Related Documentation
- J Series
- Firewall User Authentication Overview
- Understanding Web Authentication
- Example: Configuring Pass-Through Authentication
- SRX Series
- Firewall User Authentication Overview
- Understanding Web Authentication
- Example: Configuring Pass-Through Authentication
- Additional Information
- Junos OS Feature Support Reference for SRX Series and J Series Devices

Understanding Pass-Through Authentication
With pass-through user authentication, when a user attempts to initiate an HTTP, an FTP, or a Telnet connection request that has a policy requiring authentication, the device intercepts the request and prompts the user to enter a username and password. Before granting permission, the device validates the username and password by checking them against those stored in the local database or on an external authentication server, as shown in Figure 1.
Note: You use family inet to assign an IPv4 address. You use family inet6 to assign an IPv6 address. An interface can be configured with both an IPv4 and an IPv6 address. For the sake of brevity, these examples use IPv4 addresses only.
Figure 1: Policy Lookup for a User

The steps in Figure 1 are as follows:
- A client user sends an FTP, an HTTP, or a Telnet packet to 1.2.2.2.
- The device intercepts the packet, notes that its policy requires authentication from either the local database or an external authentication server, and buffers the packet.
- The device prompts the user for login information through FTP, HTTP, or Telnet.
- The user replies with a username and password.
- The device either checks for an authentication user account on its local database or it sends the login information to the external authentication server as specified in the policy.
- Finding a valid match (or receiving notice of such a match from the external authentication server), the device informs the user that the login has been successful.
- The device forwards the packet from its buffer to its destination IP address 1.2.2.2.
After the device authenticates a user at a particular source IP address, it subsequently permits traffic from any other user at that same address, as specified in the policy requiring pass-through authentication. This might be the case if the user originates traffic from behind a NAT device that changes all original source addresses to a single translated address.
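The following Python model is an added example, not Junos code or part of the original documentation. It walks through the steps of Figure 1 and shows the consequence described above: the authentication entry is keyed on source IP address, so a second host behind the same NAT address is forwarded without ever logging in. The class, the user database, and all addresses other than 1.2.2.2 are constructed for illustration, and the model assumes every packet matches the one policy requiring authentication.

```python
"""Toy model of pass-through firewall authentication keyed on source IP."""
import hmac
from dataclasses import dataclass, field

# Constructed local user database; a real device may query an external server.
LOCAL_DB = {"alice": "s3cret-example"}


@dataclass
class Device:
    auth_table: set = field(default_factory=set)    # authenticated source IPs
    buffered: dict = field(default_factory=dict)    # src_ip -> packet held during login
    forwarded: list = field(default_factory=list)   # packets released to the destination

    def receive(self, src_ip, dst_ip, service):
        """Intercept a packet; forward it if the source IP is already authenticated."""
        packet = (src_ip, dst_ip, service)
        if src_ip in self.auth_table:
            self.forwarded.append(packet)
            return "forwarded"
        self.buffered[src_ip] = packet               # hold the packet and prompt
        return "prompt"

    def login(self, src_ip, username, password):
        """Validate the reply to the prompt, then release the buffered packet."""
        if src_ip not in self.buffered:
            return "no-pending-request"
        stored = LOCAL_DB.get(username)
        if stored is None or not hmac.compare_digest(stored, password):
            return "rejected"                        # packet stays buffered
        self.auth_table.add(src_ip)                  # entry is per source IP, not per user
        self.forwarded.append(self.buffered.pop(src_ip))
        return "success"


def demo():
    dev = Device()
    nat_ip = "203.0.113.10"  # constructed: translated address shared by hosts A and B
    results = [
        dev.receive(nat_ip, "1.2.2.2", "telnet"),         # host A is prompted
        dev.login(nat_ip, "alice", "wrong"),              # bad password
        dev.login(nat_ip, "alice", "s3cret-example"),     # good password
        dev.receive(nat_ip, "1.2.2.2", "http"),           # host B, never logged in
        dev.receive("198.51.100.7", "1.2.2.2", "http"),   # different source IP
    ]
    return results, dev.forwarded


if __name__ == "__main__":
    print(demo())
```
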
Note: The pass-through user authentication method is recommended in situations when security has a higher priority than convenience. This authentication method applies only to the session and child sessions matching the policy that triggered it. You can apply this method on Internet-facing links, if used with caution.