Use Users and Groups in Policies
When you create policies in your Firebox configuration file, you can use specified user and group names. For example, you can define policies that only allow connections for authenticated users, or you can limit connections on a policy to particular users.
An authenticated user can send traffic through the Firebox only if the traffic is allowed by a policy on the Firebox.
Define Users and Groups for Firebox Authentication
If you want to use your Firebox as an authentication server, you can specify the users and groups that can authenticate to the Firebox. For instructions to define these users and groups, go to Define a New User for Firebox Authentication and Define a New Group for Firebox Authentication.
Define Users and Groups for Third-Party Authentication
In your Firebox configuration file, you can define the users and groups to use for third-party authentication. When you create a group, if you use more than one Active Directory domain for authentication, you must specify the domain that you want users in the group to use to authenticate.
For both individual users and user groups, you can also enable login limits. When you enable unlimited concurrent logins for a user or group, you allow more than one user or member of a group to authenticate with the same user credentials at the same time, to one authentication server. This is useful for guest accounts or in laboratory environments. When the second user logs in with the same credentials, the first user authenticated with the credentials is automatically logged out. The other option you can select for user and group login limits is to limit your users or members of a group to a single authenticated session. If you select this option, your users cannot log in to one authentication server from different IP addresses with the same credentials. When a user is already authenticated and tries to authenticate again, you can select whether the first user session is terminated when the additional session is authenticated, or if the additional session is rejected.
User and group names on your Active Directory server are case-sensitive. When you add a user or group to your Firebox, the user or group name must have the same capitalization used in the name on the Active Directory server.
If you use Active Directory authentication and the group membership for a user does not match your Mobile VPN policy, you can see an error message that says Decrypted traffic does not match any policy. If you see this error message, make sure that the user is in a group with the same name as your Mobile VPN group.
If a user is already logged in when you add a new group to the Firebox configuration, the user is not associated with that group by the Firebox until the next time the user logs in to the Firebox.
To limit concurrent user sessions for mobile VPN users, you must use Mobile VPN with IKEv2 and Firebox-DB user accounts. You cannot limit concurrent user sessions for Mobile VPN with IKEv2 users with accounts on third-party authentication servers. You cannot limit concurrent user sessions for Mobile VPN with L2TP, Mobile VPN with SSL, or Mobile VPN with IPSec users with Firebox-DB accounts or accounts on third-party authentication servers.
- Create a group on your third-party authentication server that contains all the user accounts on your system.
- Select Authentication > Users and Groups.
The Users and Groups page opens.
- Unlock the page, if required.
- Click Add.
The Add User or Group dialog box opens.
- For the Type option, select Group or User.
- In the Name text box, type the name of the group or user. The name must be the same as the name of a group or user in your authentication server.
The user or group name is case-sensitive and must match the capitalization used on the authentication server.
- (Optional) In the Description text box, type a description of the new user or group.
- From the Authentication Server drop-down list, select the authentication server where the user or group exists.
- (Optional) To enable login limits, select the Enable login limits for each user or group check box and follow the instructions in the next sections to select an option.
- (Optional) In Fireware v12.9 or higher, you can Enable Network Access Enforcement. For more information, go to Network Access Enforcement Overview.
- Click Add.
- Create a group on your third-party authentication server that contains all the user accounts on your system.
- Select Setup > Authentication > Users and Groups.
The Users and Groups dialog box opens.
- Click Add.
The Add User or Group dialog box opens.
- For the Type option, select Group or User.
- Type a user or group name that you created on the authentication server.
The user or group name is case-sensitive and must match the capitalization used on the authentication server.
- (Optional) Type a description for the user or group.
- From the Authentication Server drop-down list, select your authentication server.
Select RADIUS for authentication through a RADIUS or VACMAN Middleware server, or Any for authentication through any other server. For Active Directory authentication, select the specific domain to use for this user or group.
- (Optional) To enable login limits, select the Enable login limits for each user or group check box and follow the instructions in the next sections to select an option.
- (Optional) In Fireware v12.9 or higher, you can Enable Network Access Enforcement. For more information, go to Network Access Enforcement Overview.
- Click OK.
Allow Unlimited Concurrent Login Sessions
You can allow more than one user to authenticate with the same user credentials at the same time, to one authentication server. This is useful for guest accounts or in laboratory environments. When the second user logs in with the same credentials, the first user authenticated with the credentials is automatically logged out. If you do not allow this feature, a user cannot authenticate to the authentication server more than once at the same time.
To allow unlimited concurrent login sessions for your users:
- Select the Enable login limits for each user or group check box.
- Select Allow unlimited concurrent firewall authentication logins from the same account.
Limit Login Sessions
You can limit your users to a specific number of authenticated sessions. If you select this option, you can specify the number of times your users can use the same credentials to log in to one authentication server from different IP addresses. When a user is authenticated and tries to authenticate again, you can select whether the first user session is terminated when an additional session is authenticated, or if the additional sessions are rejected.
You can configure login session limits at the global, group, and user level.
- User settings take precedence over the group and global settings.
- If a user's login session limits are not configured, the group settings take precedence, if configured.
- If a user belongs to more than one group, the settings for the first group in the user's group list take precedence.
- If user or group login session limits are not configured, the global settings are used.
To limit login sessions for your users:
- Select the Enable login limits for each user or group check box.
- Select Limit concurrent user sessions to.
- In the text box, type or select the number of allowed concurrent user sessions.
- From the drop-down list, select an option:
- Reject subsequent login attempts
- Allow subsequent login attempts and logoff the first session.
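As an added illustration (not WatchGuard code), the following Python models the precedence rules and the two limit-sessions options described above. The class and sample names are constructed, and it assumes that the first group in a user's group list that has a configured limit is the one that applies.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class LoginLimit:
    max_sessions: Optional[int]     # None = unlimited concurrent logins
    on_excess: str = "reject"       # "reject" or "logoff_first"

@dataclass
class LoginLimitConfig:
    global_limit: LoginLimit
    group_limits: dict = field(default_factory=dict)  # group name -> LoginLimit
    user_limits: dict = field(default_factory=dict)   # user name -> LoginLimit
    user_groups: dict = field(default_factory=dict)   # user -> ordered group list

def effective_limit(cfg: LoginLimitConfig, user: str) -> LoginLimit:
    """User setting > first group in the user's list with a setting > global."""
    if user in cfg.user_limits:
        return cfg.user_limits[user]
    for group in cfg.user_groups.get(user, []):   # assumption: first configured group wins
        if group in cfg.group_limits:
            return cfg.group_limits[group]
    return cfg.global_limit

class SessionTable:
    def __init__(self, cfg: LoginLimitConfig):
        self.cfg = cfg
        self.sessions: dict = {}   # user -> list of source IPs, oldest first (constructed model)

    def login(self, user: str, src_ip: str) -> str:
        limit = effective_limit(self.cfg, user)
        active = self.sessions.setdefault(user, [])
        if limit.max_sessions is None or len(active) < limit.max_sessions:
            active.append(src_ip)
            return "accepted"
        if limit.on_excess == "reject":          # Reject subsequent login attempts
            return "rejected"
        logged_off = active.pop(0)               # ... and logoff the first session
        active.append(src_ip)
        return f"accepted, logged off {logged_off}"

# Constructed sample configuration: global 2 sessions/reject, group "lab"
# 1 session/log off first, user "alice" explicitly 3 sessions/reject.
SAMPLE = LoginLimitConfig(
    global_limit=LoginLimit(2, "reject"),
    group_limits={"lab": LoginLimit(1, "logoff_first")},
    user_limits={"alice": LoginLimit(3, "reject")},
    user_groups={"alice": ["lab", "staff"], "bob": ["staff", "lab"], "carol": []},
)
```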
Add Users and Groups to Policy Definitions
Any user or group that you want to use in your policy definitions must be added as a user. All users and groups you create for Firebox authentication, and all Mobile VPN users, are automatically added to the list of users and groups on the Users and Groups dialog box. You can add any users or groups from third-party authentication servers to the user and group list with the previous procedure. You are then ready to add users and groups to your policy configuration.
- Select Firewall > Firewall Policies.
The Firewall Policies page opens.
- Select a policy from the list and click Action > Edit Policy.
Or, double-click a policy.
The Policy Configuration page opens.
- Below the From list, click Add.
The Add Member dialog box opens.
- From the Member Type drop-down list, select Firewall User.
The list of available users opens.
If your user or group does not show in the Groups list, go to Define a New User for Firebox Authentication, Define a New Group for Firebox Authentication, or the previous Define users and groups for third-party authentication procedure, and add the user or group.
- Select a user and click OK.
- Select the Firewall tab.
- Double-click a policy.
The Edit Policy Properties dialog box opens.
- On the Policy tab, below the From list, click Add.
The Add Address dialog box opens.
- Click Add User.
The Add Users or Groups dialog box opens.
- From the left Type drop-down list, select whether the user or group is authorized with Firewall, SSLVPN, L2TP, or IKEv2 authentication.
For more information on these authentication types, go to Types of Firebox Authentication.
- From the right Type drop-down list, select either User or Group.
- If your user or group appears in the Groups list, select the user or group and click Select.
The Add Address dialog box reopens with the user or group in the Selected Members or Addresses box.
If your user or group does not show in the Groups list, go to Define a New User for Firebox Authentication, Define a New Group for Firebox Authentication, or the previous Define users and groups for third-party authentication procedure, and add the user or group.
- Click OK to close the Edit Policy Properties dialog box.
After you add a user or group to a policy configuration, the WatchGuard Authentication policy is automatically added to your Firebox configuration file. This policy controls access to the Authentication Portal web page. For instructions to edit this policy, go to Use Authentication to Restrict Incoming Connections.
For one example of how you can configure Firebox policies for different users or groups, go to Configure WebBlocker Actions for Groups with Active Directory Authentication.