Configuring Authentication with Fallback Options
This document describes the following configurations:
- Authentication: RADIUS, LDAP and LOCAL
- Authentication Profile: RADIUS, LDAP and LOCAL
- Authentication Sequence: RADIUS, fallback to LDAP, fallback to LOCAL
- Using the Authentication Sequence for Firewall Administrator and Captive Portal
Device > Server-Profile > Radius
Configure the fields:
- Domain name: RADIUS server domain
- Server: Friendly name identifying the server
- IP address: Address of the server
- Port: 1812 (authentication)
Local User Authentication
Device > Local User Database > Users
- Create a local user, set a password and enable the user.
Device > Server-Profile > LDAP
- The “Base” field represents the point in the LDAP tree where the firewall connects and begins the search for users and groups.
- The “Bind DN” field contains the user name credentials that the firewall uses to access the AD/LDAP server to pull users and groups.
- SSL is checked by default and needs server port 636. Make sure to uncheck SSL if port 389 is used.
- Domain: Needs to be the NetBIOS domain, or leave it blank and the system will pull the domain information automatically.
Device > Authentication Profile
- Configure an Authentication Profile for Local, RADIUS and LDAP authentication by selecting the Authentication and Server profiles.
Device > Authentication Sequence
The sequence uses RADIUS as the primary authentication, LDAP as the first fallback and the Local Database as the second fallback.
- RADIUS > Fallback to LDAP > Fallback to Local
- Lockout Time: Number of minutes that a user is locked out once the number of failed attempts is reached (0-60 minutes, default 0). 0 means that the lockout stays in effect until it is manually unlocked.
- Failed Attempts: Number of failed login attempts that are allowed before the account is locked out (1-10, default 0). 0 means that there is no limit.
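The fallback order and the two lockout settings above, modelled as an added Python example (it is not Palo Alto Networks code and not part of the original document). The class and function names, the constructed user tables, the caller-supplied clock in minutes, and the rule that an unreachable server falls through to the next profile are assumptions made for illustration.

```python
import hmac

def store(creds):
    """Build a verifier over a constructed {user: password} table."""
    def verify(user, password):
        return user in creds and hmac.compare_digest(creds[user], password)
    return verify

def unreachable(user, password):
    raise ConnectionError("server did not answer")  # simulates an outage

class AuthSequence:
    def __init__(self, profiles, failed_attempts=0, lockout_minutes=0):
        self.profiles = profiles                # ordered (name, verifier) pairs
        self.failed_attempts = failed_attempts  # 0 = no limit
        self.lockout_minutes = lockout_minutes  # 0 = until manually unlocked
        self.failures, self.locked_at = {}, {}

    def unlock(self, user):
        self.failures.pop(user, None)
        self.locked_at.pop(user, None)

    def is_locked(self, user, now):
        if user not in self.locked_at:
            return False
        expired = self.lockout_minutes and now - self.locked_at[user] >= self.lockout_minutes
        if expired:
            self.unlock(user)  # timed lockout has run out
        return not expired

    def authenticate(self, user, password, now=0):
        """Return the name of the profile that accepted the login, else None."""
        if self.is_locked(user, now):
            return None
        for name, verify in self.profiles:
            try:
                if verify(user, password):
                    self.failures.pop(user, None)
                    return name
            except ConnectionError:
                continue  # server down: fall back to the next profile
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failed_attempts and self.failures[user] >= self.failed_attempts:
            self.locked_at[user] = now  # minutes, supplied by the caller
        return None
```

With Failed Attempts left at 0 the model never locks an account, and every profile in the sequence is tried on each attempt, so the lockout values deserve an explicit choice when a Local fallback exists.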
Authentication Sequence for Firewall Administrator
Device > Administrators
- Create an Administrator with Authentication Profile = Authentication Sequence profile.
- Choose Role-Dynamic-SuperUser.
Authentication Sequence for Captive-Portal Authentication
Device > User Identification > Captive Portal Settings
- Select the Authentication Sequence as the Authentication Profile.