Identity Sources

Browser-Based Authentication

Browser-Based Authentication gets identities and authenticates users with one of these acquisition methods:

How Captive Portal Works

Captive Portal is a simple method that authenticates users with a web interface. When users try to access a protected web resource, they enter authentication information in a form that shows in their web browser.

The Captive Portal shows when a user tries to access a web resource and all of these conditions apply:

The Captive Portal also shows when Transparent Kerberos Authentication is enabled, but authentication fails.

From the Captive Portal, users can:

Browser-Based Authentication with Captive Portal:

| Item | Description |
|------|-------------|
| 1 | User |
| 2 | Identity Awareness Gateway |
| 3 | Captive Portal |
| 4 | Active Directory Domain Controller |
| 5 | Internal Data Center |

Flow of events for Browser-Based Authentication with Captive Portal:

  1. A user (1) wants to access the Internal Data Center (5).
  2. Identity Awareness Gateway (2) does not recognize the user and redirects the user's web browser to the Captive Portal (3).
  3. The user enters regular office credentials. The credentials can be AD or other Check Point supported authentication methods, such as LDAP, Check Point internal credentials, or RADIUS.
  4. The credentials go to the Identity Awareness Gateway, which finds them in the AD server (4).
  5. The user can access the requested URL in the Data Center (5).

How Transparent Kerberos Authentication Works

Browser-Based Authentication with Transparent Kerberos Authentication:

Transparent Kerberos Authentication authenticates users by getting authentication data from the web browser without any user input. If authentication is successful, the user goes directly to the specified destination. If authentication fails, the user must enter credentials in the Captive Portal.

Flow of events for Browser-Based Authentication with Transparent Kerberos Authentication:

  1. A user wants to access the Internal Data Center.
  2. Identity Awareness Gateway does not recognize the user and redirects the user's web browser to the Transparent Authentication page.
  3. The Transparent Authentication page asks the web browser to authenticate itself.
  4. The web browser gets a Kerberos ticket from Active Directory and presents it to the Transparent Authentication page.
  5. The Transparent Authentication page sends the ticket to the Identity Awareness Gateway, which authenticates the user and redirects the user's web browser to the originally requested URL.
  6. If Kerberos authentication fails for some reason, Identity Awareness Gateway redirects the user's web browser to the Captive Portal.
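
A troubleshooting sketch for steps 3 to 6 above, added here and not taken from Check Point's documentation or code. It assumes the browser presents its ticket through the standard HTTP `Negotiate` scheme (the page does not name the mechanism) and classifies the `Authorization` header to show why a browser that offers NTLM instead of a Kerberos ticket ends up at the Captive Portal. The function names, the `next_step` mapping and the sample headers are constructed for illustration.

```python
import base64
import binascii

# DER-encoded mechanism OIDs as they appear inside a Negotiate token.
OID_SPNEGO = bytes.fromhex("06062b0601050502")         # 1.3.6.1.5.5.2
OID_KRB5 = (bytes.fromhex("06092a864886f712010202"),   # 1.2.840.113554.1.2.2
            bytes.fromhex("06092a864882f712010202"))   # 1.2.840.48018.1.2.2 (legacy Microsoft)
OID_NTLM = bytes.fromhex("060a2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10
NTLMSSP = b"NTLMSSP\x00"

def classify_negotiate(header):
    """Return which mechanism an Authorization header value offers first."""
    scheme, _, blob = (header or "").strip().partition(" ")
    if scheme.lower() != "negotiate" or not blob.strip():
        return "no-token"
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except (binascii.Error, ValueError):
        return "malformed"
    if token.startswith(NTLMSSP):
        return "ntlm"                      # raw NTLM, no SPNEGO wrapper
    if not token.startswith(b"\x60"):      # GSS-API InitialContextToken tag
        return "malformed"
    # Position of each mechanism OID; the one listed first is the preferred one.
    krb = min((p for p in (token.find(o) for o in OID_KRB5) if p >= 0), default=-1)
    ntlm = token.find(OID_NTLM)
    if krb >= 0 and (ntlm < 0 or krb < ntlm):
        return "kerberos"
    return "ntlm" if ntlm >= 0 else "other"

def next_step(header):
    """Hypothetical mapping onto the flow above: only a Kerberos token goes on to validation."""
    return "validate-ticket" if classify_negotiate(header) == "kerberos" else "captive-portal"

def _spnego(*mech_oids):
    """Constructed NegTokenInit skeleton (mechTypes only, no real ticket)."""
    der = b"".join(mech_oids)
    for tag in (0x30, 0xA0, 0x30, 0xA0):   # mechTypes SEQUENCE up to the NegTokenInit wrapper
        der = bytes([tag, len(der)]) + der
    der = OID_SPNEGO + der
    return "Negotiate " + base64.b64encode(bytes([0x60, len(der)]) + der).decode()

SAMPLES = {  # constructed header values, not captured traffic
    "kerberos-first": _spnego(OID_KRB5[1], OID_KRB5[0], OID_NTLM),
    "ntlm-only": _spnego(OID_NTLM),
    "raw-ntlm": "Negotiate " + base64.b64encode(NTLMSSP + b"\x01\x00\x00\x00").decode(),
}
```

A `kerberos` result only means a ticket was offered; the ticket itself still has to be validated before the user is treated as authenticated.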