User Authentication - Alcatel-Lucent Security Management Server (SMS) Release 9.4 Technical Overview

Alcatel-Lucent VPN Firewall Brick

User Authentication

Overview
Strong user authentication is often a critical component of a security architecture. If a
resource must be accessed, perhaps it is reasonable to maintain an audit trail of who
accessed it and when, so any malfeasance may be traced back to an individual.

Users are collected into objects called User Groups. As discussed in the Stateful Packet
Filtering section above, User Groups may be used as matching criteria in a firewall
rule. This allows the administrator to configure sets of rules that apply only to users in
a given User Group, once the users have authenticated.

Every user in a User Group may have their own individual mechanism for
authentication. Default authentication mechanisms are also provided for those who do
not wish to recopy user lists stored in external databases; the authentication requests
are simply passed through to the default server, if so configured.

The Brick device supports three types of general-purpose authentication verification
mechanisms:
• SecurID/ACE Server (RSA)
• RADIUS protocol authentication and accounting server access
• Local Password Database

Additionally, VPN Certificate authentication is available, for use only with the VPN
Client.

Windows domain authentication can be supported via certain RADIUS server
implementations.

One additional feature is the ability to receive parameters from a RADIUS server.
Certain parameters, in addition to success or failure of authentication, may be returned
from a RADIUS server. The Brick allows those parameters to be used within the scope
of the Brick's security mechanisms. Parameters which may be configured via RADIUS
are:
• Authentication Timeout
• User Group
• Local IP address (Client VPN only)
• DNS primary and secondary servers (Client VPN only)
• WINS primary and secondary servers (Client VPN only)

Authentication may be used with either of two authentication processes: firewall
authentication and VPN Client user authentication.
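
Because RADIUS-returned parameters such as User Group and Authentication Timeout feed directly into policy, a reply should be integrity-checked before any of them is used. The sketch below is an added example, not code from this manual or from the product: it verifies an Access-Accept's Response Authenticator (RFC 2865) and only then extracts parameters. The attribute-to-parameter mapping, the function names and the sample values are assumptions, since the manual does not name the attributes involved.

```python
import hashlib, hmac, ipaddress, struct

# Assumed mapping (not from the manual): RFC 2865 attributes and RFC 2548
# Microsoft VSAs standing in for the parameters the Brick accepts.
STD = {27: "auth_timeout", 25: "user_group", 8: "local_ip"}
MS_VENDOR = 311
MS = {28: "dns_primary", 29: "dns_secondary", 30: "wins_primary", 31: "wins_secondary"}

def build_accept(ident, req_auth, secret, attrs):
    """Constructed test server: emit an Access-Accept (code 2) carrying attrs."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    head = struct.pack("!BBH", 2, ident, 20 + len(body))
    return head + hashlib.md5(head + req_auth + body + secret).digest() + body

def vsa(vtype, value):  # wrap a Microsoft vendor-specific value in attribute 26
    return (26, struct.pack("!IBB", MS_VENDOR, vtype, len(value) + 2) + value)
def decode(name, v):
    if name == "user_group":
        return v.decode("utf-8")
    if len(v) != 4:
        raise ValueError("bad length for " + name)
    n = struct.unpack("!I", v)[0]  # seconds, or an IPv4 address as an integer
    return n if name == "auth_timeout" else str(ipaddress.IPv4Address(n))

def parse_accept(pkt, ident, req_auth, secret):
    """Return the returned parameters; raise ValueError if the reply is untrusted."""
    if len(pkt) < 20:
        raise ValueError("short packet")
    code, rid, length = struct.unpack("!BBH", pkt[:4])
    if code != 2 or rid != ident or length != len(pkt):
        raise ValueError("not the Access-Accept for this request")
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    want = hashlib.md5(pkt[:4] + req_auth + pkt[20:] + secret).digest()
    if not hmac.compare_digest(want, pkt[4:20]):
        raise ValueError("Response Authenticator mismatch")
    out, i = {}, 20
    while i < length:
        if i + 2 > length or pkt[i + 1] < 2 or i + pkt[i + 1] > length:
            raise ValueError("malformed attribute")
        t, v, table = pkt[i], pkt[i + 2:i + pkt[i + 1]], STD
        i += pkt[i + 1]
        if t == 26 and len(v) >= 6 and v[:4] == struct.pack("!I", MS_VENDOR):
            t, v, table = v[4], v[6:4 + v[5]], MS
        if t in table:
            out[table[t]] = decode(table[t], v)
    return out

# Constructed sample reply; none of these values come from the manual.
SAMPLE = build_accept(7, bytes(16), b"constructed-secret", [(25, b"vpn-users"),
    (27, struct.pack("!I", 900)), vsa(28, bytes([10, 0, 0, 53]))])
```

A reply whose User Group attribute is altered in transit fails the authenticator check and is rejected before any parameter reaches policy.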
260-100-022R9.4
Issue 1, June 2009
Security Appliance
1-17
