
Authentication Policy

Authentication policies determine which data flows need to undergo portal authentication and authentication exemption.

By default, the FW does not authenticate data flows passing through it. Authentication policies are required to filter out the data flows that need to be authenticated. An authentication policy takes effect on the following authentication modes:

The following types of traffic do not trigger authentication even if they match the specified authentication policy:

  • Traffic destined for or originated by the FW
  • DHCP, BGP, OSPF, and LDP packets
  • The DNS packets belonging to an HTTP service data flow that triggers authentication are not controlled by the specified authentication policy. After the user is authenticated and logs in, those DNS packets are controlled by the authentication policy.

Policy Contents

An authentication policy is a set of authentication rules that determine whether to implement authentication on a data flow.

An authentication rule consists of conditions and an action. Conditions used by a FW to match packets are as follows:

  • Source zone

  • Destination zone

  • Source address/region

  • Destination address/region

An action indicates how a FW processes packets. Possible actions are as follows:

  • Portal authentication

    Portal authentication is implemented on data flows that meet conditions.

  • Authentication exemption

    Authentication exemption is implemented on data flows that meet the conditions. The FW identifies user identities by other means. This action applies to the following scenarios:

    • For top executives, having to be authenticated to obtain network access is undesirable. However, top executives have access to confidential data and therefore need higher information security than common users. You can bidirectionally bind top executives to IP or MAC addresses and configure the FW not to implement authentication on the data flows of top executives when they access network resources from the specified IP or MAC addresses. The FW identifies the users behind the IP addresses in data flows based on the mappings between users and IP or MAC addresses.
    • In an AD/Agile Controller/RADIUS SSO scenario, the FW has already obtained user information from another authentication system and therefore exempts SSO users from authentication.
  • No authentication

    No authentication is implemented on data flows that meet conditions. This action applies to the following scenarios:

    • Data flows that do not need to be authenticated by the FW, such as data flows between intranets.
    • In an AD/Agile Controller/RADIUS SSO scenario, the FW does not implement authentication on the data flows between users and the authentication server.
  • Anonymous authentication

    Anonymous authentication is implemented on data flows that match the policy. The user is authenticated without entering a user name or password; in this case, the FW identifies the user by IP address.

Matching Sequence

The FW matches packets with multiple authentication rules from top to bottom, as shown in Figure 1. If the attributes of a packet match all the conditions of an authentication rule, the rule is successfully matched, and the FW does not match the packet with other rules. If no rule is matched, the FW applies the default authentication policy to the packet.

Figure 1 Matching sequence of authentication policies

The FW has a default authentication policy with all matching conditions set to any and the action set to No authentication.
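The policy model described under Policy Contents and Matching Sequence (zone and address conditions, one of four actions, top-to-bottom first-match evaluation, a catch-all default rule, and the traffic types that never trigger authentication) can be expressed as a small evaluator. The following is an added illustration written for this page, not Huawei's code or configuration syntax: the rule names, zone names, addresses and the protocol-name check are all constructed for the example, and the action labels are shorthand for the four actions the page lists.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "any"

# Action shorthand for the four actions described on the page.
PORTAL, EXEMPT, NONE, ANONYMOUS = "portal", "exempt", "none", "anonymous"

# Per the page, these protocols never trigger authentication even when a rule
# matches. Matching them by a protocol label is a constructed simplification.
BYPASS_PROTOCOLS = {"dhcp", "bgp", "ospf", "ldp"}


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    protocol: str = "tcp"


@dataclass(frozen=True)
class Rule:
    """One authentication rule: four match conditions plus an action."""
    name: str
    action: str
    src_zone: str = ANY
    dst_zone: str = ANY
    src_net: str = ANY   # CIDR or "any"
    dst_net: str = ANY   # CIDR or "any"

    def matches(self, flow: Flow) -> bool:
        # All conditions must match for the rule to be hit.
        return (self._zone_ok(self.src_zone, flow.src_zone)
                and self._zone_ok(self.dst_zone, flow.dst_zone)
                and self._net_ok(self.src_net, flow.src_ip)
                and self._net_ok(self.dst_net, flow.dst_ip))

    @staticmethod
    def _zone_ok(cond: str, zone: str) -> bool:
        return cond == ANY or cond == zone

    @staticmethod
    def _net_ok(cond: str, ip: str) -> bool:
        return cond == ANY or ip_address(ip) in ip_network(cond, strict=False)


# Default policy from the page: every condition "any", action "No authentication".
DEFAULT_RULE = Rule("default", NONE)


class AuthPolicy:
    def __init__(self, rules, fw_addresses):
        self.rules = list(rules)
        self.fw_addresses = set(fw_addresses)   # the FW's own interface IPs

    def decide(self, flow: Flow):
        """Return (action, reason). Reason is the rule name or the bypass cause."""
        # Traffic destined for or originated by the FW never triggers authentication.
        if flow.src_ip in self.fw_addresses or flow.dst_ip in self.fw_addresses:
            return NONE, "fw-local"
        # DHCP/BGP/OSPF/LDP never trigger authentication either.
        if flow.protocol.lower() in BYPASS_PROTOCOLS:
            return NONE, "control-protocol"
        # Top-to-bottom evaluation; the first rule whose conditions all match wins.
        for rule in self.rules:
            if rule.matches(flow):
                return rule.action, rule.name
        return DEFAULT_RULE.action, DEFAULT_RULE.name


# Constructed sample policy. Rule order matters: more specific rules come first.
SAMPLE_POLICY = AuthPolicy(
    rules=[
        # Executives bound to a fixed subnet are exempted (FW identifies them by binding).
        Rule("exec_exempt", EXEMPT, src_zone="trust", src_net="10.1.1.0/24"),
        # SSO users talking to the authentication server: no authentication.
        Rule("sso_server", NONE, src_zone="trust", dst_net="10.9.9.10/32"),
        # Everyone else leaving the trust zone gets portal authentication.
        Rule("portal_all", PORTAL, src_zone="trust", dst_zone="untrust"),
    ],
    fw_addresses={"10.2.0.1"},
)


if __name__ == "__main__":
    for f in [Flow("trust", "untrust", "10.1.1.5", "8.8.8.8"),
              Flow("trust", "untrust", "10.2.0.7", "8.8.8.8"),
              Flow("trust", "trust", "10.2.0.7", "10.9.9.10"),
              Flow("trust", "local", "10.2.0.7", "10.2.0.1"),
              Flow("trust", "untrust", "10.2.0.7", "8.8.8.8", protocol="dhcp"),
              Flow("dmz", "dmz", "172.16.0.5", "172.16.0.9")]:
        print(f, "->", SAMPLE_POLICY.decide(f))
```

Running the block shows the two checks a practitioner usually wants to verify on a real policy: that the bypass cases (FW-local traffic, routing and DHCP control packets) are decided before any rule is consulted, and that an intranet flow nobody wrote a rule for falls through to the default rule and is not authenticated. Reordering `portal_all` above `exec_exempt` would silently send executives to the portal, which is the ordering mistake the first-match semantics make easy to introduce.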

Copyright © Huawei Technologies Co., Ltd.