[Contents] [Prev] [Next] [Index] [Report an Error]

Web Authentication

Web Authentication is an alternate form of firewall user authentication. Instead of pointing to the resource you want to connect to from your client browser, you point the browser to an IP address on the device that is enabled for Web authentication. This initiates an HTTP session to the IP address hosting the Web Authentication feature on the device. The device then prompts you for your username and password and caches the result in the device. Later when traffic encounters a web-authentication policy, you are allowed or denied access based on the prior Web authentication results as shown in Figure 23.

Figure 23: Web Authentication Example

Image webauth_prepol_chk.gif

Follow these Web Authentication guidelines:

You can leave the default Web Authentication server as the local database or you can choose an external auth server for the role. The default Web Authentication profile determines if the user authenticates using the local database or the external authentication server. An access profile stores usernames and passwords of users or points to external authentication servers where such information is stored.
The Web Authentication address must be in the same subnet as the interface that you want to use to host it. For example, if you want authentication users to connect using Web Authentication through ethernet3, which has IP address 1.1.1.1/24, then you can assign Web Authentication an IP address in the 1.1.1.0/24 subnet.
You can put a Web Authentication address in the same subnet as the IP address of any physical interface or virtual security interface (VSI). (For information about different types of interfaces, see Security Zones and Interfaces.)
You can put Web Authentication addresses on multiple interfaces.
After a device authenticates a user at a particular source IP address, it subsequently permits traffic—as specified in the policy requiring authentication through Web Authentication—from any other user at that same address. This might be the case if the user originates traffic from behind a NAT device that changes all original source addresses to a single translated address.
With Web Authentication enabled, any HTTP traffic to the IP address will get the Web Authentication login page instead of the admin login page. Disabling this option will show the admin login page (assuming that [system services web-management HTTP] is enabled.
We recommend that you have a separate primary or preferred IP address, if an address is used for Web Authentication.

[Contents] [Prev] [Next] [Index] [Report an Error]