User Authentication and Authorization

The platform supports different user authentication mechanisms, such as Captive portal, Kerberos, NTLM, etc. The user accounts can originate from a variety of sources, including LDAP, Active Directory, FreeIPA, TACACS+, RADIUS, and SAML IDP. SAML IDP, Kerberos, and NTLM allow for transparent (i.e., without requesting a username and password) authentication of Active Directory domain users on the UserGate device. The Captive portal also supports user authentication with certificates that use public key infrastructure (PKI).

The UserID feature enables transparent user authentication on selected UserGate devices, using the Active Directory log and Syslog as the authentication data sources. With Active Directory, a UserID agent queries the AD servers over the WMI protocol; with Syslog, the agent listens on the Syslog port and collects the messages sent by Syslog servers. The agent then filters the collected data down to user login/logout events and, based on those events, looks the user up in the user catalogs of the log source. If the user is found, the user's authorization data is sent to all UserGate NGFW devices specified in the Source redistribution profile, and the user is logged in to the NGFW.
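A simplified model of the UserID event flow just described, added here as an illustration (it is not UserGate's own agent code): it filters forwarded Syslog lines down to logon/logoff events, looks each user up in a catalog, tracks which identity is currently mapped to each source IP, and records what would be redistributed to the NGFW devices in the profile. The Syslog line format, the user catalog and the device names are constructed assumptions.

```python
import re

# Constructed sample of Windows logon/logoff events forwarded via Syslog (assumed format).
SYSLOG_LINES = [
    "<14>Jan 10 09:00:01 dc01 EventID=4624 User=alice Domain=CORP SrcIP=10.0.1.20",
    "<14>Jan 10 09:00:05 dc01 EventID=4672 User=alice Domain=CORP SrcIP=10.0.1.20",
    "<14>Jan 10 09:01:10 dc01 EventID=4624 User=svc_backup Domain=CORP SrcIP=10.0.1.30",
    "<14>Jan 10 09:02:00 dc01 EventID=4624 User=bob Domain=CORP SrcIP=10.0.1.21",
    "<14>Jan 10 09:30:00 dc01 EventID=4634 User=alice Domain=CORP SrcIP=10.0.1.20",
]
# Constructed user catalog standing in for the directory of the log source.
USER_CATALOG = {"CORP\\alice": ["staff"], "CORP\\bob": ["staff", "admins"]}
# Constructed Source redistribution profile: the NGFW devices that receive the mapping.
REDISTRIBUTION_PROFILE = ["ngfw-hq", "ngfw-branch"]

LINE_RE = re.compile(r"EventID=(\d+) User=(\S+) Domain=(\S+) SrcIP=(\S+)")
LOGON, LOGOFF = "4624", "4634"  # only these event IDs carry login/logout information


def parse_event(line):
    """Return a login/logout event dict, or None for lines that are not logon/logoff."""
    m = LINE_RE.search(line)
    if not m:
        return None
    event_id, user, domain, ip = m.groups()
    if event_id not in (LOGON, LOGOFF):
        return None
    kind = "login" if event_id == LOGON else "logout"
    return {"kind": kind, "user": f"{domain}\\{user}", "ip": ip}


def process(lines, catalog, profile):
    """Replay events; return the current IP->user map and the redistributed updates."""
    sessions = {}       # source IP -> user currently mapped to it
    updates = []        # (device, action, user, ip) that would be sent to each NGFW
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["user"] not in catalog:
            continue    # not a login/logout event, or user unknown to the directory
        if ev["kind"] == "login":
            sessions[ev["ip"]] = ev["user"]
        elif sessions.get(ev["ip"]) == ev["user"]:
            del sessions[ev["ip"]]   # logout clears the mapping for that IP
        else:
            continue    # logout without a matching login: nothing to redistribute
        for device in profile:
            updates.append((device, ev["kind"], ev["user"], ev["ip"]))
    return sessions, updates
```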

The administrator can configure security rules, link bandwidth, firewall rules, as well as content filtering and application control rules for individual users, user groups, or all known or unknown users. In addition, UserGate supports the application of security rules to terminal service users via dedicated Terminal Services Agents and the use of an authorization agent for Windows platforms.

For better user account security, multi-factor authentication with TOTP (Time-based One-Time Password) tokens, SMS, or email should be used.