivity timeouts, session timeouts, and who is allowed to authenticate, you can improve your control of authentication, accounting, and access control. To make sure a user cannot authenticate, you must disable the account for that user on the authentication server.
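The following Python model is an added example, not WatchGuard code, and it does not reproduce how the Firebox stores accounts or sessions internally. It ties together the group/user/policy preparation steps above and the IP-to-user tracking with inactivity and session timeouts described in this section: a local user database with salted passphrase digests, a session table keyed by client IP, a policy check that answers "should traffic from source X go to destination Y?" from the group membership of the user bound to that IP, and an account-disable operation that blocks future logins. All class names, the constructed accounts, policies, destination labels, and the timeout values are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed sample timeouts (seconds); real values come from the Firebox configuration.
SESSION_TIMEOUT = 3600   # absolute limit on how long one authentication stays valid
IDLE_TIMEOUT = 900       # inactivity limit before the user must re-authenticate


def hash_passphrase(passphrase: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so this model never keeps a plaintext passphrase.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)


@dataclass
class UserAccount:
    name: str
    salt: bytes
    digest: bytes
    groups: frozenset
    enabled: bool = True

    @classmethod
    def create(cls, name, passphrase, groups):
        salt = os.urandom(16)
        return cls(name, salt, hash_passphrase(passphrase, salt), frozenset(groups))


@dataclass
class Policy:
    name: str
    groups: frozenset    # groups granted access by this policy
    destination: str     # constructed label for a destination host or network
    port: int


@dataclass
class Session:
    user: str
    start: float         # time the user authenticated
    last_seen: float     # last time allowed traffic was seen from this IP


class FireboxAuthModel:
    """Hypothetical model of the user database plus the IP-to-user session table."""

    def __init__(self, accounts, policies,
                 session_timeout=SESSION_TIMEOUT, idle_timeout=IDLE_TIMEOUT):
        self.accounts = {a.name: a for a in accounts}
        self.policies = policies
        self.session_timeout = session_timeout
        self.idle_timeout = idle_timeout
        self.sessions = {}   # source IP -> Session: one authenticated user per IP

    def login(self, name, passphrase, ip, now):
        """Check user name + passphrase and bind the user to the client IP."""
        acct = self.accounts.get(name)
        if acct is None or not acct.enabled:
            return False
        if not hmac.compare_digest(acct.digest, hash_passphrase(passphrase, acct.salt)):
            return False
        # A new login replaces whichever user was previously bound to this IP.
        self.sessions[ip] = Session(name, now, now)
        return True

    def disable_account(self, name):
        """Disabling the account on the authentication server stops future logins."""
        self.accounts[name].enabled = False

    def session_for(self, ip, now):
        """Return the live session for an IP, dropping it if a timeout has passed."""
        s = self.sessions.get(ip)
        if s is None:
            return None
        if now - s.start > self.session_timeout or now - s.last_seen > self.idle_timeout:
            del self.sessions[ip]   # the user must re-authenticate
            return None
        return s

    def allow(self, src_ip, destination, port, now):
        """Should traffic from source IP X go to destination Y on this port?
        Decided by the user bound to X and the groups named in the policies."""
        s = self.session_for(src_ip, now)
        if s is None:
            return False
        groups = self.accounts[s.user].groups
        for p in self.policies:
            if p.destination == destination and p.port == port and groups & p.groups:
                s.last_seen = now   # allowed traffic resets the inactivity timer
                return True
        return False


def build_demo():
    # Constructed accounts and policies following the prepare-the-server steps:
    # groups by task, users in the groups, groups assigned to policies.
    accounts = [
        UserAccount.create("alice", "alice-pass", ["engineering"]),
        UserAccount.create("bob", "bob-pass", ["finance"]),
    ]
    policies = [
        Policy("Eng-SSH", frozenset({"engineering"}), "git-server", 22),
        Policy("Finance-DB", frozenset({"finance"}), "finance-db", 5432),
    ]
    return FireboxAuthModel(accounts, policies)


if __name__ == "__main__":
    fb = build_demo()
    print("alice login:", fb.login("alice", "alice-pass", "10.0.1.5", 0))
    print("alice -> git-server:22 at t=100:", fb.allow("10.0.1.5", "git-server", 22, 100))
    print("alice -> git-server:22 at t=1100 (idle):", fb.allow("10.0.1.5", "git-server", 22, 1100))
```

Two points the model makes visible: a shared computer or IP gets whichever user authenticated last, so the policy decision follows the user rather than the address; and disabling the account only prevents new logins, so a session that is already bound to an IP ends when its inactivity or session timeout fires, which is why those timeouts matter for access control.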
Authentication and IPv6 Support
If you have configured your device with an IPv6 address, you can use the IPv6 address for Firebox authentication over port 4100. You can also use your device to make IPv6 connections to clients with IPv6 addresses when you use a third-party authentication server with an IPv4 address, such as a RADIUS server.
To troubleshoot user authentication, we recommend that you create a test policy. Next, try to authenticate to the Firebox as a user who is a member of the group specified in the test policy.