Authentication Profiles

An authentication profile specifies a set of user authentication methods and settings that can later be referenced by various NGFW subsystems, such as the captive portal, VPN, web portal, etc. To create an authentication profile, go to Users and Devices ➜ Auth profiles, click Add, and provide the desired settings:

Name

Description

Name

Profile name.

Description

Profile description.

MFA profile

The multi-factor authentication profile. If multi-factor authentication is to be used, this profile must be created in advance in the MFA profiles section. The profile defines how the one-time password for the second authentication factor is delivered. For details on configuring an MFA profile, see the corresponding chapter later in this document.

Important! Multi-factor authentication is only possible with authentication methods that allow the user to enter a one-time password, i.e., where the user explicitly enters their credentials in the auth page's web form. Therefore, multi-factor authentication cannot be combined with Kerberos or NTLM, which authenticate the user transparently.

Idle time

This parameter determines the time in seconds after which NGFW will re-classify the user from type Known to type Unknown when there is no activity from the user (no network packets coming from the user's IP address).

Expiration time

This parameter determines the time in seconds after which NGFW will re-classify the user from type Known to type Unknown. When this time elapses, the user will have to re-authenticate at the captive portal.

Maximum auth failures (local users)

The number of failed authentication attempts via the captive portal after which the user account is locked.

Local user lockout time

The time for which the user account stays locked after the specified number of failed authentication attempts is reached.

Authentication methods

The previously configured user authentication methods, for example, an Active Directory or RADIUS server. If multiple authentication methods are selected, they are tried in the order in which they are listed in the console.

Built-in authentication mechanisms can also be used, such as:

  • Local user authentication: authentication using a local user database.

  • Policy accept: authentication is not required, but before the user is granted access to the Internet, they must consent to the network usage policy. This authentication type must be used in conjunction with a captive portal profile that uses a captive portal policy auth page.

  • HTTP Basic: authentication using the legacy HTTP Basic method.

  • Kerberos authentication: authentication using the Kerberos protocol.
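The idle time, expiration time, lockout and ordered-method rules described above, as a constructed Python model added here for illustration (not NGFW code; the class and function names are assumptions). For brevity the model applies the failure counter and lockout to every captive-portal login attempt, whereas the product applies them to local users only.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed model of an authentication profile; field names mirror the
# settings documented above. Times are in seconds.
@dataclass
class AuthProfile:
    idle_time: int            # no packets from the user's IP -> Known becomes Unknown
    expiration_time: int      # seconds after login -> Known becomes Unknown
    max_auth_failures: int    # failed captive-portal attempts before lockout
    lockout_time: int         # seconds the account stays locked
    methods: List[Tuple[str, Callable[[str, str], bool]]]  # tried in listed order

@dataclass
class UserState:
    auth_time: Optional[int] = None   # time of the last successful authentication
    last_seen: Optional[int] = None   # time of the last packet from the user's IP
    failures: int = 0                 # consecutive failed attempts
    locked_until: int = 0             # account is locked while now < locked_until

def classify(profile: AuthProfile, st: UserState, now: int) -> str:
    """Return 'Known' or 'Unknown' according to the expiration and idle rules."""
    if st.auth_time is None:
        return "Unknown"
    if now - st.auth_time >= profile.expiration_time:
        return "Unknown"   # session expired: must re-authenticate at the captive portal
    if now - st.last_seen >= profile.idle_time:
        return "Unknown"   # no traffic from the IP for idle_time seconds
    return "Known"

def login(profile: AuthProfile, st: UserState, user: str, pwd: str, now: int) -> str:
    """Try the methods in order; return the method name, 'failed' or 'locked'."""
    if now < st.locked_until:
        return "locked"
    for name, check in profile.methods:
        if check(user, pwd):
            st.auth_time = st.last_seen = now
            st.failures = 0
            return name
    st.failures += 1
    if st.failures >= profile.max_auth_failures:
        st.locked_until = now + profile.lockout_time  # lock the account
        st.failures = 0
        return "locked"
    return "failed"

# Constructed sample profile: an AD check that never matches, then local users.
SAMPLE = AuthProfile(300, 3600, 3, 600, [
    ("AD", lambda u, p: False),
    ("Local users", lambda u, p: (u, p) == ("alice", "s3cret")),
])
```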