
Internet Access Management

Authentication
Authentication Introduction
The users managed by the IAM device are end users who access the Internet
through the IAM device; therefore, the users are the basic units to be allocated with
network access privileges. The administrators can manage users and their
privileges through the [Group/ User] page.

SANGFOR IAM Authentication Types

1. Authentication Based on IP, MAC/Hostname

2. Username/Password Authentication

3. SSO Authentication

4. DKey Authentication
1. None (identification by IP, MAC address or hostname)

This mode identifies users by source IP address, MAC address or computer
name. Its advantage is that no authentication dialogue asks users for a
username and password, so users do not notice the IAM device at all. Its
disadvantage is that it cannot identify the actual person behind an
address, so network behaviour cannot be attributed to a specific user,
especially where addresses are allocated dynamically; in that situation
policies cannot control the user accurately.
2. Username/Password Authentication

Username/password authentication redirects the browser to the authentication
page and requires the user to enter a correct username and password before
they can reach the Internet. There are two kinds of password authentication:
the password is checked against the IAM device's local user list, or against
an external server.

After the user submits a username and password, the device first checks them
against the local user list. If the user is not found there and an external
authentication server has been configured, the device then checks the
username and password on the external server.

You can create users manually on the IAM, or use accounts and passwords from
an external server directly (SANGFOR IAM supports LDAP, RADIUS, POP3,
database, H3C CAMS, H3C IMC and other external authentication servers).
3. SSO

SSO means that if the network already has an authentication system deployed,
the IAM device integrates with that system to learn which user corresponds to
a given IP address, so that the user is not asked for a username/password
again when connecting to the Internet.

At present, the following types of SSO are supported:

- Active Directory Domain SSO

- Proxy SSO

- POP3 SSO

- Web SSO
4. DKey Authentication

Users who adopt DKey authentication submit the user information stored on the
DKey to the IAM device, which identifies the user from that information.
Among the four authentication methods, DKey authentication has the highest
priority: if you insert a DKey into a computer that is already authenticated
by another method, the computer's identity changes to the DKey user, with the
corresponding privileges.

There are two types of DKey: the authentication DKey and the audit-free DKey.
The audit-free DKey not only authenticates the user but also exempts them
from auditing by the IAM device, which means the IAM device neither monitors
nor records the behaviour of the audit-free DKey user.

DKey models, by colour (legend of the slide's picture):

- Green: authentication DKey

- Purple: audit-free DKey

- Brown: data center query
Scenario

A company has an office area and a public area behind a firewall and a core
switch (CoreSW). Office users (192.168.1.0/24) must not be able to change
their IP and MAC addresses; public area users (192.168.2.0/24) must
authenticate with a username and password; in addition, the manager's
Internet access records must not be audited.

[Topology diagram: Firewall - CoreSW - Manager / Office / Public]

According to the customer's requirements, we can deploy the IAM between the
firewall and the core switch:
1. Office users use IP/MAC binding authentication.
2. Public area users use username/password authentication.
3. The manager uses an audit-free DKey.

[Topology diagram as above, with the IAM between Firewall and CoreSW]

Configure steps

1. Add an authentication policy
The IAM device decides which authentication method applies to a user
according to the configured IP or MAC address range.

2. Add new users manually or automatically
New users can be created manually; for each user you can define specific
authentication information, including username/password, whether DKey is
enabled, and IP/MAC binding. Users can also be added automatically by an
authentication policy.
DKey authentication has the highest priority and does not need to be enabled
in the authentication policy. None, Username/Password and SSO must be enabled
in the authentication policy.

Step 1: IP/MAC binding
1. Add a group named "OFFICE".
2. Configure the authentication policy.
Note: in a layer 3 core switch environment, "Obtain MAC by SNMP" must be
enabled, because the IAM otherwise only sees the switch's interface MAC as
the source of every routed office packet and cannot verify the host's real
MAC address.

Step 2: Username/Password
1. Add a group named "PUBLIC" and an authentication policy.
2. Add a new user.

Step 3: DKey authentication
1. Add a DKey user.
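The decision logic the three steps configure, written out as an added worked example (this is illustrative code, not SANGFOR's implementation): a policy is chosen by source subnet, an IP/MAC-bound user is accepted only when both addresses match, a password is checked against the local list first and the external server only when the user is not local, and a recognised DKey overrides everything and can carry the audit-free flag. All names, addresses, passwords and the DKey serial are assumed values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed data for the training scenario above. All names, addresses,
# passwords and DKey serials are assumptions made for this example.

# Authentication policies, matched on the source subnet (first match wins).
AUTH_POLICIES = [
    (ipaddress.ip_network("192.168.1.0/24"), "ipmac"),     # OFFICE group
    (ipaddress.ip_network("192.168.2.0/24"), "password"),  # PUBLIC group
]

# Local user list on the IAM: IP/MAC bindings for OFFICE, passwords for PUBLIC.
LOCAL_USERS = {
    "alice":  {"group": "OFFICE", "ip": "192.168.1.10", "mac": "00:1c:42:ab:cd:10"},
    "guest1": {"group": "PUBLIC", "password": "Guest#2024"},
}

# Stand-in for an external server (LDAP/RADIUS/...); in reality a network query.
EXTERNAL_USERS = {"bob": "Bob$Pass1"}

# DKey registry: serial -> (username, audit-free flag).
DKEYS = {"DK-0001": ("manager", True)}


@dataclass
class AuthResult:
    user: Optional[str]   # None means authentication failed: no Internet access
    method: str
    audited: bool = True  # False only for audit-free DKey users


def policy_for(ip: str) -> Optional[str]:
    """Pick the authentication method from the policy matching the source IP."""
    addr = ipaddress.ip_address(ip)
    for net, method in AUTH_POLICIES:
        if addr in net:
            return method
    return None


def check_password(username: str, password: str) -> bool:
    """Local user list first; external server only if the user is not local."""
    local = LOCAL_USERS.get(username)
    if local is not None and "password" in local:
        return local["password"] == password
    return EXTERNAL_USERS.get(username) == password


def authenticate(ip: str, mac: str, dkey: Optional[str] = None,
                 username: Optional[str] = None,
                 password: Optional[str] = None) -> AuthResult:
    # DKey has the highest priority and overrides the policy for the subnet.
    if dkey is not None and dkey in DKEYS:
        user, audit_free = DKEYS[dkey]
        return AuthResult(user, "dkey", audited=not audit_free)

    method = policy_for(ip)
    if method == "ipmac":
        # Both the IP and the MAC must match a bound local user.
        for name, rec in LOCAL_USERS.items():
            if rec.get("ip") == ip and rec.get("mac", "").lower() == mac.lower():
                return AuthResult(name, "ipmac")
        return AuthResult(None, "ipmac")   # changed IP or MAC: rejected
    if method == "password":
        if username and password and check_password(username, password):
            return AuthResult(username, "password")
        return AuthResult(None, "password")
    return AuthResult(None, "none")        # no policy for this subnet
```

The point to notice is the order of the checks: a DKey is consulted before the subnet policy, so inserting the manager's DKey on an office PC changes that PC's identity, exactly as the DKey section describes.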
Password Policy

Indicates whether the password policy is enabled, to strengthen the security
of user passwords. After enabling it, you can check the relevant options to
impose requirements on the password, such as:

Password cannot be the same as username.

New password cannot be the same as the old one.

Password length cannot be shorter than certain characters.

Password must contain letters, numeric digits and special characters.


Steps

User/Policy > User Authentication > Authentication Options > Other Options >
Password Policy
Client change password

Force client to change password after the initial authentication

Background: when users are imported or added in bulk with the same initial
password, it is dangerous, because anyone who knows the shared password can
log in as any of those users.

Solution: force the client to change the password after the initial
authentication.

Attention

1. Only takes effect for users authenticated against the device's local
password list.

2. After the initial authentication the page is redirected to the password
change page; until the password is changed, the user cannot access the
Internet.
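As an added example for both the password policy options above and the bulk-import problem (illustrative code, not the IAM's own): the first function applies the four policy rules from the slide and reports which ones a new password breaks; the second scans a constructed CSV import in the shape used for "Import from CSV file" and lists the users who should be flagged to change their password on initial login, namely anyone whose imported password is shared with another user or fails the policy. The minimum length of 8 and the CSV column names are assumptions.

```python
import csv
import io
import string
from collections import Counter
from typing import List, Optional

SPECIALS = set(string.punctuation)


def check_password_policy(username: str, new_password: str,
                          old_password: Optional[str] = None,
                          min_length: int = 8) -> List[str]:
    """Return the list of violated rules; an empty list means the password is accepted.

    The rules are the four options named on the slide; min_length is an assumed value.
    """
    violations = []
    if new_password == username:
        violations.append("same_as_username")
    if old_password is not None and new_password == old_password:
        violations.append("same_as_old")
    if len(new_password) < min_length:
        violations.append("too_short")
    has_letter = any(c.isalpha() for c in new_password)
    has_digit = any(c.isdigit() for c in new_password)
    has_special = any(c in SPECIALS for c in new_password)
    if not (has_letter and has_digit and has_special):
        violations.append("missing_character_class")
    return violations


# Constructed CSV in the shape of a bulk user import (assumed column names):
# two users share the default password, one was given a proper one.
IMPORT_CSV = """username,password,group
u001,123456,PUBLIC
u002,123456,PUBLIC
u003,Xk9#pLm2q,PUBLIC
"""


def users_needing_initial_change(csv_text: str) -> List[str]:
    """Users whose imported password is shared with another user or breaks
    the policy: these are the ones to flag 'must change PWD on initial login'."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    shared = Counter(row["password"] for row in rows)
    return sorted(
        row["username"] for row in rows
        if shared[row["password"]] > 1
        or check_password_policy(row["username"], row["password"])
    )
```

Running the import check before loading the file is the cheap way to confirm that the "must change PWD on initial login" option was set for exactly the accounts that need it.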
Configuration

1. User/Policy > User Management > Group/User > click "Add User" > enable
"Change password after the initial authentication"

2. User/Policy > User Management > User Import > "Import from CSV file" >
enable "User with local PWD must change PWD on initial login"
When "Change password after the initial authentication" is enabled on the
IAM, the page is redirected after the initial authentication to the password
change page shown in the slide.

Attentions:
(1) This page is static; it does not automatically jump back to the page the
user previously visited.
(2) The modified password may take effect only after a delay of about 30
seconds.
User Logout
How to log out an authenticated user

Web console
1. Force to Logout: DKey users, temporary users and users that need no
authentication cannot be logged out this way.

2. Auto logout of users who generate no traffic in a specified period: works
for every kind of authenticated user.

3. Display logout page after successful password authentication: only works
for username/password users.

4. After the user passes authentication, the page is redirected to the
"Logout page", where the user clicks the logout button.

5. The client logs out manually by entering http://IAMIP to open the logout
page and clicking the logout button (only works for username/password or SSO
users).
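The logout rules above differ by authentication method, which is easy to get wrong when scripting session cleanup. The following added example (illustrative code, not the IAM's own) models a session table and applies the three rules: the console's force-logout is refused for DKey, temporary and unauthenticated users, the client-side logout page works only for password and SSO users, and the idle sweep logs out every method once no traffic has been seen for the configured period. Session names, timestamps and the 600-second idle limit are assumed values.

```python
from dataclasses import dataclass
from typing import List

# Rules from the slides: force-logout is refused for DKey, temporary and
# unauthenticated users; idle logout applies to everyone; the client-side
# logout page serves only password and SSO users.
FORCE_LOGOUT_EXEMPT = {"dkey", "temporary", "none"}
CLIENT_LOGOUT_METHODS = {"password", "sso"}


@dataclass
class Session:
    user: str
    method: str        # "ipmac", "password", "sso", "dkey", "temporary" or "none"
    last_traffic: int  # epoch seconds of the last packet seen from the user
    active: bool = True


def force_logout(session: Session) -> bool:
    """Web-console 'Force to Logout'. Returns False when the console refuses."""
    if session.method in FORCE_LOGOUT_EXEMPT:
        return False
    session.active = False
    return True


def client_logout(session: Session) -> bool:
    """Logout button on http://IAMIP (and the post-authentication logout page)."""
    if session.method not in CLIENT_LOGOUT_METHODS:
        return False
    session.active = False
    return True


def sweep_idle(sessions: List[Session], now: int, idle_limit: int) -> List[str]:
    """Auto logout: every active session with no traffic for idle_limit seconds."""
    logged_out = []
    for s in sessions:
        if s.active and now - s.last_traffic >= idle_limit:
            s.active = False
            logged_out.append(s.user)
    return logged_out


def sample_sessions() -> List[Session]:
    """Constructed sessions (assumed names and timestamps) for trying the rules."""
    return [
        Session("alice", "ipmac", last_traffic=900),
        Session("guest1", "password", last_traffic=300),
        Session("manager", "dkey", last_traffic=100),
    ]
```

Note that the idle sweep is the only path that ever ends the manager's DKey session here; the console and the client page both refuse it.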
Practice

A hotel has a layer 2 network (192.168.1.0/24) in which each computer is
assigned a fixed IP address. Staff must be able to surf the Internet only
from their own computer, so that network behaviour can be traced to a person.
Users in the guest room area should use username/password authentication.

Advice

Employees' computers use IP/MAC binding.

Others use Username/Password.


FAQ

1. What authentication modes does the IAM support?

2. Why must SNMP be enabled when the customer wants to bind IP/MAC across a
layer 3 core switch?

3. Under what conditions does the user password policy not take effect?
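On FAQ 2: when office hosts sit behind a layer 3 core switch, every packet the IAM receives from them carries the switch's interface MAC as its source address, so the IAM cannot check a host's real MAC from traffic alone; "Obtain MAC by SNMP" makes it read the switch's ARP table (ipNetToMediaPhysAddress, OID .1.3.6.1.2.1.4.22.1.2) instead. The added example below (illustrative code, not SANGFOR's) parses constructed snmpwalk output of that table and compares it with the configured IP/MAC bindings, reporting each binding as matching, mismatched, or absent from the switch's ARP view. The ifIndex, addresses and MACs are assumed values.

```python
import re
from typing import Dict

# Constructed snmpwalk output of the core switch's ARP table
# (ipNetToMediaPhysAddress, OID .1.3.6.1.2.1.4.22.1.2.<ifIndex>.<ip>), in the
# form printed by `snmpwalk -v2c -c <community> -On <switch> .1.3.6.1.2.1.4.22.1.2`.
# The ifIndex (10), addresses and MACs are assumed values.
SNMP_WALK = """\
.1.3.6.1.2.1.4.22.1.2.10.192.168.1.10 = Hex-STRING: 00 1C 42 AB CD 10
.1.3.6.1.2.1.4.22.1.2.10.192.168.1.11 = Hex-STRING: 00 1C 42 AB CD 11
.1.3.6.1.2.1.4.22.1.2.10.192.168.1.12 = Hex-STRING: 00 1C 42 AB CD 99
"""

# IP/MAC bindings configured for the OFFICE group on the IAM (assumed values).
BINDINGS = {
    "192.168.1.10": "00:1c:42:ab:cd:10",
    "192.168.1.11": "00:1c:42:ab:cd:11",
    "192.168.1.12": "00:1c:42:ab:cd:12",  # the switch sees a different MAC here
    "192.168.1.13": "00:1c:42:ab:cd:13",  # not present in the ARP table
}

ARP_LINE = re.compile(
    r"\.1\.3\.6\.1\.2\.1\.4\.22\.1\.2\.\d+\.(\d+\.\d+\.\d+\.\d+)"
    r" = Hex-STRING: ((?:[0-9A-Fa-f]{2}\s?)+)$"
)


def parse_arp_walk(text: str) -> Dict[str, str]:
    """Turn snmpwalk lines into {ip: 'aa:bb:cc:dd:ee:ff'}; unrelated lines are skipped."""
    table = {}
    for raw in text.splitlines():
        m = ARP_LINE.match(raw.strip())
        if not m:
            continue
        ip, hex_bytes = m.group(1), m.group(2).split()
        table[ip] = ":".join(b.lower() for b in hex_bytes)
    return table


def check_bindings(bindings: Dict[str, str], arp: Dict[str, str]) -> Dict[str, str]:
    """Compare each configured binding with what the switch's ARP table says."""
    report = {}
    for ip, expected in bindings.items():
        seen = arp.get(ip)
        if seen is None:
            report[ip] = "not_in_arp"     # host not seen by the switch (yet)
        elif seen == expected.lower():
            report[ip] = "ok"
        else:
            report[ip] = "mismatch"       # IP in use from a different MAC
    return report
```

A "mismatch" is the case the office policy exists to catch: the bound IP is in use, but from a host with a different MAC, which the IAM could never detect from the switch-rewritten frames alone.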


www.sangfor.com
