Stormshield SN series Configuration Manual page 48
Certificate authority (C.A): This field displays the certificates you wish to trust and which you will use.
It is possible to modify the subject field of the certificate that will be used for finding the user in the LDAP directory. The LDAP field used for the search can also be modified. By default, the e-mail address is used in both cases. These settings can be configured in the CLI.
RADIUS

RADIUS is a standard authentication protocol running in client-server mode. It allows network access to be defined for remote users. The protocol relies on a server linked to an identification database (e.g. an LDAP directory). The Stormshield Network firewall can act as a RADIUS client and can therefore forward authentication requests, for users wishing to pass through the Firewall, to an external RADIUS server. The user will only be authenticated on the Firewall if the RADIUS server accepts the authentication request sent by the Firewall.
All RADIUS transactions (communications between the Firewall and the RADIUS server) are themselves authenticated using a pre-shared secret, which is never transmitted over the network. This same secret is also used to encrypt the user password as it passes between the Firewall and the RADIUS server.
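The following is an added example, not Stormshield's code and not part of this manual, showing how a RADIUS client uses the pre-shared secret in the two ways just described: the secret is mixed into an MD5 keystream that hides the User-Password attribute (RFC 2865 section 5.2), and it is mixed into the Response Authenticator so the client can check that a reply really came from a server holding the same secret (RFC 2865 section 3). The secret, user name, password and the fixed authenticator used in the demo are constructed values.

```python
"""Added example (not Stormshield's code): how the RADIUS pre-shared secret
authenticates transactions and hides the user password without ever being
sent on the wire. Packet layout: Code(1) Identifier(1) Length(2)
Authenticator(16) Attributes."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: NUL-pad the password to a multiple of 16 bytes,
    then XOR each block with MD5(secret + previous block); the 'previous
    block' of the first segment is the 16-byte Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * ((-len(password)) % 16)
    if not padded:                      # empty password still needs one segment
        padded = b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def unhide_password(hidden, secret, authenticator):
    """Server-side inverse of hide_password; the chaining value is the
    received ciphertext block. Trailing NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLVs: Type(1) Length(1) Value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def build_access_request(ident, username, password, secret, authenticator=None):
    """Return (packet, request_authenticator). The client must keep the
    authenticator: it is needed to verify the server's reply."""
    authenticator = authenticator or os.urandom(16)
    attrs = encode_attrs([
        (ATTR_USER_NAME, username),
        (ATTR_USER_PASSWORD, hide_password(password, secret, authenticator)),
    ])
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 section 3:
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_access_accept(ident, request_auth, secret, attrs=b""):
    """What a server that shares the secret sends back for an accepted request."""
    auth = response_authenticator(ACCESS_ACCEPT, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs)) + auth + attrs


def verify_reply(reply, request_auth, secret):
    """Client-side check before trusting a reply: recompute the Response
    Authenticator. A mismatch means the reply was not produced with the shared
    secret for this request (wrong server, replay or tampering) and is dropped."""
    if len(reply) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        return False
    expected = response_authenticator(code, ident, reply[20:], request_auth, secret)
    return hmac.compare_digest(reply[4:20], expected)


if __name__ == "__main__":
    secret = b"constructed-example-secret"      # constructed value, not a real key
    pkt, auth = build_access_request(1, b"alice", b"correct horse", secret)
    print("Access-Request:", pkt.hex())
    reply = build_access_accept(1, auth, secret)
    print("reply verifies:", verify_reply(reply, auth, secret))
    print("reply forged without the secret verifies:", verify_reply(reply, auth, b"other"))
```

Two things the code makes visible: the server cannot recover the password, and the client cannot accept a reply, unless both hold the same secret, which is why the manual has you enter the key on both the main and backup server entries. The MD5-based hiding is only as strong as the secret and the randomness of the Request Authenticator, so a long, random pre-shared key matters.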
After having selected your authentication method from the left column, you may enter information about it in the right column, which sets out the following elements:

Access to the server

When the RADIUS method is selected, RADIUS authentication will be enabled. This menu will allow you to specify information relating to the external RADIUS server used and a backup RADIUS server. For each of them, the configuration requires the following information:

Server: IP address of the RADIUS server.
Port: Port used by the RADIUS server. By default, the port 1812/UDP named RADIUS is selected.
Pre-shared key: Key used for encrypting exchanges between the firewall and the RADIUS server.

Backup server
Server: IP address of the backup server.
Port: Port used by the backup server if the main server is no longer available. By default, the port 1812/UDP named RADIUS is selected.
Pre-shared key: Key used for encrypting exchanges between the firewall and the backup server.

REMARK
The Firewall will attempt to connect twice to the "main" RADIUS server, and in the event of failure, will attempt to connect twice to the "backup" RADIUS server. If the backup RADIUS server responds, it will become the main RADIUS server. After 600 seconds, a new switch will take place, and the original "main" RADIUS server will become the "main" server again.

Kerberos

Kerberos is different from other authentication methods. Instead of letting authentication take place between each client host and each server, Kerberos uses symmetric encryption and a trusted third party, the Key Distribution Center (KDC), to authenticate users on a network.
During the authentication process, the Stormshield Network Firewall acts as a client which requests authentication on behalf of the user. This means that even if the user has already
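The main/backup switching described in the remark under "Access to the server" is easy to get wrong when monitoring a firewall, so the following added example (not Stormshield's code and not from this manual) models that behaviour with the transport and the clock injected: two attempts on the current "main" server, two on the other, promotion of the backup when it answers, and automatic reversion to the original main after 600 seconds. The attempt counts and the 600-second delay are the manual's figures; the event log, the 192.0.2.x documentation addresses and the assumption that the backup stays "main" until the timer expires even if the original server answers in the meantime are mine.

```python
"""Added example (not Stormshield's code): main/backup RADIUS server selection
as the manual describes it, with an event log a defender can feed to monitoring
so that silent failovers do not go unnoticed."""
import time

ATTEMPTS_PER_SERVER = 2     # manual: two attempts on main, then two on backup
FALLBACK_DELAY_S = 600      # manual: original main becomes main again after 600 s


class RadiusFailover:
    def __init__(self, main, backup, send, clock=time.monotonic):
        # main/backup are (ip, port) tuples, e.g. ("192.0.2.1", 1812) (constructed)
        self.main, self.backup = main, backup
        # send(server, request) -> reply bytes, or None when the server did not answer
        self.send = send
        self.clock = clock
        self.active = main          # server currently treated as "main"
        self.switched_at = None     # time at which the backup was promoted
        self.events = []            # (event, time, server) records for monitoring

    def _revert_if_due(self):
        """After FALLBACK_DELAY_S on the backup, the original main is main again."""
        if self.active == self.backup and self.clock() - self.switched_at >= FALLBACK_DELAY_S:
            self.active = self.main
            self.switched_at = None
            self.events.append(("fallback-to-main", self.clock(), self.main))

    def authenticate(self, request):
        """Try the active server twice, then the other twice. Returns the reply,
        or None when both stayed silent (the user is then NOT authenticated)."""
        self._revert_if_due()
        order = [self.main, self.backup] if self.active == self.main else [self.backup, self.main]
        for server in order:
            for _ in range(ATTEMPTS_PER_SERVER):
                reply = self.send(server, request)
                if reply is not None:
                    if server == self.backup and self.active != self.backup:
                        # backup answered while main was active: backup becomes "main"
                        self.active = self.backup
                        self.switched_at = self.clock()
                        self.events.append(("failover-to-backup", self.clock(), self.backup))
                    return reply
        self.events.append(("no-radius-response", self.clock(), None))
        return None


if __name__ == "__main__":
    # Offline demo with a constructed transport: main is down, backup answers.
    main, backup = ("192.0.2.1", 1812), ("192.0.2.2", 1812)
    down = {main}
    fo = RadiusFailover(main, backup,
                        lambda srv, req: None if srv in down else b"Access-Accept")
    print(fo.authenticate(b"Access-Request"))   # b'Access-Accept' via the backup
    for event in fo.events:
        print(event)
```

The "no-radius-response" event is the one worth alerting on: with both servers silent the firewall has no answer, and the manual is explicit that a user is authenticated only when the RADIUS server accepts the request, so users will simply be refused.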
SNS - USER CONFIGURATION MANUAL V.3
sns-en-user_configuration_manual-v3 - Copyright © Stormshield 2016
AUTHENTICATION