Create a Sample Identity Policy with an Active Authentication Rule

The associated tasks show examples of configuring an identity policy with an Active Authentication rule, where authentication is performed using either a realm or a realm sequence.

The differences follow:

  • A realm lets you use any supported authentication type (currently HTTP Basic, NTLM, Kerberos, HTTP Negotiate, or HTTP Response Page).

  • A realm sequence limits you to the HTTP Basic or HTTP Response Page authentication types.

    Users who authenticate with a realm sequence and the HTTP Response Page authentication type see the following by default:

    The user can authenticate in any of the following ways:

    • If a list of realms in the realm sequence is displayed (as shown), the user must enter their user name and password in the provided fields and click the name of their realm from the list.

    • If realms are not displayed in a list, the user can enter their credentials in username@domain format.

    Users who authenticate with a realm and the HTTP Basic authentication page see the following:

    The user must enter their user name in username@domain format.

Procedure

Step 1

Log in to the management center.

Step 2

Click Policies > Access Control > Identity.

Step 3

Click New Policy.

Step 4

Enter a Name for the policy and an optional Description.

Step 5

Click Save.

Step 6

Click the Active Authentication tab.

Step 7

Enter the following information:

  • Server Certificate: From the list, click an internal certificate object to use for the secure connection to the Threat Defense device, or click Add (add icon) to add one.

  • Redirect to Host Name: (Optional.) From the list, click a network object to which captive portal requests are redirected. If you omit this value, requests are redirected to the IP address of the managed device. You can click Add (add icon) to create a new network object. For more information, see Redirect to Host Name Network Rule Conditions.

    Managed devices must have Snort 3 enabled to use this option.

  • Port: Enter a port for the captive portal to use. This port must be unique for the captive portal and must match an access control rule you set up as discussed in Configure the Captive Portal Part 3: Create a TCP Port Access Control Rule. (Default is 885.)

  • Maximum login attempts: Enter the maximum number of login attempts before login fails. (Default is 3.)

  • Active Authentication Response Page: Choose a system-provided or custom login page for captive portal users. For more information about your options, see Captive Portal Fields.

Step 8

Click Save to save your changes to the identity policy.

Step 9

Click the Rules tab.

Step 10

Click Add Rule.

Step 11

Enter a Name for the rule.

Step 12

From the list, click Active Authentication.

Step 13

Click the Realms & Settings tab and continue with one of the following sections.
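The constraints stated above (which authentication types a realm versus a realm sequence allows, the Snort 3 requirement for Redirect to Host Name, the captive-portal port that must match an access control rule, and the login-attempt limit) can be checked before the values are typed into the management center. The following is an added example, not code from the Cisco documentation or product; the dictionary layout and field names it uses to describe a proposed policy are assumptions made for this example.

```python
from typing import Dict, List, Set

# Authentication types the page lists for an Active Authentication rule backed by a realm.
REALM_AUTH_TYPES = {"HTTP Basic", "NTLM", "Kerberos", "HTTP Negotiate", "HTTP Response Page"}
# A realm sequence is limited to these two types.
REALM_SEQUENCE_AUTH_TYPES = {"HTTP Basic", "HTTP Response Page"}


def lint_active_auth(policy: Dict, acl_tcp_ports: Set[int], snort3_enabled: bool) -> List[str]:
    """Return findings for a proposed identity policy (the dict layout is an assumption of
    this example); an empty list means it is consistent with the documented constraints.
    acl_tcp_ports: destination ports allowed by the captive-portal access control rules."""
    findings: List[str] = []
    s = policy.get("active_authentication", {})
    # Server Certificate is required for the TLS connection to the Threat Defense device.
    if not s.get("server_certificate"):
        findings.append("server_certificate: an internal certificate object is required")
    # Redirect to Host Name is optional, but the managed devices must run Snort 3 to use it.
    if s.get("redirect_to_host_name") and not snort3_enabled:
        findings.append("redirect_to_host_name: requires Snort 3 on the managed devices")
    # The captive-portal port must be a valid TCP port and match an access control rule.
    port = s.get("port", 885)  # 885 is the documented default
    if not 1 <= port <= 65535:
        findings.append(f"port: {port} is not a valid TCP port")
    elif port not in acl_tcp_ports:
        findings.append(f"port: {port} has no matching captive-portal access control rule")
    # Maximum login attempts must be at least 1 (documented default is 3).
    if s.get("max_login_attempts", 3) < 1:
        findings.append("max_login_attempts: must be at least 1")
    # Each Active Authentication rule: the auth type must suit a realm or a realm sequence.
    for rule in policy.get("rules", []):
        if rule.get("action") != "Active Authentication":
            continue
        seq = bool(rule.get("realm_sequence"))
        allowed = REALM_SEQUENCE_AUTH_TYPES if seq else REALM_AUTH_TYPES
        if rule.get("auth_type") not in allowed:
            findings.append(f"rule {rule.get('name')}: {rule.get('auth_type')!r} is not "
                            f"supported with a {'realm sequence' if seq else 'realm'}")
    return findings


# Constructed sample: a realm-sequence rule wrongly set to NTLM, a redirect host on a
# deployment without Snort 3, and a port that no captive-portal access control rule allows.
SAMPLE_POLICY = {
    "active_authentication": {"server_certificate": "captive-portal-cert",
                              "redirect_to_host_name": "cp.example.test",
                              "port": 8885, "max_login_attempts": 3},
    "rules": [{"name": "Guests", "action": "Active Authentication",
               "realm_sequence": True, "auth_type": "NTLM"}],
}
```

Running `lint_active_auth(SAMPLE_POLICY, {885}, False)` reports the three mismatches; switching the rule to HTTP Basic, the port to 885 and Snort 3 on returns no findings.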

What to do next

Continue with one of the following sections: