Stormshield SN series - Page 52

Ignored administration accounts
By default, this list of users contains the usual administrator logins
(Administrator and Administrateur) and defines the authentication attempts
that the SSO agent has to ignore.
This mechanism has been set up because the domain controller treats the
execution of a service or an application (the Run as administrator feature,
for example) as an authentication. As the SSO agent restricts authentication
by IP address, this type of authentication may potentially replace the
authentication of the user with an open Windows session. The pre-set list of
“Ignored Administrator accounts” allows the SSO agent to disregard
authentications made with these accounts.
This list of “Administrator” logins can be modified in the CLI (CONFIG AUTH AGENTIGNORE).
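The replacement problem described above, as an added Python sketch (not Stormshield's code; the event records, the function name and the case-insensitive matching are assumptions of this model). Each IP address maps to a single login, so a later Administrator logon from the same workstation overwrites the interactive user unless that login is ignored.

```python
# Simplified model of IP-based SSO identity tracking (illustrative only,
# not the SSO agent's implementation).
from dataclasses import dataclass

# Default ignored logins named on this page.
DEFAULT_IGNORED = ("Administrator", "Administrateur")


@dataclass(frozen=True)
class LogonEvent:
    """One authentication reported by the domain controller (constructed)."""
    ip: str
    login: str


def build_ip_user_table(events, ignored=DEFAULT_IGNORED):
    """Return {ip: login}, where the latest accepted logon from an IP wins.

    Logins in `ignored` are skipped so that they cannot replace the
    interactive user already associated with that IP address.
    Case-insensitive comparison is an assumption of this model.
    """
    skip = {name.lower() for name in ignored}
    table = {}
    for ev in events:
        if ev.login.lower() in skip:
            continue  # e.g. "Run as administrator" on a user's workstation
        table[ev.ip] = ev.login
    return table


# Constructed sample: alice opens a Windows session, then an application is
# run as Administrator on the same workstation; bob logs on from another host.
SAMPLE_EVENTS = [
    LogonEvent("192.0.2.10", "alice"),
    LogonEvent("192.0.2.10", "Administrator"),
    LogonEvent("192.0.2.20", "bob"),
    LogonEvent("192.0.2.20", "administrateur"),
]

if __name__ == "__main__":
    print("no ignore list :", build_ip_user_table(SAMPLE_EVENTS, ignored=()))
    print("default ignore :", build_ip_user_table(SAMPLE_EVENTS))
```

With an empty ignore list, both addresses end up attributed to the administrator login, so user-based filtering rules would no longer match the person actually using the workstation.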
Guest method
This mode allows identification without authentication, for access to a public Wi-Fi network, for
example. This method automatically activates the display of the conditions of use for internet
access. These conditions can be customized in the Captive portal tab. By default, the frequency
of this display confirming the authentication is 18 hours and can be modified in the settings for
this method (disclaimertime).
When these “guest” users log on, these events will be logged with the addition of source MAC
addresses. This identification is checked every 4 hours, and this parameter can be set in the
following CLI command:
CONFIG AUTH GUEST (example: state=1 logontime=14400 disclaimertime=64800)
NOTE
In the security policy, the User object to select to match the Guest method is “All”.
Display frequency of the Conditions of use for internet access
With this method, the Conditions of use for internet access, commonly known as the
Disclaimer, are systematically shown to the user. The user has to check a checkbox
indicating agreement before being able to authenticate.
These conditions can be customized in the “Captive portal” tab.
If the feature has also been enabled in the profiles of the captive portal, this display
frequency will be different from the one configured for the other methods.
Sponsorship
This mode enables identification without authentication through the captive portal. The
sponsored party will need to enter his/her first name and last name and his/her sponsor's email
address. The sponsor will then receive an email containing a link to confirm this request. After the
request has been validated, the sponsored party will automatically be redirected from the captive
portal to the requested web page.
Minimum authentication duration
Define the minimum duration of a session for a sponsored user.
This duration is to be defined in minutes, hours or days. It is set by default to 15
minutes.
Maximum authentication duration
Define the maximum duration of a session for a sponsored user. After this duration
has lapsed, the firewall will log off the user.
This duration is to be defined in minutes, hours or days. It is set by default to 240
minutes, or 4 hours.
Page 52/448 sns-en-user_configuration_manual-v3 - Copyright © Stormshield 2016
SNS - USER CONFIGURATION MANUAL V.3
AUTHENTICATION
