Technical background and preparations

The purpose of user authentication

User authentication can be used to assign firewall rules to users when they log in. Only one user can be logged in per IP address. If a user logs in from an IP address that already has an active session, the previously logged-in user is logged out and the new user is logged in; the rules bound to that address change accordingly.

Logging in to the firewall

The LANCOM R&S®Unified Firewall operates a separate web server for the exclusive purpose of user logins. This web server receives the user name and password. An authentication service first checks the credentials against the local user database created on your LANCOM R&S®Unified Firewall. If this check fails and a Microsoft Active Directory server or an OpenLDAP server is configured in the LANCOM R&S®Unified Firewall, the authentication service additionally contacts that directory server via the Kerberos protocol and tries to authenticate the user there. If authentication succeeds, the firewall rules for this user are assigned to the IP address from which the login request was sent.

Users registered in the local database of your LANCOM R&S®Unified Firewall can change their passwords via the web server. A password can consist of up to 248 characters. Longer passwords are accepted but are truncated to 248 characters automatically, so any characters beyond that limit have no effect on the password check.

Some computers can be excluded from user authentication, for example terminal servers used by many users concurrently or servers that only administrators can log in to. In these cases, the web server and the authentication service do not accept user logins from the IP addresses of these computers.

Since all users of a terminal server share the same IP address, your LANCOM R&S®Unified Firewall cannot distinguish the individual users on the network. To get around this problem, Microsoft offers Remote Desktop IP Virtualization for Windows Server 2008 R2 and newer versions. With this feature, each user session gets its own IP address from a pool of IP addresses, similar to DHCP, so that user authentication can again be tied to one user per address.

Authentication server

Your LANCOM R&S®Unified Firewall provides the option of local user administration, which is ideal for smaller organizations that do not use central user administration. The local user database can be used at any time. However, you can also use an external directory service such as a Microsoft Active Directory server or an OpenLDAP server. Both Microsoft Active Directory and OpenLDAP use the Kerberos protocol to verify the login information provided by user authentication clients.

Active Directory groups

If you use a Microsoft Active Directory server for authentication, the Active Directory groups are also listed in the object bar under User Authentication. Active Directory groups are an effective way to set up and maintain security settings for many users at once: you add Active Directory users to specific Active Directory groups and use your LANCOM R&S®Unified Firewall to set firewall rules for those groups rather than for each user individually.
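The following Python model ties together the behaviour described in the sections above: one session per IP address with replacement on a new login, the local user database checked before the directory server, rules bound to the requesting IP address, IP addresses excluded from authentication, the 248-character password truncation, and firewall rules derived from directory group membership. It is an added example and not LANCOM's implementation: the class names, the PBKDF2 password storage, the stand-in directory (no Kerberos exchange is performed) and the sample users, groups, rule names and IP addresses are all assumptions constructed for the demonstration.

```python
import hashlib
import hmac
import os

MAX_PASSWORD_LEN = 248  # limit stated on this page; longer input is truncated, not rejected


def _truncate(password: str) -> str:
    """Apply the documented truncation before any storage or comparison."""
    return password[:MAX_PASSWORD_LEN]


def _digest(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 is an assumption; the page does not say how passwords are stored.
    return hashlib.pbkdf2_hmac("sha256", _truncate(password).encode("utf-8"), salt, 10_000)


class LocalUserDatabase:
    """Local user database: name -> (salt, digest, firewall rules)."""

    def __init__(self) -> None:
        self._users = {}

    def add(self, name: str, password: str, rules: list) -> None:
        salt = os.urandom(16)
        self._users[name] = (salt, _digest(password, salt), list(rules))

    def change_password(self, name: str, old: str, new: str) -> bool:
        """Self-service password change as offered by the login web server."""
        if not self.verify(name, old):
            return False
        salt = os.urandom(16)
        self._users[name] = (salt, _digest(new, salt), self._users[name][2])
        return True

    def verify(self, name: str, password: str) -> bool:
        entry = self._users.get(name)
        if entry is None:
            return False
        salt, digest, _ = entry
        return hmac.compare_digest(digest, _digest(password, salt))

    def rules_for(self, name: str) -> list:
        return list(self._users[name][2])


class FakeDirectory:
    """Constructed stand-in for an Active Directory / OpenLDAP server.
    authenticate() returns the user's group names on success, None on failure."""

    def __init__(self, accounts: dict, group_rules: dict) -> None:
        self._accounts = accounts        # name -> (password, [groups])
        self._group_rules = group_rules  # group -> [firewall rules]

    def authenticate(self, name: str, password: str):
        entry = self._accounts.get(name)
        if entry is None or not hmac.compare_digest(entry[0].encode(), _truncate(password).encode()):
            return None
        return list(entry[1])

    def rules_for_groups(self, groups: list) -> list:
        return [rule for group in groups for rule in self._group_rules.get(group, [])]


class AuthService:
    """Login flow: excluded IPs rejected, local database first, directory as fallback,
    rules bound to the requesting IP, at most one session per IP."""

    def __init__(self, local_db: LocalUserDatabase, directory=None, excluded_ips=()) -> None:
        self.local_db = local_db
        self.directory = directory
        self.excluded_ips = set(excluded_ips)
        self.sessions = {}  # ip -> (user, rules)

    def login(self, ip: str, name: str, password: str) -> tuple:
        if ip in self.excluded_ips:
            return False, "address excluded from user authentication"
        if self.local_db.verify(name, password):
            rules = self.local_db.rules_for(name)
        else:
            groups = self.directory.authenticate(name, password) if self.directory else None
            if groups is None:
                return False, "authentication failed"
            rules = self.directory.rules_for_groups(groups)
        previous = self.sessions.get(ip)
        self.sessions[ip] = (name, rules)  # replaces any earlier session on this address
        if previous is not None and previous[0] != name:
            return True, f"logged out {previous[0]} on {ip}"
        return True, "ok"

    def user_at(self, ip: str):
        return self.sessions[ip][0] if ip in self.sessions else None

    def rules_for_ip(self, ip: str) -> list:
        return list(self.sessions[ip][1]) if ip in self.sessions else []


def build_demo() -> AuthService:
    """Constructed sample data: two local users, one directory user with group membership."""
    local = LocalUserDatabase()
    local.add("alice", "correct horse battery staple", ["allow-intranet"])
    local.add("longpw", "a" * 300, ["allow-dns"])  # longer than the documented limit
    directory = FakeDirectory(
        accounts={"bob": ("bob-secret", ["Finance", "VPN-Users"])},
        group_rules={"Finance": ["allow-erp"], "VPN-Users": ["allow-vpn"]},
    )
    return AuthService(local, directory, excluded_ips=["10.0.0.50"])  # e.g. a terminal server


if __name__ == "__main__":
    svc = build_demo()
    print(svc.login("10.0.0.7", "alice", "correct horse battery staple"), svc.rules_for_ip("10.0.0.7"))
    print(svc.login("10.0.0.7", "bob", "bob-secret"), svc.rules_for_ip("10.0.0.7"))
    print(svc.login("10.0.0.50", "alice", "correct horse battery staple"))
    print(svc.login("10.0.0.8", "longpw", "a" * 248 + "b" * 52))
```

The last call in the usage section is the caveat worth noticing: because both the stored and the submitted password are cut to 248 characters before comparison, a login with a different tail beyond that limit still succeeds, which is exactly what the truncation described above implies.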

www.lancom-systems.com

LANCOM Systems GmbH | Adenauerstr. 20/B2 | 52146 Wuerselen | Germany | E-Mail info@lancom.de