Use Users and Groups in Policies
When you create policies in your Firebox configuration file, you can use specified user and group names. For example, you can define policies that only allow connections for authenticated users, or you can limit connections on a policy to particular users.
An authenticated user can send traffic through the Firebox only if the traffic is allowed by a policy on the Firebox.
Define Users and Groups for Firebox Authentication
If you want to use your Firebox as an authentication server, you can specify the users and groups that can authenticate to the Firebox. For instructions to define these users and groups, see Define a New User for Firebox Authentication and Define a New Group for Firebox Authentication.
Define Users and Groups for Third-Party Authentication
In your Firebox configuration file, you can define the users and groups to use for third-party authentication. When you create a group, if you use more than one Active Directory domain for authentication, you must specify the domain that you want users in the group to use to authenticate.
For both individual users and user groups, you can also enable login limits. When you enable unlimited concurrent logins for a user or group, you allow more than one user or member of a group to authenticate with the same user credentials at the same time, to one authentication server. This is useful for guest accounts or in laboratory environments. When the second user logs in with the same credentials, the first user authenticated with the credentials is automatically logged out. The other option you can select for user and group login limits is to limit your users or members of a group to a single authenticated session. If you select this option, your users cannot log in to one authentication server from different IP addresses with the same credentials. When a user is already authenticated and tries to authenticate again, you can select whether the first user session is terminated when the additional session is authenticated, or if the additional session is rejected.
User and group names on your Active Directory server are case-sensitive. When you add a user or group to your Firebox, the user or group name must have the same capitalization used in the name on the Active Directory server.
If you use Active Directory authentication and the group membership for a user does not match your Mobile VPN policy, you can see an error message that says Decrypted traffic does not match any policy. If you see this error message, make sure that the user is in a group with the same name as your Mobile VPN group.
If a user is already logged in when you add a new group to the Firebox configuration, the user is not associated with that group by the Firebox until the next time the user logs in to the Firebox.
- Create a group on your third-party authentication server that contains all the user accounts on your system.
- Select Authentication > Users and Groups.
The Authentication Users and Groups page appears.
- Click Add.
The Add User or Group dialog box appears.
- For the Type option, select Group or User.
- Type a user or group name that you created on the authentication server.
The user or group name is case-sensitive and must match the capitalization used on the authentication server.
- (Optional) Type a description for the user or group.
- From the Authentication Server drop-down list, select your authentication server.
- To enable login limits, select the Enable login limits for each user or group check box and follow the instructions in the next sections to select an option:
- Click Add.
- Create a group on your third-party authentication server that contains all the user accounts on your system.
- Select Setup > Authentication > Users and Groups.
The Users and Groups dialog box appears.
- Click Add.
The Add User or Group dialog box appears.
- For the Type option, select Group or User.
- Type a user or group name that you created on the authentication server.
The user or group name is case-sensitive and must match the capitalization used on the authentication server.
- (Optional) Type a description for the user or group.
- From the Authentication Server drop-down list, select your authentication server.
Select RADIUS for authentication through a RADIUS or VACMAN Middleware server, or Any for authentication through any other server. For Active Directory authentication, select the specific domain to use for this user or group.
- To enable login limits, select the Enable login limits for each user or group check box and follow the instructions in the next sections to select an option:
- Click OK.
Allow Unlimited Concurrent Login Sessions
You can allow more than one user to authenticate with the same user credentials at the same time, to one authentication server. This is useful for guest accounts or in laboratory environments. When the second user logs in with the same credentials, the first user authenticated with the credentials is automatically logged out. If you do not allow this feature, a user cannot authenticate to the authentication server more than once at the same time.
To allow unlimited concurrent login sessions for your users:
- Select the Enable login limits for each user or group check box.
- Select Allow unlimited concurrent firewall authentication logins from the same account.
Limit Login Sessions
You can limit your users to a specific number of authenticated sessions. If you select this option, you can specify the number of times your users can use the same credentials to log in to one authentication server from different IP addresses. When a user is authenticated and tries to authenticate again, you can select whether the first user session is terminated when an additional session is authenticated, or if the additional sessions are rejected.
To limit login sessions for your users:
- Select the Enable login limits for each user or group check box.
- Select Limit concurrent user sessions to.
- In the text box, type or select the number of allowed concurrent user sessions.
- From the drop-down list, select an option:
- Reject subsequent login attempts
- Allow subsequent login attempts and logoff the first session.
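The login-limit rules described in this section and in Allow Unlimited Concurrent Login Sessions above, modelled as an added Python example that is not WatchGuard's code. The class names SessionTable and LoginPolicy, the (accepted, logged_off) return value, and the rule that re-authenticating from an address that already has a session refreshes it rather than counting as an additional session are assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum

class Limit(Enum):
    DISABLED = "disabled"    # login limits not enabled: one session per account
    UNLIMITED = "unlimited"  # Allow unlimited concurrent firewall authentication logins
    LIMITED = "limited"      # Limit concurrent user sessions to N

class OnExceed(Enum):
    REJECT = "reject"        # Reject subsequent login attempts
    LOGOFF_FIRST = "logoff"  # Allow subsequent login attempts and logoff the first session

@dataclass
class LoginPolicy:
    limit: Limit = Limit.DISABLED
    max_sessions: int = 1
    on_exceed: OnExceed = OnExceed.REJECT

@dataclass
class SessionTable:
    # active sessions per (account, auth server): client IPs in login order, oldest first
    active: dict = field(default_factory=dict)

    def login(self, account, server, client_ip, policy):
        """One authentication attempt under the login-limit rules.
        Returns (accepted, logged_off): client IPs whose earlier session this login ended."""
        ips = self.active.setdefault((account, server), [])
        if client_ip in ips:
            # assumption: re-authenticating from the same address refreshes the
            # existing session instead of counting as an additional one
            return True, []
        if policy.limit == Limit.UNLIMITED:
            # never rejected; as this page describes it, the first session with
            # these credentials is logged out when the next login arrives
            cap, logoff_first = 1, True
        elif policy.limit == Limit.LIMITED:
            cap = policy.max_sessions
            logoff_first = policy.on_exceed == OnExceed.LOGOFF_FIRST
        else:
            cap, logoff_first = 1, False  # limits not enabled: second login rejected
        if len(ips) < cap:
            ips.append(client_ip)
            return True, []
        if logoff_first:
            logged_off, ips[:] = ips[:1], ips[1:] + [client_ip]
            return True, logged_off
        return False, []  # at the cap: subsequent login attempt rejected
```

Sessions are tracked per account and authentication server, so the same credentials on a second server are counted separately, as the page's "to one authentication server" wording implies.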
Add Users and Groups to Policy Definitions
Any user or group that you want to use in your policy definitions must be added as a user. All users and groups you create for Firebox authentication, and all Mobile VPN users, are automatically added to the list of users and groups on the Users and Groups dialog box. You can add any users or groups from third-party authentication servers to the user and group list with the previous procedure. You are then ready to add users and groups to your policy configuration.
- Select Firewall > Firewall Policies.
The Firewall Policies page appears.
- Select a policy from the list and click Action > Edit Policy.
Or, double-click a policy.
The Policy Configuration page appears.
- Below the From list, click Add.
The Add Member dialog box appears.
- From the Member Type drop-down list, select Firewall User.
The list of available users appears.
If your user or group does not appear in the Groups list, see Define a New User for Firebox Authentication, Define a New Group for Firebox Authentication, or the previous Define users and groups for third-party authentication procedure, and add the user or group.
- Select a user and click OK.
- Select the Firewall tab.
- Double-click a policy.
The Edit Policy Properties dialog box appears.
- On the Policy tab, below the From list, click Add.
The Add Address dialog box appears.
- Click Add User.
The Add Authorized Users or Groups dialog box appears.
- From the left Type drop-down list, select whether the user or group is authorized with Firewall, SSLVPN, L2TP, or IKEv2 authentication.
For more information on these authentication types, see Types of Firebox Authentication.
- From the right Type drop-down list, select either User or Group.
- If your user or group appears in the Groups list, select the user or group and click Select.
The Add Address dialog box reappears with the user or group in the Selected Members or Addresses box.
If your user or group does not appear in the Groups list, see Define a New User for Firebox Authentication, Define a New Group for Firebox Authentication, or the previous Define users and groups for third-party authentication procedure, and add the user or group.
- Click OK to close the Edit Policy Properties dialog box.
After you add a user or group to a policy configuration, the WatchGuard Authentication policy is automatically added to your Firebox configuration file. This policy controls access to the Authentication Portal web page. For instructions to edit this policy, see Use Authentication to Restrict Incoming Connections.
For one example of how you can configure Firebox policies for different users or groups, see Configure WebBlocker Actions for Groups with Active Directory Authentication.