Acquiring Identities with Browser-Based Authentication

Browser-Based Authentication lets you acquire identities from users the gateway cannot otherwise identify, for example managed users who connect from devices that are not in the domain, and guest users who have no account in the directory at all. The two scenarios below show one of each.

If unidentified users try to connect to network resources that are restricted to identified users, they are automatically redirected to the Captive Portal. If Transparent Kerberos Authentication is configured, the gateway first tries to identify users who are already logged in to the domain through the browser's Kerberos SSO, and shows the Captive Portal only if that fails.

Scenario: Recognized User from Unmanaged Device

Linda Smith, the CEO of ACME, recently bought her own personal iPad. She wants to access the internal Finance Web server from her iPad. Because the iPad is not a member of the Active Directory domain, AD Query cannot identify her seamlessly. However, she can enter her AD credentials in the Captive Portal and then get the same access as on her office computer. Her access to resources is based on rules in the Firewall Rule Base.

Required SmartConsole Configuration

To make this scenario work, the IT administrator must:

  1. Enable the Identity Awareness Software Blade on the Security Gateway.
  2. Select Browser-Based Authentication as one of the Identity Sources, and click Settings.
  3. In the Portal Settings window, in the User Access section, make sure that Name and password login is selected.
  4. Create a new rule in the Rule Base to let Linda Smith access the Finance Web server. Select Accept as the Action.
  5. Right-click the Action column and select More.

    The Action Settings window opens.

  6. Select Enable Identity Captive Portal.
  7. Click OK.
  8. From the Source of the rule, right-click to create an Access Role.
    1. Enter a Name for the Access Role.
    2. In the Users page, select Specific users and choose Linda Smith.
    3. In the Machines page, make sure that Any machine is selected.
    4. Click OK.

      The Access Role is added to the rule:

      Name         Source        Destination      VPN           Service   Action                                     Track
      CEO Access   Linda Smith   Finance_Server   Any Traffic   http      Accept (Enable Identity Captive Portal)    Log

User Experience

Linda Smith does these steps:

  1. Browses to the Finance server from her iPad.

    The Captive Portal opens because she is not identified and therefore cannot access the Finance Server.

  2. She enters her usual AD credentials in the Captive Portal.

    A Welcome to the network window opens.

  3. She can successfully browse to the Finance server.

User Identification in the Logs

The log entry in the Logs tab of the Logs & Monitor view shows how the system recognizes Linda Smith from her iPad. The identity in this log was acquired from the Captive Portal, which is shown as the identity source of the log entry.

Scenario: Guest Users from Unmanaged Device

Guests frequently come to the ACME company. While they visit, the CEO wants to let them access the Internet on their own laptops.

Amy, the IT administrator, configures the Captive Portal to let unregistered guests log in to the portal to get network access. She makes a rule in the Rule Base that lets unauthenticated guests access the Internet only.

When guests browse to the Internet, the Captive Portal opens. Guests enter their name, company, email address, and phone number in the portal. They then agree to the terms and conditions written in a network access agreement. Afterwards, they are given access to the Internet for a specified time.

Required SmartConsole Configuration

To make this scenario work, the IT administrator must:

  1. Enable the Identity Awareness Software Blade on the Security Gateway.
  2. Select Browser-Based Authentication as one of the Identity Sources, and click Settings.
  3. In the Portal Settings window, in the User Access section, make sure that Unregistered guest login is selected.
  4. Click Unregistered guest login - Settings.
  5. In the Unregistered Guest Login Settings window, configure:
    • The data guests must enter.
    • For how long users can access the network resources.
    • If a user agreement is required and its text.
  6. Create an Access Role rule in the Rule Base to let identified users access the Internet from the organization:
    1. Right-click Source and select Access Role.
    2. In the Users tab, select All identified users.
  7. Create an Access Role rule in the Rule Base to let Unauthenticated Guests access only the Internet:
    1. Right-click Source and select Access Role.
    2. In the Users tab, select Specific users > Unauthenticated Guests.
    3. Select Accept as the Action.
    4. Right-click the Action column and select More.

      The Action Settings window opens.

    5. Select Enable Identity Captive Portal.
    6. Click OK.
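The same objects that both procedures on this page build in SmartConsole (the CEO Access rule for Linda Smith, and the identified-user and Unauthenticated Guests rules for Internet access) can be created through the Check Point Management API. The script below is an added example, not Check Point's own code or the page's. It assumes a management server reachable over HTTPS, an Access Control layer named "Network", an Active Directory account unit object named "ACME_AD", an existing host object "Finance_Server", the predefined "Internet" object, and that the "users" values in the Access Role payloads ("all identified", and a source/selection pair for "Unauthenticated Guests") are how the API expresses the SmartConsole choices; check those against the API reference of the installed version. The "action-settings" field with "enable-identity-captive-portal" is the API counterpart of the Enable Identity Captive Portal checkbox.

```python
"""Both SmartConsole procedures on this page (the CEO Access rule and the two
guest rules) as Check Point Management API calls. Added example, not Check
Point's own code; see the lead-in for the assumptions it makes."""
import json
import ssl
import urllib.request
from typing import Any, List, Protocol, Tuple

AD_ACCOUNT_UNIT = "ACME_AD"  # assumption: name of the AD account unit object
POLICY_LAYER = "Network"     # assumption: Access Control layer holding the rules


class Api(Protocol):
    def post(self, command: str, payload: dict) -> dict: ...


class MgmtApi:
    """Minimal client for https://<mgmt>/web_api/<command>. TLS verification
    stays on: the management server's certificate must be trusted by this
    host, not ignored for convenience."""

    def __init__(self, host: str) -> None:
        self.url = f"https://{host}/web_api/"
        self.sid = None
        self.ctx = ssl.create_default_context()

    def post(self, command: str, payload: dict) -> dict:
        headers = {"Content-Type": "application/json"}
        if self.sid:
            headers["X-chkp-sid"] = self.sid  # session id returned by login
        req = urllib.request.Request(self.url + command, method="POST",
                                     data=json.dumps(payload).encode(),
                                     headers=headers)
        with urllib.request.urlopen(req, context=self.ctx) as resp:
            result = json.loads(resp.read())
        if command == "login":
            self.sid = result["sid"]
        return result


def access_role(name: str, users: Any) -> dict:
    """Access Role matched on users only: 'Any machine' and any network, as
    in the Machines page of both scenarios. users is the special value
    "all identified" or a list of {source, selection} entries."""
    return {"name": name, "users": users, "machines": "any", "networks": "any"}


def rule(name: str, role: str, destination: List[str], service: List[str],
         captive_portal: bool) -> dict:
    """Accept rule whose source is an Access Role. captive_portal=True is the
    'Enable Identity Captive Portal' checkbox: only a rule with it set
    redirects an unidentified user to the portal instead of simply not
    matching. position "top" is an assumption; in a real layer place the
    rule explicitly above the cleanup rule."""
    return {
        "layer": POLICY_LAYER, "position": "top", "name": name,
        "source": [role], "destination": destination, "service": service,
        "action": "Accept",
        "action-settings": {"enable-identity-captive-portal": captive_portal},
        "track": {"type": "Log"},
    }


def scenario_payloads() -> List[Tuple[str, dict]]:
    """(command, payload) pairs for both scenarios, in creation order."""
    ceo = [{"source": AD_ACCOUNT_UNIT, "selection": ["Linda Smith"]}]
    # assumption: wire value for the SmartConsole choice "Unauthenticated Guests"
    guests = [{"source": "Internal", "selection": ["Unauthenticated Guests"]}]
    return [
        ("add-access-role", access_role("CEO Access Role", ceo)),
        ("add-access-rule", rule("CEO Access", "CEO Access Role",
                                 ["Finance_Server"], ["http"], True)),
        ("add-access-role", access_role("Identified Users", "all identified")),
        ("add-access-rule", rule("Identified Internet", "Identified Users",
                                 ["Internet"], ["http", "https"], False)),
        ("add-access-role", access_role("Guests", guests)),
        ("add-access-rule", rule("Guest Internet", "Guests",
                                 ["Internet"], ["http", "https"], True)),
    ]


def deploy(api: Api, user: str, password: str) -> List[str]:
    """Log in, create every object, publish, log out. An API error discards
    the session so a half-built policy is never published. Returns the
    commands issued in order, so a fake Api can verify the flow offline."""
    issued: List[str] = []

    def call(command: str, payload: dict) -> dict:
        issued.append(command)
        result = api.post(command, payload)
        if "code" in result and "message" in result:  # error response shape
            raise RuntimeError(f"{command}: {result['message']}")
        return result

    call("login", {"user": user, "password": password})
    try:
        for command, payload in scenario_payloads():
            call(command, payload)
        call("publish", {})
    except Exception:
        call("discard", {})
        raise
    finally:
        call("logout", {})
    return issued


if __name__ == "__main__":
    import getpass
    print(deploy(MgmtApi("mgmt.acme.example"), "admin", getpass.getpass()))
```

Run it against a test management server first and compare the resulting rules with the ones the SmartConsole procedures produce; the order in which the Access Role rules land in the layer is what decides whether a guest is redirected to the portal or silently dropped by a later rule.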

User Experience

A guest visiting ACME does these steps:

  1. Browses to an internet site from her laptop.

    The Captive Portal opens because she is not identified and therefore cannot access the Internet.

  2. She enters her identifying data in the Captive Portal and reads through and accepts a network access agreement.

    A Welcome to the network window opens.

  3. She can successfully browse to the Internet for a specified time.