Create an identity policy with a passive authentication rule

Create an identity policy that authenticates users using passive authentication with realm sequences for user identification.

This task discusses how to create an identity policy with a passive authentication rule that authenticates users using the US realm sequence. If a user is not found in the first realm in the sequence, the system searches the other realms in the sequence in the order listed in the realm sequence. If a user is still not found in the realm or realm sequence, the user is identified as Unknown.

You can optionally authenticate a user with the captive portal (that is, active authentication) if the user is not found in any realm in the sequence. For more information, see Best practices for captive portal guidelines and limitations.

Procedure

Step 1

Log in to the Firewall Management Center.

Step 2

Click Policies > Security policies > Identity.

Step 3

Click New Policy.

  1. Enter a Name for the policy and an optional Description.

  2. Click Save.

Step 4

Click Add Rule.

  1. Enter a Name for the rule.

  2. From the list, click Passive Authentication.

Step 5

Click the Realms & Settings tab page.

  1. From the list, click the name of a realm or realm sequence.

    The following figure shows an example.

    The figure illustrates an example of an identity policy with a passive authentication rule, highlighting the process of user identification within a selected realm.

    • If you choose a realm (such as US-East in the example), the system searches that realm for users to match the rule. If a user is not found, the user is identified as Unknown.

    • If you choose a realm sequence (US (Sequence) in the example), users are searched in every realm in the sequence in the order specified in the sequence. If the user is not found, the user is identified as Unknown.

    • You can also choose an LDAP realm.

    • For additional ways to authenticate the user, check Use active authentication if passive or VPN identity cannot be established. For more information, see Best practices for captive portal guidelines and limitations.

Step 6

(Optional.) To filter traffic by network object, click the Identity Source tab. From the list, click the network object to use to filter traffic for this identity policy. Click Add (add icon) to create a new network object.

Step 7

Set identity rule conditions as discussed in Identity rule conditions.

Step 8

Associate the identity rule with an access control rule as discussed in Associating other policies with access control.

Step 9

Deploy configuration changes to managed devices; see Deploy Configuration Changes.