Chapter 12: Setting Your Security Policy 347
Using Port-Based Security
The UTM-1 appliance supports the IEEE 802.1x standard for secure RADIUS
authentication of users and devices that are directly attached to the UTM-1 appliance's LAN
and DMZ ports, as well as to the wireless LAN.
When an 802.1x security scheme is implemented for a port, users attempting to connect to
that port are required to authenticate using their network user name and password. The
UTM-1 appliance sends the user's credentials to the configured RADIUS server, and if
authentication succeeds, a connection is established. If the user fails to authenticate, the
port is physically isolated from other ports on the gateway.
If desired, you can specify how users should be handled after successful or failed
authentication. You can assign authenticated users to specific network segments by
configuring dynamic VLAN assignment on the RADIUS server. Upon successful
authentication, the RADIUS server sends RADIUS attribute 81 (Tunnel-Private-Group-ID)
to the UTM-1 appliance, indicating to which network segment the user should be assigned.
For example, if a member of the Accounting team connects to a network port and attempts
to log on, the UTM-1 appliance relays the information to the RADIUS server, which
replies with RADIUS option 81 and the value “Accounting”. The appliance then assigns
the user’s port to the Accounting network, granting the user access to all the resources of
the Accounting team.
The UTM-1 appliance also enables you to automatically assign users to a “Quarantine”
network when authentication fails. All Quarantine network security and network rules will
apply to those users. For example, you can create security rules allowing users on the
Quarantine network to access the Internet and blocking them from accessing sensitive
company resources. You can also configure Traffic Shaper to grant members of the
Quarantine network a lower amount of bandwidth than authorized users.
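The assignment logic described above, as an added example that is not code from the UTM-1 guide: it parses the tunnel attributes of a RADIUS reply, maps an Access-Accept carrying Tunnel-Private-Group-ID to that VLAN, and maps a rejected authentication to the Quarantine network. The packets are constructed samples with a zeroed authenticator; a real supplicant-facing client must first verify the Response Authenticator with the RADIUS shared secret before trusting any attribute.

```python
import struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6   # RFC 2868 values for VLAN over 802
QUARANTINE = "Quarantine"                     # network for failed authentication


def parse_attributes(packet):
    """Return (code, [(type, value), ...]) from a raw RADIUS packet."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs, off = [], 20          # attributes follow the 16-byte authenticator
    while off < length:
        atype, alen = packet[off], packet[off + 1]
        if alen < 2 or off + alen > length:
            raise ValueError("malformed attribute")
        attrs.append((atype, packet[off + 2:off + alen]))
        off += alen
    return code, attrs


def strip_tag(value):
    # Tunnel string attributes may start with a tag byte (0x00-0x1F); drop it.
    return value[1:] if value and value[0] <= 0x1F else value


def assign_network(packet):
    """Name of the network the authenticated port should join, or None for the default."""
    code, attrs = parse_attributes(packet)
    if code != ACCESS_ACCEPT:
        return QUARANTINE        # failed authentication lands in Quarantine
    tunnel_type = medium = group = None
    for atype, val in attrs:
        if atype == TUNNEL_TYPE:
            tunnel_type = struct.unpack("!I", val)[0] & 0x00FFFFFF   # high byte is the tag
        elif atype == TUNNEL_MEDIUM_TYPE:
            medium = struct.unpack("!I", val)[0] & 0x00FFFFFF
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            group = strip_tag(val).decode("ascii", "replace")
    if tunnel_type == TUNNEL_TYPE_VLAN and medium == TUNNEL_MEDIUM_802 and group:
        return group
    return None                  # accepted without a VLAN assignment


def build_reply(code, attrs):
    """Constructed RADIUS reply with a zeroed authenticator (sample data only)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + b"\x00" * 16 + body


# Constructed samples: an Accept assigning the "Accounting" VLAN (tag 1) and a Reject.
ACCEPT = build_reply(ACCESS_ACCEPT, [(TUNNEL_TYPE, b"\x01\x00\x00\x0d"),
                                     (TUNNEL_MEDIUM_TYPE, b"\x01\x00\x00\x06"),
                                     (TUNNEL_PRIVATE_GROUP_ID, b"\x01Accounting")])
REJECT = build_reply(ACCESS_REJECT, [])
```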