Configuring Browser-Based Authentication
In the Identity Sources section of the Identity Awareness page, select Browser-Based Authentication to send unidentified users to the Captive Portal, the Identity Awareness web portal to which users connect with their web browser to log in and authenticate.
If you configure Transparent Kerberos Authentication (see Transparent Kerberos Authentication Configuration), the browser tries to identify AD users before sending them to the Captive Portal.
If you already configured the portal in the Identity Awareness Wizard or SmartConsole, its URL shows below Browser-Based Authentication.
To configure the Browser-Based Authentication settings:
- Select Browser-Based Authentication and click Settings.
- In the Portal Settings window, configure:
  - Portal Network Location
    Select whether the portal runs on this Security Gateway or on a different Identity Awareness Security Gateway. By default, the Captive Portal is on this Security Gateway, which redirects unidentified users to the Captive Portal it hosts. This is the basic configuration.
    A more advanced deployment is possible where the portal runs on a different Security Gateway. See the Identity Awareness Deployment section for more details.
  - Access Settings
    Click Edit to open the Portal Access Settings window. In this window, you can configure:
    - Main URL - The primary URL to which users are redirected for the Captive Portal. You might have already configured this in the Identity Awareness Configuration wizard.
    - Aliases - Click the Aliases button to add URL aliases that are redirected to the main portal URL. For example, ID.yourcompany.com can send users to the Captive Portal. To make the alias work, it must resolve to the main URL on your DNS server.
    - Certificate - Click Import to import a certificate for the portal website to use. If you do not import a certificate, the portal uses a Check Point auto-generated certificate. This can cause browser warnings if the browser does not recognize Check Point as a trusted Certificate Authority. See Server Certificates for more details.
    - Accessibility - Click Edit to select from where the portal can be accessed. You might have already configured this in the Identity Awareness Wizard. The options are based on the topology configured for the Security Gateway.
      - Select how users are sent to the Captive Portal, if they use networks connected to these interfaces:
        - Through all interfaces
        - Through internal interfaces
          - Including undefined internal interfaces
          - Including DMZ internal interfaces
          - Including VPN encrypted interfaces - Interfaces used for establishing route-based VPN tunnels (VTIs)
      - According to the Firewall policy - Select this if there is a rule that states who can access the portal.
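The Aliases item above only works when each alias resolves, on your DNS server, to the same address as the main portal URL. As an added example (not Check Point code), this script classifies each alias as ok, unresolved or pointing at a different host; the resolver is injectable so the check runs here against a constructed hosts table, and every host name and address in it is assumed.

```python
import socket
from urllib.parse import urlparse

def portal_host(url):
    """Return the lower-cased host from a portal URL or a bare host name."""
    parsed = urlparse(url if "://" in url else "https://" + url)
    if not parsed.hostname:
        raise ValueError("no host in portal URL: %r" % url)
    return parsed.hostname

def resolve_live(host):
    """Resolve host with the system resolver; empty set if it does not resolve."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(host, None)}
    except socket.gaierror:
        return set()

def check_aliases(main_url, aliases, resolve=resolve_live):
    """Classify each alias as 'ok' (resolves only to the main URL's addresses),
    'unresolved' (no DNS record) or 'mismatch' (points at another host)."""
    main_addrs = resolve(portal_host(main_url))
    if not main_addrs:
        raise RuntimeError("main portal URL does not resolve: " + main_url)
    report = {}
    for alias in aliases:
        addrs = resolve(portal_host(alias))
        if not addrs:
            report[alias] = "unresolved"
        elif addrs <= main_addrs:
            report[alias] = "ok"
        else:
            report[alias] = "mismatch"
    return report

# Constructed hosts table standing in for the DNS server; all names hypothetical.
SAMPLE_DNS = {
    "portal.example.com": {"192.0.2.10"},
    "id.example.com": {"192.0.2.10"},
    "login.example.com": {"192.0.2.99"},  # stale record: this redirect would break
}

def sample_report():
    """Run the check against the constructed table instead of live DNS."""
    return check_aliases("https://portal.example.com/connect",
                         ["id.example.com", "login.example.com", "missing.example.com"],
                         resolve=lambda host: SAMPLE_DNS.get(host, set()))

if __name__ == "__main__":
    for alias, status in sample_report().items():
        print(alias, status)
```

Call check_aliases with the default resolver to run the same check against your real DNS before users are redirected to an alias.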
  - Authentication Settings
    Click Settings to open the Authentication Settings window. In this window you can configure:
    - Browser transparent Single Sign-On
      Select Automatically authenticate users from computers in the domain if Transparent Kerberos Authentication is used to identify users.
      - Main URL - The URL used to begin the SSO process. If transparent authentication fails, users are redirected to the configured Captive Portal. This URL contains the DNS name or IP address of the Identity Awareness Gateway.
      Note - The Identity Agent download link and the Automatic Logout option are ignored when Transparent Kerberos Authentication SSO is successful, because users do not see the Captive Portal.
    - Authentication Method
      Select one method that known users must use to authenticate.
      - Defined on user record (Legacy Authentication) - Takes the authentication method from Gateway Object Properties > Other > Legacy Authentication.
      - User name and password - This can be configured internally or on an LDAP server.
      - RADIUS - A configured RADIUS server. Select the server from the list.
    - User Directories
      Select one or more places where the Security Gateway searches to find users when they try to authenticate.
      - Internal users - The directory of internal users.
      - LDAP users - The directory of LDAP users. Either:
        - Any - Users from all LDAP servers.
        - Specific - Users from an LDAP server that you select.
      - External user profiles - The directory of users who have external user profiles.
      By default, all user directory options are selected. You might choose only one or two options if users come only from specified directories and you want to maximize Security Gateway performance when users authenticate. Users with identical user names must log in with domain\user.
Customize Appearance
Click Edit to open the Portal Customization window and edit the images that users see in the Captive Portal. Configure the labeled elements of the image below.
  - User Access
    Configure what users can do in the Captive Portal to become identified and access the network.
    - Name and password login - Users are prompted to enter an existing user name and password. This only lets known users authenticate.
      Click Settings to configure settings for known users after they enter their user names and passwords successfully.
      - Access will be granted for xxx minutes - For how long users can access network resources before they have to authenticate again.
      - Ask for user agreement - You can require that users sign a user agreement. Click Edit to upload an agreement. This option is not selected by default because a user agreement is not usually necessary for known users.
      - Adjust portal settings for specific user groups - You can add user groups and give them settings that are different from other users. Settings specified for a user group here override settings configured elsewhere in the Portal Settings. The options that you configure for each user group are:
        - Whether they must accept a user agreement.
        - Whether they must download an Identity Agent, and which one.
        - Whether they can defer the Identity Agent installation, and until when.
      You can only configure settings for Identity Agent deployment if Identity Agents is selected on the Identity Awareness page.
    - Unregistered guests login - Lets guests who are not known to the Security Gateway access the network after they enter the required data.
      Click Settings to configure settings for guests.
      - Access will be granted for xxx minutes - For how long guests can access network resources before they have to authenticate again.
      - Ask for user agreement - Makes users sign a user agreement. Click Edit to choose an agreement; the End-user Agreement Settings page opens. Select an agreement to use:
        - Default agreement with this company name - Select this to use the standard agreement. See the text in the Agreement preview. Replace Company Name with the name of your company. This name is used in the agreement.
        - Customized agreement - Paste the text of a customized agreement into the text box. You can use HTML code.
      - Login Fields - Edit the table until it contains the fields that users complete, in that sequence. Select Is Mandatory for each field that guests must complete before they can get access to the network. To add a new field, enter it in the empty field and then click Add. Use the green arrows to change the sequence of the fields. The first field shows the user name in Logs & Monitor > Logs.
Identity Agent Deployment from the Portal
If Identity Agents is selected as a method to acquire identities, you can require users to download the Identity Agent from the Captive Portal. You can also let users install the Identity Agent on a specified later date and not right away
-
Require users to download - Select this to make users install the Identity Agent. Select which Identity Agent they must install. If this option is selected and the defer option is not selected, users are not able to access the network if they install the Identity Agent.
-
Users may defer installation until - Select to give users flexibility to choose when to install the Identity Agent. Select the date by which they must install it. Until that date a Skip Identity Agent installation option shows in the Captive Portal.
-
Note - When you enable Browser-Based Authentication on an IPSO Security Gateway that is on an IP Series appliance, make sure to set the Voyager management application port to a port other than 443 or 80.
-