Watchguard SSL 1000 User Manual page 72

Configuring Authentication and Authorization
Communications between the Firebox SSL VPN Gateway and authentication servers.
If a user is not located on an authentication server or fails authentication on that server, the Firebox SSL
VPN Gateway checks the user against the local user
on the Firebox SSL VPN Gateway is selected on the Authentication > Settings tab.
Communication between the client, the Firebox SSL VPN Gateway, and the local user account.
After a user is authenticated, the Firebox SSL VPN Gateway performs a group authorization check by
obtaining the user's group information from either an LDAP server, a RADIUS server, a Windows NT 4.0
server (for NTLM authorization), or the local group file (if not available on the LDAP or RADIUS server). If
group information is available for the user, the Firebox SSL VPN Gateway then checks the network
resources allowed for the group. LDAP authorization works with all supported authentication methods.
You can configure the Firebox SSL VPN Gateway to obtain an authenticated user's group(s) from an
LDAP server. If the user is not located on the LDAP server, the Firebox SSL VPN Gateway checks its local
group file
if the check box Use the local user database on the Firebox SSL VPN Gateway is
selected on the Authentication > Settings tab.
The group names obtained from the LDAP server are compared with the group names created locally
on the Firebox SSL VPN Gateway. If the two group names match, the properties of the local group apply
to the group obtained from the LDAP server.
62
list, if the check box Use the local user database
Firebox SSL VPN Gateway