Solutions Fast Track


FireWall-1 Authentication Schemes

  • FW-1 authentication schemes include FW-1 Password, RADIUS, TACACS, and SecurID.

  • Each user you want to authenticate uses one of these authentication schemes.

  • Before you can use any scheme, it must be enabled in your firewall object's Authentication tab.

Defining Users

  • Defining users enables you to make use of the authentication schemes mentioned at the beginning of this chapter, as well as to decide upon several other useful properties for each user.

  • All users in FW-1 are defined via templates. Templates are also a convenient way to eliminate the need to define the same user properties repeatedly; you define the user properties once and create subsequent users with the same settings by simply choosing that template.

User Authentication

  • User authentication works only for HTTP, HTTPS, FTP, telnet, and rlogin.

  • It can be transparent, and does not require any additional software on the client end.

Client Authentication

  • Client authentication works for all services, but is not transparent.

  • Users must use telnet or HTTP to authenticate prior to being granted access. No additional software is required on the client end.

Session Authentication

  • Session authentication also works for all services and is transparent.

  • The session authentication agent must be running on the client end. It communicates with the firewall and provides authentication credentials.

LDAP Authentication

  • LDAP can be integrated into FW-1 to enable you to have an external user database for authentication.

  • To configure LDAP, set up your LDAP server, ensure that it is operating properly, and then add an LDAP Account Unit to your list of Servers.




Check Point NG[s]AI
ISBN: 735623015
EAN: N/A
Year: 2004
Pages: 149
