This section describes the scenarios in which users access network resources and the operations users must perform in each scenario to be authenticated before they can access those resources.
In the portal authentication scenario, Internet access users can access network resources only after being authenticated by the FW. Authentication modes are as follows:
Redirected authentication
Redirected authentication applies to Internet access users who access HTTP services using web browsers. For example, a user uses Internet Explorer to access www.example.org. After receiving the user's HTTP request, the FW redirects the browser to its web authentication page, which Internet Explorer then displays.
User name and password authentication: Enter your user name and password.
After the users are authenticated, users can change their passwords or log out of the system on the authentication web pages.
Users are automatically logged out after the timeout period expires. Users can also click Logout on the authentication web pages to log out of the system at any time.
After the users are authenticated, their browsers either remain on the authentication web page or are redirected to the originally requested web page or to a web page specified by the administrator.
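The following Python model, added here as an illustration and not taken from the FW or from Huawei, puts the redirected-authentication flow above into code: an HTTP request from an unauthenticated source is answered with a redirect to the FW authentication page carrying the requested URL, a correct user name and password place the source in an online-user table, the entry expires after an idle timeout (automatic logout), the user can log out explicitly, and after login the browser is sent to the specified page or to the originally requested page. The interface IP 10.3.0.1 and port 8887 are the page's own example values; the local user database, the timeout value and the name of the "url" query parameter are constructed for the example.

```python
"""Model of the FW portal flow for redirected authentication (added example,
not Huawei code). An HTTP request from an unauthenticated source is answered
with a redirect to the FW authentication page, correct credentials put the
source into the online-user table, the entry expires after an idle timeout
(automatic logout), and the user can log out explicitly at any time.

Assumptions: the user database, the idle timeout and the 'url' query
parameter name are constructed here; 10.3.0.1:8887 is the page's example.
"""
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

PORTAL_IP = "10.3.0.1"        # inside interface IP address of the FW
PORTAL_PORT = 8887            # authentication port
PORTAL_BASE = f"https://{PORTAL_IP}:{PORTAL_PORT}/"

# Constructed local user database (plaintext only to keep the model short;
# a real store holds salted password hashes).
LOCAL_USERS = {"alice": "S3cure-Pass!", "bob": "An0ther-Pass!"}


def requested_url_from(portal_url):
    """Recover the originally requested URL carried in the 'url' parameter of
    the portal redirect. Only http/https targets are accepted, so the
    post-login redirect cannot be pointed at an arbitrary scheme."""
    wanted = parse_qs(urlsplit(portal_url).query).get("url", [None])[0]
    if wanted and urlsplit(wanted).scheme in ("http", "https"):
        return wanted
    return None


class Portal:
    def __init__(self, idle_timeout=900, after_auth_page=None):
        self.idle_timeout = idle_timeout        # seconds of inactivity allowed
        self.after_auth_page = after_auth_page  # optional "specified web page"
        self.online = {}                        # src_ip -> {"user", "last_seen"}

    def handle_http(self, src_ip, url, now):
        """Decide what happens to an HTTP request from src_ip at time 'now'.
        Returns ('allow', url) for an authenticated, still-active source and
        ('redirect', portal_url) otherwise."""
        entry = self.online.get(src_ip)
        if entry is not None and now - entry["last_seen"] <= self.idle_timeout:
            entry["last_seen"] = now            # activity refreshes the idle timer
            return ("allow", url)
        self.online.pop(src_ip, None)           # idle timeout: automatic logout
        return ("redirect", PORTAL_BASE + "?" + urlencode({"url": url}))

    def authenticate(self, src_ip, username, password, now, wanted_url=None):
        """Check the submitted credentials against the local user database.
        On success the source becomes an online user and the page the browser
        is sent to next is returned: the administrator-specified page if one is
        configured, else the originally requested URL, else the portal page.
        Returns None on failure."""
        expected = LOCAL_USERS.get(username)
        if expected is None or not hmac.compare_digest(
                expected.encode(), password.encode()):
            return None
        self.online[src_ip] = {"user": username, "last_seen": now}
        return self.after_auth_page or wanted_url or PORTAL_BASE

    def logout(self, src_ip):
        """Explicit logout via the Logout button; True if the source was online."""
        return self.online.pop(src_ip, None) is not None

    def online_user(self, src_ip):
        entry = self.online.get(src_ip)
        return entry["user"] if entry else None


if __name__ == "__main__":
    portal = Portal(idle_timeout=600)
    client = "192.0.2.10"
    action, target = portal.handle_http(client, "http://www.example.org/", now=0)
    print(action, target)
    wanted = requested_url_from(target)
    print(portal.authenticate(client, "alice", "S3cure-Pass!", now=1, wanted_url=wanted))
    print(portal.handle_http(client, "http://www.example.org/", now=100))
    print(portal.handle_http(client, "http://www.example.org/", now=800))
```

Two points worth noticing: activity refreshes the idle timer only while the source is authenticated, so the first request after the timeout is what removes the stale entry and triggers a fresh redirect; and the post-login target is checked to be an http/https URL before the browser is sent there, which is the check a portal needs because the requested URL arrives from the client.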
User-initiated authentication
Before accessing network resources, Internet access users use browsers to access the authentication web pages of the FW.
User name and password authentication: Access http://Interface IP Address:Authentication Port or https://Interface IP Address:Authentication Port. For example, a user uses Internet Explorer to access https://10.3.0.1:8887, where 10.3.0.1 is the IP address of the inside interface of the FW and 8887 is the authentication port. Internet Explorer then displays an authentication page prompting the user to enter a user name and password.
After the users are authenticated, users can change their passwords or log out of the system on the authentication web pages.
Users are automatically logged out after the timeout period expires. Users can also click Logout on the authentication web pages to log out of the system at any time.
The password change function on the authentication web page is available only to users authenticated locally by the FW. The new password cannot contain spaces or question marks (?) and must meet the configured password strength requirements.
If the administrator has set a password validity period and an expiration notification time, and a user logs in within the notification time, the system redirects the user to the password expiration notification page to change the password.
If the administrator authenticates users in the default authentication domain, users need to enter only their Login Name to log in. If the administrator creates new authentication domains, users must enter Login Name@Authentication Domain to log in.
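The following Python block, added here as an example and not taken from the FW or from Huawei, implements the checks behind the three paragraphs above: the two password rules the page states (no spaces, no question marks), the redirect to the password expiration notification page when the remaining validity is within the notification time, and the resolution of a bare Login Name to the default authentication domain versus Login Name@Authentication Domain to a named one. The strength rules (length 8 to 32, at least three character classes, not containing the user name), the default domain name "default", and the decision to treat an already expired password as inside the notification window are assumptions standing in for settings the page leaves unspecified.

```python
"""Checks behind the portal login and password change pages (added example,
not Huawei code). From the page: a new password may not contain a space or a
question mark; a bare login name is resolved in the default authentication
domain while 'Login Name@Authentication Domain' selects a named domain; a
login inside the expiration notification time goes to the password
expiration notification page.

Assumptions (not from the page): the strength rules in check_new_password,
the default domain name, and treating an expired password as still inside
the notification window.
"""
import re

DEFAULT_DOMAIN = "default"   # assumed name of the default authentication domain

CHARACTER_CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def check_new_password(new_password, username):
    """Return the list of violated rules for a password change; an empty
    list means the new password is acceptable."""
    problems = []
    if " " in new_password:
        problems.append("contains a space")
    if "?" in new_password:
        problems.append("contains a question mark")
    if not 8 <= len(new_password) <= 32:
        problems.append("length must be 8 to 32 characters (assumed rule)")
    classes = sum(bool(re.search(p, new_password)) for p in CHARACTER_CLASSES)
    if classes < 3:
        problems.append("needs at least three character classes (assumed rule)")
    if username and username.lower() in new_password.lower():
        problems.append("must not contain the user name (assumed rule)")
    return problems


def split_login_name(login, known_domains):
    """Split what the user typed into (user, domain). A bare login name is
    authenticated in the default domain; 'user@domain' selects that domain
    and is rejected if the domain does not exist on the FW."""
    user, sep, domain = login.rpartition("@")
    if not sep:
        return login, DEFAULT_DOMAIN
    if not user or domain not in known_domains:
        raise ValueError(f"unknown authentication domain: {domain!r}")
    return user, domain


def login_action(password_age_days, validity_days, notify_days):
    """Where the portal sends a user after a correct password: the password
    expiration notification page when the remaining validity is within the
    notification time (assumed to include an already expired password),
    otherwise normal access. None means the setting is not configured."""
    if validity_days is None or notify_days is None:
        return "normal"
    if validity_days - password_age_days <= notify_days:
        return "password_expiry_page"
    return "normal"


if __name__ == "__main__":
    print(check_new_password("what is it?", "bob"))
    print(check_new_password("Ab1!efgh", "alice"))
    print(split_login_name("alice", {"sales"}), split_login_name("alice@sales", {"sales"}))
    print(login_action(85, 90, 7), login_action(30, 90, 7))
```

Because rpartition splits on the last "@", a login name that itself contains "@" still resolves to the domain suffix the user appended; an unknown domain is rejected rather than silently falling back to the default domain, so a typo in the domain cannot authenticate the user against the wrong user database.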
In the AD SSO scenario, Internet access users use their domain accounts to log in to the AD domain. Once logged in, the users can access network resources without a second authentication.
If the idle period of a user expires, the user must log in to the AD domain and be authenticated to access network resources.
Once a user logs out of the AD domain, the user is also logged out of the FW.
In the Agile Controller SSO scenario, Internet access users use their Agile Controller accounts and passwords to log in to the Agile Controller. Once logged in, the users can access network resources without a second authentication.
Agile Controller SSO supports two authentication modes:
If the idle period of a user expires, the user must log in to the Agile Controller server and be authenticated to access network resources.
Once a user logs out of the Agile Controller system, the user is also logged out of the FW.
In the RADIUS SSO scenario, Internet access users use their RADIUS accounts to log in to the RADIUS server. Once logged in, the users can access network resources without a second authentication.
If the idle period of a user expires, the user must log in to the RADIUS server and be authenticated to access network resources.
Once a user logs out of the RADIUS server, the user is also logged out of the FW.
Remote access users use browsers to access the authentication pages of an SSL VPN and enter user names and passwords for authentication.
Once a user logs out on the authentication page of the SSL VPN, the user is also logged out of the FW.
The following description of L2TP VPN access also applies to the scenario where remote access users connect to a FW using L2TP over IPSec VPN to access intranet resources.
The user operations involved in accessing the FW through L2TP VPN depend on how the L2TP tunnel is established.
Automatic LAC dial-up
No user operation is required to establish the L2TP tunnel. After the tunnel is established, if FW authentication is required before users are allowed to access network resources, users authenticate through user-initiated authentication or redirected authentication. The user operations are the same as those in Internet Access Users Access Network Resources in the Portal Authentication Scenario.
NAS-initiated/Client-initiated
Remote access users enter their user names and passwords to trigger the establishment of the L2TP tunnel. After the tunnel is established, users can access intranet resources without a second authentication, or, if a second authentication is required, they authenticate through user-initiated authentication or redirected authentication. The user operations are the same as those in Internet Access Users Access Network Resources in the Portal Authentication Scenario.
Other modes for establishing IPSec VPN tunnels do not involve user authentication. After a tunnel is established, if FW authentication is required before users are allowed to access network resources, the operation method is the same as that in Internet Access Users Access Network Resources in the Portal Authentication Scenario.
For IPSec VPN access users using EAP authentication, establishing the IPSec tunnel requires authentication by a RADIUS server. After the tunnel is established, if no second authentication is required before users are allowed to access network resources, users can access them directly. If a second authentication is required, users authenticate through user-initiated authentication or redirected authentication. The operation method is the same as that in Internet Access Users Access Network Resources in the Portal Authentication Scenario.