User authentication is a process that verifies that a user is who he or she claims to be, and determines the privileges assigned to that user. On your Firebox, a user account has two parts: a user name and a passphrase. Each authenticated user is associated with an IP address. This combination of user name, passphrase, and IP address helps the device administrator to monitor connections through the device. With authentication, users can log in to the network from any computer, but get access to only the network ports and protocols for which they are authorized. The Firebox can then map the connections that start from a particular IP address and also transmit the session name while the user is authenticated.
You can create firewall policies to give users and groups access to specified network resources. This is useful in network environments where different users share a single computer or IP address.
You can configure your device as a local authentication server, or use your existing Active Directory or LDAP authentication server, or an existing RADIUS authentication server. When you use Firebox authentication over port 4100, account privileges can be based on user name. When you use third-party authentication, account privileges for users that authenticate to the third-party authentication servers are based on the security group membership of the user.
If you have configured your device with an IPv6 address, you can use the IPv6 address for Firebox authentication over port 4100. You can also use your device to make IPv6 connections to clients with IPv6 addresses when you use a third-party authentication server with an IPv4 address, such as a RADIUS server.
The WatchGuard user authentication feature allows a user name to be associated with a specific IP address to help you authenticate and track user connections through the device. With the device, the fundamental question that is asked and answered with each connection is: "Should I allow traffic from source X to go to destination Y?" For the WatchGuard authentication feature to work correctly, the IP address of the user's computer must not change while the user is authenticated to the device.
Authentication, Accounting, and Access control (AAA) is supported by your Firebox, based on a stable association between an IP address and a user. In most environments, the relationship between an IP address and the user computer is stable enough to use for authentication. For environments in which the association between the user and an IP address is not consistent, such as kiosks or networks where applications are run from a terminal server, we recommend that you use the Terminal Services Agent for secure authentication. For more information, see Install and Configure the Terminal Services Agent.
The WatchGuard user authentication feature also supports authentication to an Active Directory domain with Single Sign-On (SSO), as well as other common authentication servers. In addition, it supports inactivity settings and session time limits. These controls restrict the amount of time an IP address is allowed to pass traffic through the device before users must supply their passwords again (re-authenticate).
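The following is an added illustration, not WatchGuard code, of the model described above: the device keeps a table of authenticated sessions keyed by source IP address, answers "allow traffic from source X to destination Y?" from the group membership of the user mapped to X, and expires the mapping on a session or inactivity timeout so the user must re-authenticate. Group names, networks, and timeout values are constructed for the example.

```python
"""Model of IP-address-to-user authentication sessions with group-based policies."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Session:
    user: str
    groups: frozenset           # security groups the user belongs to
    login: float                # time the user authenticated (seconds)
    last_seen: float            # last time traffic was seen from this IP


@dataclass
class AuthTable:
    session_timeout: float = 8 * 3600   # constructed default: 8 hours
    idle_timeout: float = 30 * 60       # constructed default: 30 minutes
    sessions: dict = field(default_factory=dict)   # source IP -> Session

    def authenticate(self, ip, user, groups, now):
        # One user per IP address: a new login from the same IP replaces the old mapping.
        self.sessions[ip] = Session(user, frozenset(groups), now, now)

    def lookup(self, ip, now):
        """Return the Session for ip, or None if there is none or it has expired."""
        s = self.sessions.get(ip)
        if s is None:
            return None
        if now - s.login > self.session_timeout or now - s.last_seen > self.idle_timeout:
            del self.sessions[ip]       # expired: the user must re-authenticate
            return None
        s.last_seen = now               # traffic seen, so reset the inactivity clock
        return s


# Constructed policies: which groups may reach which destination network.
POLICIES = [
    ({"Engineering"}, ip_network("10.0.20.0/24")),
    ({"Finance"}, ip_network("10.0.30.0/24")),
]


def allow(table, src_ip, dst_ip, now):
    """Should traffic from src_ip go to dst_ip? Decided by the authenticated user's groups."""
    s = table.lookup(src_ip, now)
    if s is None:
        return False                    # unauthenticated, moved IP, or timed out
    dst = ip_address(dst_ip)
    return any(dst in net and bool(s.groups & grps) for grps, net in POLICIES)
```

A user who moves to a different computer (and therefore a different source IP) is treated as unauthenticated until they log in again from that address.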
If you control SSO access with a white list and manage inactivity timeouts, session timeouts, and who is allowed to authenticate, you can improve your control of authentication, accounting, and access control.
To make sure a user cannot authenticate, you must disable the account for that user on the authentication server.
To troubleshoot user authentication, we recommend that you create a test policy. Next, try to authenticate to the Firebox as a user who is a member of the group specified in the test policy.