NGFW supported authentication methods with external directory servers
- Article Number: 000010152
- Products: Next Generation Firewall (NGFW)
- Version: 6.4, 6.3, 6.2, 6.1, 6.0, 5.9, 5.8, 5.7, 5.5, 5.4, 5.3, 5.10, 5.1, 5.0
- Last Published Date: March 07, 2018
What authentication methods are supported with external directory servers?
NGFW can be integrated with an external LDAP directory such as Active Directory or OpenLDAP, to allow external users to authenticate to the firewall. The same integration can be done in SMC to allow it to browse the directory, and utilize users and groups in security policies.
In versions 6.3 and lower, the NGFW supports only RADIUS and TACACS+ based authentication methods. For example, with Active Directory this means NPS and IAS authentication. LDAP based authentication (LDAP bind) against the userPassword user attribute in external LDAP server is not supported. LDAP authentication is indicated in SMC by the User Password authentication method, and can only be used with InternalDomain users.
Since NGFW supports RADIUS, any two-factor authentication that is based on RADIUS can also be used. The Access-Challenge RADIUS response is also supported. For example, RSA Next Token Code and New PIN modes can also be used.
The NGFW product guide states you can update the LDAP schema on the external server with SMC specific attributes. However doing this does not allow you to authenticate with the LDAP userPassword attribute. If the schema is modified it allows the administrator to set the sgpassword attribute for users through the SMC. The User Password authentication method can then be used on the firewall to authenticate users via LDAP against the sgpassword attribute. The sgpassword attribute is not synced with the userPassword attribute in any way, and the passwords must always be set and changed via SMC.
In version 6.4 and higher, new LDAP Authentication method was introduced. When this authentication method is used, the user’s password is checked against the user’s credentials in the LDAP server that is used for user storage. To accomplish this, the NGFW Engine does an LDAP bind to check the credentials from the LDAP server. This eliminates the need for RADIUS server such as NPS.
Important Encryption is strongly recommended when the LDAP Authentication method is used, as with plain LDAP the credentials are transmitted in clear-text. Generally, StartTLS can be used over port 389 or LDAPS over port 636.