Create a sample identity policy with an active authentication rule

This task shows you how to configure an identity policy with an Active Authentication rule. Active authentication prompts users for credentials through a captive portal served by the managed device, and the settings in this task control that portal.

The associated tasks show examples of configuring the rule so that authentication is performed using either a realm or a realm sequence.

The differences follow:

  • Realm enables you to use any supported authentication type (currently, HTTP Basic, NTLM, Kerberos, HTTP Negotiate, or HTTP Response Page).

  • Realm sequence limits you to only the HTTP Basic or HTTP Response Page authentication types.

    Users who authenticate with a realm sequence and the HTTP Response Page authentication type see the following by default:

    (Screenshot: the default HTTP Response Page login form for a realm sequence, with user name and password fields and the list of realms in the sequence.)

    The user can authenticate in any of the following ways:

    • If a list of realms in the realm sequence is displayed (as shown), the user must enter their user name and password in the provided fields and click the name of their realm from the list.

    • If realms are not displayed in a list, the user can enter their credentials in username@domain format.

    Users who authenticate with a realm and the HTTP Basic authentication type see the following:

    (Screenshot: the browser's HTTP Basic authentication prompt, with fields for entering a user name and password.)

    The user must enter their user name in username@domain format. HTTP Basic only base64-encodes the credentials, so they are protected solely by the TLS connection to the captive portal; this is why the Server Certificate setting in the procedure below matters.

Procedure


Step 1

Log in to the Firewall Management Center.

Step 2

Click Policies > Security policies > Identity.

Step 3

Click New Policy.

  1. Enter a Name for the policy and an optional Description.

  2. Click Save.

Step 4

Click the Active Authentication tab.

Enter the following information:

  • Server Certificate: From the list, click an internal certificate object to use for the TLS connection between the user's browser and the captive portal on the Firewall Threat Defense device, or click Add (add icon) to add one. Use a certificate whose subject or subject alternative name matches the redirect host name and that is issued by a CA your clients trust; otherwise users see a certificate warning on every login, which trains them to click through warnings.

  • Redirect to Host Name: (Optional.) From the list, click a network object to which to redirect captive portal requests. If you omit this value, requests redirect to the IP address of the managed device. You can click Add (add icon) to create a new network object. For more information, see Redirect to host name network rule conditions.

    Managed devices must have Snort 3 enabled to use this option.

  • Port: Enter a port for the captive portal to use. This port must be unique for the captive portal and must match an access control rule you set up as discussed in Create a TCP port access control rule. (Default is 885.)

  • Maximum login attempts: Enter the maximum number of login attempts before login fails. (Default is 3.)

  • Active Authentication Response Page: Choose a system-provided or custom login page for captive portal users. For more information about your options, see Captive portal fields.

Step 5

Click Save to save your changes to the identity policy.

Step 6

Click the Rules tab.

Step 7

Click Add Rule.

  1. Enter a Name for the rule.

  2. From the list, click Active Authentication.

Step 8

Click the Realms & Settings tab, then configure an active authentication method for the users.
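The following is an added illustration, not Firewall Threat Defense code or anything from the original page: a small Python simulation of the captive-portal login flow the procedure configures. It models the redirect of an unauthenticated request to the portal host and port (Step 4), the HTTP Basic challenge, selection of a realm from the username@domain form described above, and the Maximum login attempts limit. The host name portal.example.com, the realm names CORP and LAB, and the users and passwords are constructed test data; a real deployment validates the credentials against the realm's directory server rather than an in-memory table.

```python
"""Simulated captive-portal login flow. Added as an illustration of the
behaviour described on this page; it is not Firewall Threat Defense code.
It models the redirect to the portal host and port, the HTTP Basic challenge,
realm selection from the username@domain form, and the Maximum login attempts
limit. Host name, realms, users and passwords are constructed test data."""

import base64
import binascii
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed portal settings mirroring the Step 4 defaults. The host name is a
# hypothetical "Redirect to Host Name" network object.
PORTAL_HOST = "portal.example.com"
PORTAL_PORT = 885          # default captive portal port
MAX_LOGIN_ATTEMPTS = 3     # default Maximum login attempts

# Constructed realm sequence: realm name -> {user name: password}. A real
# deployment checks the credentials against the realm's directory server.
REALM_SEQUENCE = {
    "CORP": {"alice": "s3cret"},
    "LAB": {"bob": "hunter2"},
}

BASIC_CHALLENGE = {"WWW-Authenticate": f'Basic realm="{PORTAL_HOST}"'}


def redirect_for(original_url: str) -> dict:
    """An unauthenticated HTTP request is answered with a redirect to the
    captive portal on the configured host name and port."""
    location = f"https://{PORTAL_HOST}:{PORTAL_PORT}/?url={original_url}"
    return {"status": 302, "headers": {"Location": location}}


def split_user_domain(login: str) -> Optional[Tuple[str, str]]:
    """Parse the username@domain form into (user, realm); None if malformed.
    rpartition keeps the text after the last '@' as the realm name."""
    user, sep, realm = login.rpartition("@")
    if not sep or not user or not realm:
        return None
    return user, realm


def basic_header(login: str, password: str) -> str:
    """Build the Authorization header a browser sends for HTTP Basic."""
    return "Basic " + base64.b64encode(f"{login}:{password}".encode()).decode()


@dataclass
class PortalSession:
    """One client's state at the portal: failed attempts and lock-out."""
    attempts: int = 0
    locked: bool = False
    authenticated_as: Optional[Tuple[str, str]] = None

    def handle(self, authorization: Optional[str]) -> dict:
        """Handle one portal request carrying an optional Authorization header."""
        if self.locked:
            return {"status": 403, "body": "maximum login attempts exceeded"}
        if not authorization or not authorization.startswith("Basic "):
            return {"status": 401, "headers": BASIC_CHALLENGE}
        try:
            decoded = base64.b64decode(authorization[len("Basic "):]).decode()
        except (binascii.Error, UnicodeDecodeError):
            return self._fail()
        login, _, password = decoded.partition(":")
        parsed = split_user_domain(login)
        if parsed is None:
            return self._fail()
        user, realm = parsed
        users = REALM_SEQUENCE.get(realm)
        expected = users.get(user) if users else None
        if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
            return self._fail()
        self.authenticated_as = (user, realm)
        return {"status": 200, "body": f"authenticated {user} in realm {realm}"}

    def _fail(self) -> dict:
        """Count a failed attempt; lock the session once the limit is reached."""
        self.attempts += 1
        if self.attempts >= MAX_LOGIN_ATTEMPTS:
            self.locked = True
            return {"status": 403, "body": "maximum login attempts exceeded"}
        return {"status": 401, "headers": BASIC_CHALLENGE}


if __name__ == "__main__":
    session = PortalSession()
    print(redirect_for("http://intranet.example.com/"))
    print(session.handle(None))
    print(session.handle(basic_header("alice@CORP", "s3cret")))
```

The simulation makes two points a practitioner should carry into the real configuration: a login with no realm suffix (or a realm that is not in the sequence) is a failed attempt that counts toward the limit, and once the limit is reached even correct credentials are refused until the session is reset.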


What to do next

Continue with one of the following sections: