An authentication profile can be used to specify a set of methods and settings for user authorization to be used later in various NGFW subsystems, such as captive portal, VPN, web portal, etc. To create an authentication profile, go to Users and Devices ➜ Auth profiles, click Add, and provide the desired settings:
|
Name |
Description |
|---|---|
|
Name |
Profile name. |
|
Description |
Profile description. |
|
MFA profile |
The multi-factor authentication profile. This needs to be created in advance in the MFA profiles section if multi-factor authentication is to be used. The profile defines the method of one-time password delivery for the second authentication factor. For more details on configuring an MFA profile, see later in the corresponding chapter. Important! Multi-factor authentication is only possible with authentication methods that allow the user to enter a one-time password, i.e., where the user explicitly enters their credentials in the auth page's web form. Therefore, multi-factor authentication cannot be used with Kerberos or NTLM. |
|
Idle time |
This parameter determines the time in seconds after which NGFW will re-classify the user from type Known to type Unknown when there is no activity from the user (no network packets coming from the user's IP address). |
|
Expiration time |
This parameter determines the time in seconds after which NGFW will re-classify the user from type Known to type Unknown. When this time elapses, the user will have to re-authenticate at the captive portal. |
|
Maximum auth failures (local users) |
The allowed number of failed authentication attempts via the captive portal after which the user account is locked. |
|
Local user lockout time |
The time for which the user account is locked on reaching the specified number of failed authentication attempts. |
|
Authentication methods |
The user authentication methods added earlier, for example, an Active Directory or RADIUS server. If there are multiple authentication methods, they will be used in the order they are listed in the console. Built-in authentication mechanisms can also be used, such as:
|