Realm & Settings Rule Conditions

The Realm & Settings tab page enables you to choose a realm or realm sequence to which to apply the identity rule. If you are using captive portal, you have additional options.

Authentication Realm

From the Realm list, click a realm or realm sequence.

The realm or realm sequence containing the users you want to perform the specified Action on. You must fully configure a realm or realm sequence before selecting it as the realm in an identity rule.

Note

If remote access VPN is enabled and your deployment is using a RADIUS server group for VPN authentication, make sure you specify the realm associated with this RADIUS server group.

Active authentication only: other options

If you either choose Active Authentication as the authentication type or check the box Use active authentication if passive or VPN identity cannot be established, you have the following options.

Use active authentication if passive or VPN identity cannot be established

(Passive authentication rule only.) Selecting this option authenticates users using captive portal active authentication if a passive or a VPN authentication fails to identify them. You must configure an Active Authentication rule in your identity policy in order to select this option. (That is, users must authenticate using the captive portal.)

If you disable this option, users that do not have a VPN identity or that passive authentication cannot identify are identified as Unknown.

Also see the discussion of the Authentication Realm list later in this topic.

Identify as Special Identities/Guest if authentication cannot identify user

Selecting this option allows users who fail captive portal active authentication the specified number of times to access your network as a guest. These users appear in the management center identified by their username (if their username exists on the AD or LDAP server) or by Guest (if their user name is unknown). Their realm is the realm specified in the identity rule. (By default, the number of failed logins is 3.)

This field is displayed only if you configure Active Authentication (that is, captive portal authentication) as the rule Action.

Authentication Protocol

The method to use to perform captive portal active authentication. An example of what users see when logging in with a response page is shown in Create a Sample Identity Policy with an Active Authentication Rule.

The selections vary depending on the type of realm, LDAP or AD:

  • Choose HTTP Basic if you want to authenticate users using an unencrypted HTTP Basic Authentication (BA) connection. Users log in to the network using their browser's default authentication pop-up window.

    Most web browsers cache the credentials from HTTP Basic logins and use the credentials to seamlessly begin a new session after an old session times out.

  • Choose NTLM to authenticate users using an NT LAN Manager (NTLM) connection. This selection is available only when you select an AD realm. If transparent authentication is configured in a user's browser, the user is automatically logged in. If transparent authentication is not configured, users log in to the network using their browser's default authentication pop-up window.

  • Choose Kerberos to authenticate users using a Kerberos connection. This selection is available only when you select an AD realm for a server with secure LDAP (LDAPS) enabled. If transparent authentication is configured in a user's browser, the user is automatically logged in. If transparent authentication is not configured, users log in to the network using their browser's default authentication pop-up window.

    Note

    The Realm you select must be configured with an AD Join Username and AD Join Password to perform Kerberos captive portal active authentication.

    Note

    If you are creating an identity rule to perform Kerberos captive portal and you have DNS resolution configured, you must configure your DNS server to resolve the fully qualified domain name (FQDN) of the captive portal device. The FQDN must match the host name you provided when configuring DNS.

    For threat defense devices, the FQDN must resolve to the IP address of the routed interface used for captive portal.

  • Choose HTTP Negotiate to allow the captive portal server to choose between HTTP Basic, Kerberos, or NTLM for the authentication connection. This type is available only when you select an AD realm.

    Note

    The Realm you choose must be configured with an AD Join Username and AD Join Password for HTTP Negotiate to choose Kerberos captive portal active authentication.

    Note

    If you are creating an identity rule to perform HTTP Negotiate captive portal and you have DNS resolution configured, you must configure your DNS server to resolve the fully qualified domain name (FQDN) of the captive portal device. The FQDN of the device you are using for captive portal must match the hostname you provided when configuring DNS.

  • Choose HTTP Response Page to enable users to choose a realm to log in to.

    You can optionally customize the response page; for example, to conform to company style standards.

Active Authentication Realm

(Passive authentication rule only.) If you clicked Use active authentication if passive or VPN identity cannot be established, you must click the name of a realm or realm sequence. The availability of a realm or realm sequence is determined by your choice for Authentication Protocol as follows:

  • HTTP Basic or HTTP Response Page authentication protocol: You can choose either a realm or a realm sequence.

  • NTLM, Kerberos, or HTTP Negotiate authentication protocol: You can choose a realm only. You cannot choose a realm sequence.
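The protocol, realm-type, realm-sequence, AD join and FQDN constraints described under Authentication Protocol and Active Authentication Realm can be checked before a policy is deployed. The following is an added example of such a pre-deployment lint; it is not part of this documentation or of the management center's own software, and the dataclass fields, constant names and sample values (realm names, the portal FQDN, the interface address and the DNS table) are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constraints taken from the Authentication Protocol and Active Authentication
# Realm descriptions above. Constant and field names are assumptions.
AD_REALM_ONLY = {"NTLM", "Kerberos", "HTTP Negotiate"}      # not offered for LDAP realms
NO_REALM_SEQUENCE = {"NTLM", "Kerberos", "HTTP Negotiate"}  # a single realm only
NEEDS_AD_JOIN = {"Kerberos", "HTTP Negotiate"}              # AD Join Username and Password
NEEDS_PORTAL_FQDN = {"Kerberos", "HTTP Negotiate"}          # FQDN must resolve to the portal
CLEARTEXT = {"HTTP Basic"}                                  # credentials sent unencrypted

Finding = Tuple[str, str, str]  # (severity, code, message)


@dataclass
class Realm:
    name: str
    kind: str                        # "AD" or "LDAP"
    ldaps: bool = False              # secure LDAP (LDAPS) enabled on the realm's server
    ad_join_username: Optional[str] = None
    ad_join_password: Optional[str] = None


@dataclass
class IdentityRule:
    action: str                      # "Active Authentication" or "Passive Authentication"
    protocol: str                    # one of the Authentication Protocol choices
    realm: Realm                     # realm (or first realm of the sequence) the rule uses
    is_sequence: bool = False        # True if a realm sequence was selected
    fallback_to_active: bool = False # "Use active authentication if passive or VPN identity cannot be established"
    portal_fqdn: Optional[str] = None
    portal_interface_ip: Optional[str] = None  # routed interface used for captive portal


def lint_rule(rule: IdentityRule, dns: Optional[Dict[str, str]] = None) -> List[Finding]:
    """Return deployment problems for one identity rule; an empty list means consistent.

    `dns` models the resolver the captive portal device uses (None = no DNS
    resolution configured, so the FQDN requirement does not apply).
    """
    findings: List[Finding] = []
    active = rule.action == "Active Authentication" or rule.fallback_to_active
    if not active:
        # Pure passive rule: captive-portal options do not apply, and users that
        # passive or VPN authentication cannot identify are recorded as Unknown.
        return findings
    p, r = rule.protocol, rule.realm
    if p in AD_REALM_ONLY and r.kind != "AD":
        findings.append(("error", "AD_REALM_REQUIRED",
                         f"{p} is only offered for AD realms; {r.name} is {r.kind}"))
    if p == "Kerberos" and not r.ldaps:
        findings.append(("error", "LDAPS_REQUIRED",
                         f"Kerberos requires secure LDAP (LDAPS) on realm {r.name}"))
    if p in NO_REALM_SEQUENCE and rule.is_sequence:
        findings.append(("error", "NO_REALM_SEQUENCE",
                         f"{p} accepts a single realm, not a realm sequence"))
    if p in NEEDS_AD_JOIN and not (r.ad_join_username and r.ad_join_password):
        findings.append(("error", "AD_JOIN_MISSING",
                         f"{p} needs AD Join Username and Password on realm {r.name}"))
    if p in NEEDS_PORTAL_FQDN and dns is not None:
        # DNS resolution is configured: the portal FQDN must resolve to the
        # IP address of the routed interface used for captive portal.
        resolved = dns.get(rule.portal_fqdn or "")
        if resolved != rule.portal_interface_ip:
            findings.append(("error", "FQDN_MISMATCH",
                             f"{rule.portal_fqdn!r} resolves to {resolved!r}, "
                             f"expected {rule.portal_interface_ip!r}"))
    if p in CLEARTEXT:
        findings.append(("warning", "CLEARTEXT_CREDENTIALS",
                         "HTTP Basic sends credentials unencrypted, and browsers cache "
                         "and resend them after the session times out"))
    return findings


def codes(findings: List[Finding]) -> List[str]:
    """Just the finding codes, in the order the checks run."""
    return [code for _, code, _ in findings]


if __name__ == "__main__":
    # Constructed sample: a passive rule falling back to Kerberos captive portal.
    realm = Realm("corp.example", "AD", ldaps=True,
                  ad_join_username="svc-join", ad_join_password="PLACEHOLDER_PASSWORD")
    rule = IdentityRule("Passive Authentication", "Kerberos", realm, is_sequence=True,
                        fallback_to_active=True, portal_fqdn="portal.corp.example",
                        portal_interface_ip="10.0.0.1")
    for severity, code, msg in lint_rule(rule, {"portal.corp.example": "10.0.0.2"}):
        print(f"{severity}: {code}: {msg}")
```

Running the sample reports the realm sequence and the FQDN that resolves to the wrong address; switching the rule to a single realm and correcting the DNS record clears both. The HTTP Basic warning is deliberately kept at warning level because the page offers that protocol as a supported choice; the lint only records that the connection is unencrypted.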