Session Authentication


The third type of authentication available is session authentication. Session authentication enables you to grant users access to any service, without requiring them to originate from the same source IP.

In order to accomplish this type of authentication, the user must run a session authentication agent. This agent is responsible for receiving the authentication request from the firewall, prompting the user for his or her login credentials, and transmitting that information back to the firewall. The session authentication agent can be found on the Check Point installation CD, and does not require any special licensing.

Configuring session authentication is similar to configuring client or user authentication. First, ensure that your users are configured in the user manager. Then, add a rule to the standard rule base as in rule 8 in Figure 6.16.

Figure 6.16: Session Authentication Rule

Here, the rule is similar to our previous rule for client authentication. Note that it is not required that you restrict session authentication to a service. Again, there are action properties available for session authentication, accessible by right-clicking on the Session Auth icon and choosing Edit properties (see Figure 6.17).

Figure 6.17: Session Authentication Action Properties

The Source and Destination properties behave here just as they do in client or user authentication. Contact Agent At enables you to specify where the authentication agent is running. In general, the agent will be running on the user's workstation, which is located at the source of the connection, so this setting should be left as Src. In special cases, when the authentication agent is installed elsewhere, you can specify that location via this setting.

Accept only if connection is encrypted enables you to reject connections, even if the authentication information is valid, unless the user is connecting through an encrypted VPN connection.

Query user identity from UserAuthority enables you to integrate session authentication with a UserAuthority server for Single Sign On.
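The following is an added example, not code from the book or from Check Point: a small Python model of how a session authentication rule and its action properties (Contact Agent At and Accept only if connection is encrypted) combine to reach a decision. The class and function names, the "Any" matching, and the callback standing in for the agent exchange are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# Constructed model of a session-authentication rule (Figure 6.16) and its
# action properties (Figure 6.17). Names are assumptions, not Check Point's API.

@dataclass
class Connection:
    src: str
    dst: str
    service: str
    encrypted: bool  # True when the connection arrives over a VPN tunnel

@dataclass
class SessionAuthRule:
    sources: set        # source objects the rule matches; "Any" matches all
    destinations: set
    services: set
    contact_agent_at: str = "Src"          # "Src" or an explicit agent host
    accept_only_if_encrypted: bool = False

def agent_address(rule: SessionAuthRule, conn: Connection) -> str:
    """Where the firewall sends the authentication request (Contact Agent At)."""
    return conn.src if rule.contact_agent_at == "Src" else rule.contact_agent_at

def matches(rule: SessionAuthRule, conn: Connection) -> bool:
    def hit(objs: set, value: str) -> bool:
        return "Any" in objs or value in objs
    return (hit(rule.sources, conn.src) and hit(rule.destinations, conn.dst)
            and hit(rule.services, conn.service))

def evaluate(rule: SessionAuthRule, conn: Connection,
             ask_agent: Callable[[str], Optional[Tuple[str, str]]],
             valid_users: dict) -> str:
    """Return 'accept', 'reject' or 'no-match'.

    ask_agent(agent_host) stands in for the firewall's exchange with the
    session authentication agent; it returns (user, password) or None when the
    agent is unreachable or the user cancels. valid_users is a constructed
    stand-in for the user manager."""
    if not matches(rule, conn):
        return "no-match"
    creds = ask_agent(agent_address(rule, conn))
    if creds is None:
        return "reject"
    user, password = creds
    if valid_users.get(user) != password:
        return "reject"
    # Valid credentials are still refused when the rule requires encryption.
    if rule.accept_only_if_encrypted and not conn.encrypted:
        return "reject"
    return "accept"
```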

Session Authentication versus Client and User Authentication

Table 6.2 compares various aspects of session, client, and user authentication:

Table 6.2: Session Authentication versus Client and User Authentication

Authentication Property   User Authentication                 Client Authentication       Session Authentication
Based on source IP        No                                  Yes                         No
Restrict on Username      Yes                                 Yes                         Yes
Transparent               Optional                            Depends on Sign On Method   Yes
Services Available        HTTP, HTTPS, FTP, telnet, rlogin    All                         All
Agent required            No                                  No                          Yes




Check Point NG[s]AI
ISBN: 735623015
Year: 2004
Pages: 149