User Identification
IWSVA supports multiple user identification methods:
IP address (default option)
User/group name authentication (LDAP)
Note: Changing the user identification method can affect any existing policies you might have created, as well as logs and reports.
With IWSVA, if you want to use a user/group-based policy and you have an LDAP server on the network, choose the User/Group Authentication Setting. Contact your LDAP administrator for information about the various LDAP attribute settings.
Select your preferred method of user identification for reports, logs, notification messages, and for creating scan policies.
With IWSVA's enhanced LDAP functionality, several settings for Microsoft Active Directory can be detected automatically, which simplifies your configuration. Many organizations use Microsoft Active Directory; this might be the best option for those with less-complex configurations.
Under the Basic view, only the following settings are necessary:
Domain name
Service account
Password
Your LDAP server must be Microsoft Active Directory for the auto-detect function to work correctly. IWSVA automatically detects all the available servers for a given domain and then chooses the most appropriate one for your configuration, along with other important settings.
IWSVA does auto-detection as follows:
Acquires the LDAP server list through a DNS query
Filters out unconnected servers
When more than one GC or DC is found among the LDAP servers, the fastest GC or DC is selected as the primary LDAP server.
Domain names are translated into base distinguished names (BDN).
Kerberos information is generated and authenticated.
Use this option to do fine-grained or complex LDAP configurations. Besides Active Directory, other LDAP servers as well as multi-domain forests and redundant LDAP servers are supported in the Advanced (other or multiple LDAP servers) view. You can add multiple domains for User/Group Authentication. IWSVA sequentially queries these domains for user identification and policy enforcement.
To use Advanced (other or multiple LDAP servers) from the web console, click Administration > IWSVA Configuration > User Identification and check Advanced (other or multiple LDAP servers) in User Identification.
You can add, remove, or edit domain configurations from the Advanced (other or multiple LDAP servers) view, and create a list that shows all the configured domains. View the details of any one domain by clicking the domain name or the down-arrow button.
IWSVA cannot check whether a domain is a sub-domain. If you specify two domains where one is a sub-domain of the other, IWSVA still treats them as independent domains.
Enable Advanced (other or multiple LDAP servers) and click Add New Domain or any existing LDAP domain name to view the details.
Enter or edit the following:
Domain name
Server type
Service account
Password
LDAP server hostname
Listening port number
LDAP port number
LDAP encryption
Base distinguished name (BDN)
Note: The default encryption method is None. If the LDAP server supports the LDAPv3 StartTLS extension or LDAP over SSL, select the appropriate encryption method.
For the Authentication Method, select one that meets your expectations, then enter your Kerberos domain or realm, the Kerberos server, and the Kerberos port.
For Authentication High Availability, you can enable additional server relationships for the same domain by selecting Enable additional LDAP servers for the same domain. Set the server relationship (Round Robin or Fail-over) and enter the names of any additional backup LDAP servers.
Configuring one domain is a considerable undertaking. To complete a simple configuration, use the auto-detect button provided in the Basic view. It automatically fills in the form, and you can then modify the domain configuration based on the auto-detected output. This button is only available for Microsoft Active Directory users in the Basic view.
To some extent, the authentication method settings depend on the LDAP vendor. Some authentication methods are only valid for certain vendors. The following table shows their relationship.
Pressing this button initiates a manual synchronization with the LDAP server to synchronize the user group information. This icon appears after successfully adding a new domain.
IWSVA supports high availability for LDAP authentication. You can specify one backup LDAP server that shares the same configuration as the primary one. Two high availability modes are supported:
Round Robin: By default, IWSVA alternately authenticates users with all LDAP servers.
Fail-over: When the primary server is down, IWSVA refers to other servers to authenticate users.
Each domain can configure only one BDN and LDAP server type, and the BDN should be unique from other domains.
When multiple domains are supported, you can use any account that belongs to any domain to log in. IWSVA first checks the domain names, then authenticates the user against the server of the matched domain. If no domain name has been entered, it uses the first one as the default login domain.
After your configuration is ready, click Save. Click Cancel to start over. After successfully saving your configuration, return to the LDAP server list.
The following conditions cannot be saved; you will be prompted with a corresponding error message:
No LDAP servers present
No BDN listed
Missing administrator account or password
Missing authentication information when choosing Advanced Authentication Mode
Failing to pass the LDAP connection test
Fixed TTL - Each record in the Client IP to User ID cache has its own expiration time. When a record reaches its expiration time, it is purged. The expiration time for a record is calculated as follows:
Expiration time = Record generation time + Fixed TTL
Last active TTL - When a record is added to the Client IP to User ID cache, it receives a pre-configured expiration interval, for example, 360 seconds. If the record is hit before its expiration time, the expiration interval is refreshed and becomes 360 seconds again. If a record is not hit during the expiration interval, it is purged.
By default, Last Active TTL is enabled.
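The two expiry policies differ only in whether a cache hit extends a record's life. The following simulation is an added example, not IWSVA code; the class name, the IP address and the 360-second interval are constructed, and an injectable clock stands in for wall-clock time so that the timeline can be replayed deterministically.

```python
import time


class UserIdCache:
    """Constructed model of a Client IP -> User ID cache with the two
    IWSVA expiry policies.

    mode="fixed":       expires_at = generation time + ttl; hits never extend it.
    mode="last_active": each hit resets the remaining lifetime to ttl.
    """

    def __init__(self, ttl, mode="last_active", clock=time.monotonic):
        if mode not in ("fixed", "last_active"):
            raise ValueError("unknown mode: %r" % mode)
        self.ttl, self.mode, self.clock = ttl, mode, clock
        self._records = {}  # ip -> (user_id, expires_at)

    def put(self, ip, user_id):
        self._records[ip] = (user_id, self.clock() + self.ttl)

    def get(self, ip):
        """Return the cached user ID, or None if absent or expired (purging it)."""
        rec = self._records.get(ip)
        if rec is None:
            return None
        user_id, expires_at = rec
        now = self.clock()
        if now >= expires_at:
            del self._records[ip]          # record's life is over: purge
            return None
        if self.mode == "last_active":     # a hit refreshes the interval
            self._records[ip] = (user_id, now + self.ttl)
        return user_id


class FakeClock:
    """Manually advanced clock so the simulation does not sleep."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


def simulate(mode, ttl=360, hits_at=(200, 400), check_at=700):
    """Add one record at t=0, hit it at the given times, then probe it at check_at."""
    clock = FakeClock()
    cache = UserIdCache(ttl, mode, clock)
    cache.put("10.0.0.5", "alice")         # constructed client IP / user
    results = []
    for t in list(hits_at) + [check_at]:
        clock.t = t
        results.append(cache.get("10.0.0.5"))
    return results
```

With fixed TTL the record dies at t=360 regardless of use, so the hit at t=400 already misses; with last-active TTL the hits at t=200 and t=400 push the expiry to t=560 and t=760, so the client is still mapped to the same user at t=700. A client that keeps generating traffic therefore stays mapped indefinitely in last-active mode, which matters on shared or NAT-ed addresses.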
Standard Authentication can be configured by selecting Standard Authentication (provided by the operating system or browser) option on the Administration > IWSVA Configuration > User Identification screen from the Web console.
In Standard Authentication, authentication is implemented through the authentication features provided by OS or browser.
When a client that is a member of the domain accesses the Web through a browser that supports NTLM authentication, no pop-up window appears to request authentication, because the authentication information is sent automatically by the browser.
If the client is not a member of the domain, the browser does not support NTLM authentication, or automatic authentication is disabled in the browser, a pop-up appears to request authentication, because automatic authentication cannot be performed.
IWSVA uses two authentication methods:
Standard Authentication (using the operating system or browser)
Captive Portal (customized authentication page delivered by IWSVA to the browser)
To configure Captive Portal, select the Captive Portal (Custom Authentication Page delivered by IWSVA to browser) option on the Administration > IWSVA Configuration > User Identification screen from the Web console.
If the Captive Portal is configured, the custom authentication page appears and authentication is requested the first time a domain-member client accesses the Web (automatic authentication is not performed transparently).
The login interface screen can be customized. The screen appears when users access the restricted network for the first time or users are not recognized by IWSVA.
IWSVA also provides an Advanced mode to create a customized Captive Portal by writing your own HTML. However, at the very least the following JavaScript must be inserted into the customized Captive Portal:
    <SCRIPT LANGUAGE="JavaScript">
    // Builds the guest-access URL: takes the original destination from the
    // "?forward=" query parameter of the portal URL (up to the "&IP" parameter)
    // and appends the guest-policy marker that IWSVA fills in.
    function accesspolicy() {
        var str1 = window.location.href;
        var s = str1.indexOf("?forward=");
        var d = str1.indexOf("&IP");
        var uri = str1.substring(s + 9, d) + "/$$$GUEST_POLICY$$$";
        return uri;
    }
    </SCRIPT>
    <form name="loginForm" method="POST" action="com.trend.iwss.gui.servlet.captiveportal">
      <tr>
        <td>User name: </td>
        <td><input name="username" type="text" class="button" size="24" /></td>
        <td> </td>
      </tr>
      <tr>
        <td>Password:</td>
        <td><input name="password" type="password" class="button" size="24" /></td>
        <td><input name="Submit" type="submit"></td>
      </tr>
    </form>
    <div class="accessmsg" [Display GuestPolicy Message...] >If you are a guest, please select the Guest Access option to access the Internet</div>
    <input name="Access" type="button" onclick="window.location.href=accesspolicy();" [Display GuestPolicy...]/>
This JavaScript is required for the Authentication Form, the Guest Access button, and the Event Handler to appear. Without this script, users will be unable to pass authentication.
You can enable guest access when the Allow Guest Login box is checked. When enabled, an additional button labeled Guest appears. Guests can access the Internet by selecting this button, however, their behavior is under the control of the guest policy. The guest policy automatically appears when guest access is enabled in the policy list. Otherwise, it is invisible.
In the Authentication Method section, select the Captive Portal (Custom Authentication Page delivered by IWSVA to browser) option.
Click the Allow Guest Login checkbox.
You can predesign a "look" for the Captive Portal page and save it as HTML. Match the look and feel of your own corporate branding through the use of colors, logos, and text. Copy and paste your customized HTML code into the empty box. Use the <%cred%> tag to display the login credentials and guest access buttons.
Click Preview Login Screen to view your results.
Click Save to preserve your settings.
Cookie mode is used for user identification in NAT and terminal server environments. To use Cookie Mode, ensure that Adobe Flash Player has been installed on the client machine and that browser cookies are enabled.
Cookie Mode is only available when user/group authentication is enabled and Captive Portal is selected.
Use the "Stay signed in" option on the Captive Portal login page to extend the cookie "lifetime" to up to one year. If the "Stay signed in" option is not selected, the cookie "lifetime" is one day.
(Not recommended) Logged events and reports will be anonymous; URL Filtering and other policies are created based on IP addresses.