beautypg.com

Authentication processing – Amer Networks E5Web GUI User Manual

Page 537

background image

The maximum time that a connection can exist (no value is specified by default).

If an authentication server is being used then the option to Use timeouts received from the
authentication server
can be enabled to have these values set from the server.

Multiple Logins

An Authentication Rule can specify how multiple logins are handled where more than one user
from different source IP addresses try to login with the same username. The possible options are:

Allow multiple logins so that more than one client can use the same username/password
combination.

Allow only one login per username.

Allow one login per username and logout an existing user with the same name if they have
been idle for a specific length of time when the new login occurs.

8.2.6. Authentication Processing

The list below describes the processing flow through cOS Core for username/password
authentication:

1.

A user creates a new connection to the Clavister Security Gateway.

2.

cOS Core sees the new user connection on an interface and checks the Authentication rule
set
to see if there is a matching rule for traffic on this interface, coming from this network
and data which is one of the following types:

HTTP traffic

HTTPS traffic

IPsec tunnel traffic

L2TP tunnel traffic

PPTP tunnel traffic

SSL VPN tunnel traffic

3.

If no rule matches, the connection is allowed, provided the IP rule set permits it, and
nothing further happens in the authentication process.

4.

Based on the settings of the first matching authentication rule, cOS Core may prompt the
user with an authentication request which requires a username/password pair to be
entered.

5.

cOS Core validates the user credentials against the Authentication Source specified in the
authentication rule. This will be either a local cOS Core database, an external RADIUS
database server or an external LDAP server.

6.

cOS Core then allows further traffic through this connection as long as authentication was
successful and the service requested is allowed by a rule in the IP rule set. That rule's Source
Network object has either the No Defined Credentials option enabled or alternatively it is
associated with a group and the user is also a member of that group.

Chapter 8: User Authentication

537

This manual is related to the following products: