Authentication domains are important in the authentication process. The authentication domain configuration determines the user authentication mode and user organizational structure.
Authentication domains have the following functions:
An authentication domain is a user organizational structure container.
Users, user groups, and security groups belong to certain authentication domains. For details, see User Organizational Structure.
An authentication domain determines the user authentication method.
The authentication method configured in an authentication domain applies to remote access users and to Internet access users who use either user-initiated or redirected authentication. All users in one authentication domain are authenticated the same way, either locally on the FW or by an authentication server.
How the FW identifies a user's authentication domain depends on the scenario, as shown in Table 1.

| Authentication Category | Function of the Authentication Domain | How the User's Authentication Domain Is Determined |
|---|---|---|
| Embedded portal authentication (local or server authentication) for Internet access users, and authentication for remote access users | The FW identifies the authentication domain from the user name and authenticates the user according to that domain's configuration, using either local or server authentication. | The string after the at sign (@) names the authentication domain, so user1@bj belongs to the bj domain. If the named domain (bj, hz, and so on) does not exist on the FW, the login fails. A user name without an @ belongs to the default authentication domain. Users in a newly configured domain must therefore log in as Login Name@Authentication Domain; users in the default domain enter only their login name. Note: in LDAP and AD server authentication scenarios, users on the authentication server can only be imported into the default authentication domain or into an FW domain with the same name as the server domain; otherwise the import fails. |
| SSO for Internet access users | The FW only receives user login and logout messages from the authentication server and does not take part in authentication, so the authentication mode set in the domain has no effect on SSO users. Because SSO users still log in to the FW and the FW applies user-specific control to them, they must still belong to an authentication domain. | |
| User-defined Portal authentication (the FW takes part in user authentication) | By identifying the authentication domain in the user name, the FW assigns each user to the corresponding domain; authentication, authorization, and accounting are then performed according to that domain's configuration. | The string after the at sign (@) names the authentication domain, so user1@bj belongs to the bj domain. If the named domain does not exist on the FW, the login fails. A user name without an @ belongs to the default authentication domain. Users outside the default domain must log in as login-name@authentication-domain-name; users in the default domain enter only the login name. |
| Authentication exemption for Internet access users | The authentication domain is only the top-level parent group of authentication-exempt users. | The FW identifies a local user's authentication domain from the user's IP/MAC address binding. |
| NTLM authentication for Internet access users | The authentication domain is only the parent group of NTLM authentication users. | The user preferentially goes online in the FW authentication domain that corresponds to the Windows domain the user logged in to. If no corresponding authentication domain exists on the FW, the user goes online in the default authentication domain. |
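The domain selection rules in Table 1 are easy to get wrong when naming domains on the FW, so here is a small model of them, written for this page as an added example rather than taken from the FW itself. It covers the user-name rule (string after @, default domain when there is no @, login failure for an unknown domain), the NTLM fallback to the default domain, and the LDAP/AD import restriction. It assumes the default domain is named "default", that domain names compare case-insensitively, and that when a login name contains more than one @ the text after the last one is the domain; none of these details are stated on the page.

```python
"""Added example (not the FW's own code): a model of how the FW picks a user's
authentication domain for portal / remote-access logins and for NTLM logins,
following the rules in the table above.

Assumptions made here: the default domain is named "default", domain names are
compared case-insensitively, and if a login name contains more than one "@"
the text after the LAST one is treated as the domain name (the page only says
"the string after the at sign").
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

DEFAULT_DOMAIN = "default"  # assumed name of the default authentication domain


@dataclass
class AuthDomain:
    name: str
    auth_mode: str                         # "local" or "server"
    windows_domain: Optional[str] = None   # Windows domain mapped to this FW domain (NTLM users)


@dataclass
class Firewall:
    domains: Dict[str, AuthDomain] = field(default_factory=dict)

    def __post_init__(self) -> None:
        # The default domain always exists; users without "@" land here.
        self.add_domain(AuthDomain(DEFAULT_DOMAIN, "local"))

    def add_domain(self, domain: AuthDomain) -> None:
        self.domains[domain.name.lower()] = domain

    def resolve_login_name(self, login_name: str) -> Tuple[str, AuthDomain]:
        """Portal / remote access: 'user1@bj' -> (user1, bj); 'user1' -> default domain.
        Raises LookupError when the named domain does not exist, i.e. the login fails."""
        name, sep, dom = login_name.rpartition("@")
        if not sep:
            name, dom = login_name, DEFAULT_DOMAIN
        domain = self.domains.get(dom.lower())
        if domain is None:
            raise LookupError(f"authentication domain '{dom}' does not exist; login rejected")
        return name, domain

    def resolve_ntlm(self, windows_domain: str) -> AuthDomain:
        """NTLM: the FW domain mapped to the user's Windows domain, else the default domain."""
        for domain in self.domains.values():
            if domain.windows_domain and domain.windows_domain.lower() == windows_domain.lower():
                return domain
        return self.domains[DEFAULT_DOMAIN]

    def import_allowed(self, server_domain: str, target_domain: str) -> bool:
        """LDAP/AD import: the target must be the default domain or an FW domain with the
        same name as the server domain, and it must exist on the FW."""
        target = target_domain.lower()
        return target in self.domains and target in (DEFAULT_DOMAIN, server_domain.lower())


def build_example_fw() -> Firewall:
    """Constructed sample configuration: two extra domains beside the default one."""
    fw = Firewall()
    fw.add_domain(AuthDomain("bj", "server", windows_domain="CORP"))
    fw.add_domain(AuthDomain("hz", "local"))
    return fw


if __name__ == "__main__":
    fw = build_example_fw()
    for login in ("user1@bj", "user2", "user3@hz"):
        user, dom = fw.resolve_login_name(login)
        print(f"{login:10} -> user={user} domain={dom.name} mode={dom.auth_mode}")
    try:
        fw.resolve_login_name("user4@sz")
    except LookupError as err:
        print("user4@sz   ->", err)
    print("NTLM CORP  ->", fw.resolve_ntlm("CORP").name)
    print("NTLM LAB   ->", fw.resolve_ntlm("LAB").name)
```

The point to take from the model is that the default domain is the catch-all for every login name without an @ and for every NTLM user whose Windows domain has no matching FW domain, so the default domain's authentication mode and permissions deserve the same scrutiny as the explicitly configured ones.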
Whether a user can log in to the FW does not depend on the authorization scheme configured in the authentication domain. For example, if the domain uses server authentication with local authorization, a user can log in even though no account for that user has been created on the FW; how such users are then handled is governed by the new user option described later on this page.
The authentication domain can apply access control to different kinds of users:
Online behavior management: controls Internet access users through security policies, policy-based routes, and traffic policies.
VPN access: controls remote access users, such as SSL VPN, L2TP, L2TP over IPSec, and remote IPSec VPN access users.
In addition, the FW uses the authentication domain's settings to decide whether online behavior management applies to its users. If an authentication domain allows online behavior management, the FW applies policy control to remote access users in that domain directly, without secondary authentication. If an authentication domain allows only VPN access, the FW cannot apply policy control to its remote access users; to do so, create a separate online behavior management authentication domain and have those users perform secondary authentication in it.
Administrator access: controls administrators. If an authentication domain allows administrator access, it can be used to authenticate administrator logins.
The authentication domain also determines whether users are authenticated locally or by a server.
With local authentication, the FW verifies user identities itself and no authentication server is required.
With server authentication, you must configure an authentication server on the FW, and that server verifies user identities.
For VPN access users, the FW assigns private IP addresses and network server addresses according to the address pool, DNS server, and DHCP server configured in the authentication domain. Users then use these assigned parameters to reach network resources.
Authentication domains used only for online behavior management need no address pool or network server configuration.
A new user is a user who passes authentication but whose information does not exist on the FW. For example, users whose names and passwords are created on an AD server but not on the FW are new users: they can pass server authentication, but the FW stores no information about them.
The new user option defines how the FW handles new users. The FW processes new users according to whichever of the following options is configured:
Prohibit New User Login
The FW does not add new users to its local user list and rejects a new user's login request even when the authentication server has authenticated that user.
Use It as a Temporary One and Do Not Add It to the Local User List
The FW treats a newly authenticated user as a temporary user and does not add the user to the local user list. A temporary user inherits the Internet access permissions of a group on the FW, so keep that group's permissions to the minimum such users need.
Temporary user information is valid for a single login only. It is discarded when the user goes offline or the FW restarts, and the user is treated as a new user again at the next login.
By default, no new user option is configured. Clearing the new user option deletes its configuration and restores this default state. This function is supported in V600R007C20SPC500 and later versions.
For login efficiency, treat new users as temporary users and do not add them to the local user list.
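To make the difference between the two new user options concrete, the following model, added here as an example and not taken from the FW, runs the same three logins under each option: an account that exists only on the authentication server, an account that also exists on the FW, and an account the server does not know. It assumes the server can be stubbed as a set of account names, that the FW's local user list is a mapping from user to permissions, and that temporary users inherit the permissions of one configured group.

```python
"""Added example (not the FW's own code): a model of how the two new user
options above decide the outcome of a login for an account that the
authentication server accepts but that was never created on the FW.

Assumptions: the authentication server is stubbed as a set of account names,
the FW's local user list is a dict of user -> permissions, and a temporary
user inherits the permissions of a single configured FW group.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Set

PROHIBIT_NEW_USER = "prohibit_new_user_login"
TEMPORARY_NEW_USER = "temporary_do_not_add_to_local_list"


@dataclass
class LoginResult:
    allowed: bool
    reason: str
    permissions: FrozenSet[str] = frozenset()


@dataclass
class NewUserHandler:
    option: str
    server_accounts: Set[str]                 # constructed stub of the AD/LDAP server
    local_users: Dict[str, FrozenSet[str]]    # users created on the FW -> their permissions
    temp_group_permissions: FrozenSet[str]    # inherited by temporary users
    sessions: Dict[str, FrozenSet[str]] = field(default_factory=dict)  # users currently online

    def is_new_user(self, user: str) -> bool:
        # A new user is one the FW has no record of. Temporary sessions are never
        # written to the local list, so such a user stays "new" on every login.
        return user not in self.local_users

    def login(self, user: str) -> LoginResult:
        if user not in self.server_accounts:
            return LoginResult(False, "server authentication failed")
        if not self.is_new_user(user):
            perms = self.local_users[user]
            self.sessions[user] = perms
            return LoginResult(True, "local user", perms)
        if self.option == PROHIBIT_NEW_USER:
            # Rejected even though the server authenticated the account.
            return LoginResult(False, "new user login prohibited")
        if self.option == TEMPORARY_NEW_USER:
            self.sessions[user] = self.temp_group_permissions
            return LoginResult(True, "temporary user", self.temp_group_permissions)
        raise ValueError(f"unknown new user option: {self.option}")

    def session_permissions(self, user: str) -> Optional[FrozenSet[str]]:
        return self.sessions.get(user)

    def logout(self, user: str) -> None:
        # Temporary user information lives only for one login.
        self.sessions.pop(user, None)

    def restart(self) -> None:
        # A restart drops every session, temporary users included.
        self.sessions.clear()


def build_handler(option: str) -> NewUserHandler:
    """Constructed sample: alice exists only on the server, bob also exists on the FW."""
    return NewUserHandler(
        option=option,
        server_accounts={"alice", "bob"},
        local_users={"bob": frozenset({"internet", "vpn"})},
        temp_group_permissions=frozenset({"internet"}),
    )


if __name__ == "__main__":
    for option in (PROHIBIT_NEW_USER, TEMPORARY_NEW_USER):
        handler = build_handler(option)
        for user in ("alice", "bob", "mallory"):
            result = handler.login(user)
            print(f"{option:36} {user:8} allowed={result.allowed!s:5} "
                  f"{result.reason} {sorted(result.permissions)}")
        handler.logout("alice")
        print(f"{option:36} alice after logout: {handler.session_permissions('alice')}")
```

Under Prohibit New User Login, a successful server authentication is not enough on its own: the account must also exist on the FW. Under the temporary option, the permissions a new user gets are entirely those of the inherited group, which is why that group should be kept minimal.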