What is user authentication – WatchGuard Technologies FireboxTM System 4.6 User Manual


VPN Manager Guide

87

What is user authentication?

User authentication allows the tracking of connections based on name rather than IP
address. With authentication, it no longer matters what IP address is used or from
which machine a person chooses to work; the username defines the permissions of
the user, and follows the user from workstation to workstation.

To gain access to Internet services (such as outgoing HTTP or outgoing FTP), the user
provides authenticating data in the form of a username and password. For the
duration of the authentication, the session name is tied to connections originating
from the IP address from which the individual authenticated.

For more information about authentication, see the Network Security Handbook.

User authentication types

The WatchGuard Firebox System supports five authentication methods identified by
the server type used:

• Firebox
• Windows NT
• RADIUS
• CRYPTOCard
• SecurID

A client performs the same sequence of tasks to authenticate against any of the five
types of authentication. For the administrator, the Firebox method requires adding
usernames, passwords, and groups using Policy Manager, while the other four methods
store that data on the server that performs the authentication.

How user authentication works

A specialized HTTP server runs on the Firebox. To authenticate, clients must connect
to the authentication server using a Java-enabled Web browser pointed to
http://<IP address of any Firebox interface>:4100/

A Java applet loads a prompt for a username and password that it then passes to the
authentication server using a challenge-response protocol. Once successfully
authenticated, users minimize the Java applet and browser window and begin using
allowed network services.

As long as the Java window remains active (it can be minimized but not closed) and
the Firebox doesn’t reboot, users remain authenticated until the session times out. To
prevent an account from authenticating, disable the account on the authentication
server.

While more than one type of authentication scheme can be implemented, only
one type of authentication can be applied to a single user session.
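The session model that the two sections above describe (username and group defined by the administrator, a session bound to the IP address the user authenticated from, ended by a timeout, by closing the applet window or by a Firebox reboot, and blocked by disabling the account) can be written out as a small simulation. This is an added illustration, not WatchGuard code; the timeout value, the user and group data and all method names are constructed assumptions.

```python
"""Simulation of Firebox-style IP-bound user authentication sessions.
Added example, not WatchGuard code; all names and values are assumed."""
import hmac
from dataclasses import dataclass

SESSION_TIMEOUT = 3600  # seconds; assumed value, the real one is set by the administrator


@dataclass
class User:          # what the administrator enters in Policy Manager (Firebox method)
    password: str
    group: str
    disabled: bool = False


@dataclass
class Session:
    username: str
    started: float   # session is valid until started + SESSION_TIMEOUT


class AuthServer:
    """Sessions are keyed by the client IP address the user authenticated from."""

    def __init__(self, users, group_services):
        self.users = users                    # username -> User
        self.group_services = group_services  # group -> set of allowed services
        self.sessions = {}                    # src_ip -> Session

    def authenticate(self, username, password, src_ip, now):
        user = self.users.get(username)
        # Disabling the account on the authentication server blocks new logins.
        if user is None or user.disabled:
            return False
        if not hmac.compare_digest(user.password.encode(), password.encode()):
            return False
        self.sessions[src_ip] = Session(username, now)  # one session per client IP
        return True

    def close_window(self, src_ip):
        """Closing the applet/browser window ends that workstation's session."""
        self.sessions.pop(src_ip, None)

    def reboot(self):
        """A Firebox reboot drops every authenticated session."""
        self.sessions.clear()

    def is_allowed(self, src_ip, service, now):
        sess = self.sessions.get(src_ip)
        if sess is None:
            return False                      # connection from an unauthenticated IP
        if now - sess.started > SESSION_TIMEOUT:
            del self.sessions[src_ip]         # session timed out
            return False
        group = self.users[sess.username].group  # permissions come from the username
        return service in self.group_services.get(group, set())
```

The same username may hold sessions from several workstations, but each session is evaluated only for the IP address it was created from.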
