Authentication profiles
Authentication profiles define how SafeLinx interacts with the authentication server specified in a DSS to authenticate login credentials for HTTP access services or mobile access VPN connections.
An authentication profile defines a set of configuration properties that control the way that clients are authenticated through a third-party server. You can use the default System profile, or you can create your own profile to enforce specific settings for an individual service.
After you create an authentication profile, you assign it to a connection profile or HTTP access services. Messaging connections, such as short message service (SMS) mobile network connections (MNCs), do not use authentication profiles.
- RADIUS
- Authenticates a client by using remote authentication dial-in user service (RADIUS). For RADIUS profiles that control access to mobile access services, you can optionally require that the SafeLinx Server challenges SafeLinx Client users for their RADIUS user ID and password. If you do not require separate RADIUS credentials, the authentication request is completed with the credentials that the SafeLinx Client user submits to log in to the SafeLinx Server. If the challenge is not validated, or if the RADIUS authentication fails, an error message is sent to the client.
RADIUS authentication profiles that control access to HTTP access services support authentication chaining with LDAP authentication profiles. When you link a RADIUS authentication profile to an LDAP profile, SafeLinx processes a RADIUS authentication only after it verifies a user's LDAP credentials.
- LDAP-bind
- Authenticates a client through LDAP-bind (lightweight directory access protocol) authentication. You can specify the user attributes that the service looks for when it attempts to validate user credentials. For example, in deployments that use Microsoft Active Directory Server, you might specify SAMAccountName in the User key field of the authentication profile, and UserAccountControl in the LDAP attribute used for lock status field. After the LDAP-bind operation completes and the key field is associated with a distinguished name, the client is authenticated. If the LDAP-bind operation fails, an error message is sent to the client. If you specify System authentication in addition to LDAP-bind, the client is challenged to present credentials (user ID and password) twice.
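The sequence an LDAP-bind profile runs through (resolve the User key field to a distinguished name, bind with the submitted password, then consult the lock-status attribute) can be traced with a small model. The example below is added here and is not SafeLinx code; it replaces a real LDAP server with a constructed in-memory directory, and the `userAccountControl` bit values it tests (`ACCOUNTDISABLE`, `LOCKOUT`) are Microsoft's documented Active Directory flags, assumed here to be what a lock-status check would examine. The profile field names, the `authenticate` function and the sample accounts are all illustrative.

```python
"""Added example (not SafeLinx code): lookup, bind and lock-status check of an
LDAP-bind style authentication profile against a constructed in-memory directory."""
import hmac
from dataclasses import dataclass
from typing import Optional

# Microsoft Active Directory userAccountControl flags (documented values).
ACCOUNTDISABLE = 0x0002
LOCKOUT = 0x0010
NORMAL_ACCOUNT = 0x0200

# Constructed sample directory: DN -> (attributes, password the bind must match).
DIRECTORY = {
    "CN=Alice,OU=Users,DC=example,DC=com": (
        {"sAMAccountName": "alice", "userAccountControl": NORMAL_ACCOUNT},
        "correct-horse-battery",
    ),
    "CN=Bob,OU=Users,DC=example,DC=com": (
        {"sAMAccountName": "bob", "userAccountControl": NORMAL_ACCOUNT | LOCKOUT},
        "bobs-password",
    ),
    "CN=Carol,OU=Users,DC=example,DC=com": (
        {"sAMAccountName": "carol", "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE},
        "carols-password",
    ),
}


@dataclass(frozen=True)
class LdapBindProfile:
    """Illustrative stand-in for the profile's two attribute settings."""
    user_key: str = "sAMAccountName"            # the "User key" field
    lock_attribute: str = "userAccountControl"  # "LDAP attribute used for lock status"
    lock_mask: int = ACCOUNTDISABLE | LOCKOUT   # assumed bits that mean "locked"


@dataclass(frozen=True)
class AuthResult:
    ok: bool
    dn: Optional[str]
    client_message: str   # what is returned to the client: deliberately generic
    reason: str           # detailed cause, intended for the server log only


CLIENT_ERROR = "Authentication failed"


def search_dn(user_key: str, value: str) -> Optional[str]:
    """Resolve the key field to exactly one DN; zero or several matches fail."""
    matches = [dn for dn, (attrs, _) in DIRECTORY.items() if attrs.get(user_key) == value]
    return matches[0] if len(matches) == 1 else None


def simple_bind(dn: str, password: str) -> bool:
    """Stand-in for an LDAP simple bind: constant-time comparison of the credential."""
    stored = DIRECTORY[dn][1]
    return hmac.compare_digest(stored.encode(), password.encode())


def authenticate(profile: LdapBindProfile, user_id: str, password: str) -> AuthResult:
    dn = search_dn(profile.user_key, user_id)
    if dn is None:
        return AuthResult(False, None, CLIENT_ERROR,
                          f"no unique entry with {profile.user_key}={user_id!r}")
    # An empty password is rejected before binding: a real LDAP simple bind with a
    # DN and an empty password is an unauthenticated bind and would appear to succeed.
    if not password or not simple_bind(dn, password):
        return AuthResult(False, dn, CLIENT_ERROR, f"bind failed for {dn}")
    uac = int(DIRECTORY[dn][0].get(profile.lock_attribute, 0))
    if uac & profile.lock_mask:
        return AuthResult(False, dn, CLIENT_ERROR,
                          f"{dn} locked or disabled ({profile.lock_attribute}=0x{uac:x})")
    return AuthResult(True, dn, "OK", "authenticated")


if __name__ == "__main__":
    profile = LdapBindProfile()
    attempts = [("alice", "correct-horse-battery"), ("alice", "wrong"), ("alice", ""),
                ("bob", "bobs-password"), ("carol", "carols-password"), ("mallory", "x")]
    for user, pw in attempts:
        r = authenticate(profile, user, pw)
        print(f"{user:8} ok={str(r.ok):5} client={r.client_message!r} log={r.reason}")
```

The client receives the same generic message whether the user key does not resolve, the bind fails or the account is locked; the distinguishing detail stays in the server-side reason so that the response cannot be used to enumerate which user IDs exist. The empty-password guard reflects a property of LDAP simple bind itself, not of SafeLinx, and is worth keeping in mind whenever a bind is used as the credential check.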
- Certificate-based
- Challenges a client for valid credentials by using stored X.509 certificates. If the certificate verification operation fails, an error message is sent to the client. Certificate-based authentication profiles are for use with connection profiles only. You cannot use a certificate-based authentication profile with an HTTP access service. To configure certificate-based authentication for an HTTP access service, you edit the properties of the configured LDAP-bind authentication profile, and the properties of the HTTP access service. For information about using client certificate authentication with HTTP access services, see Client certificate authentication for HTTP access services.
You can chain together multiple authentication profiles (for example, LDAP-bind and Certificates, RADIUS and LDAP-bind, Certificates and SecurID, or Windows™ Integrated Login and Certificates). Chaining authentication profiles enforces an extra level of authentication before a user is granted access to the internal network. To specify the secondary authentication methods to chain to a primary authentication profile, edit the properties of a connection profile from the SafeLinx Administrator. On the Security page, select the profile names in the Additional authentication profiles field.