Authentication Methods
You can use the listed authentication methods. However, some only work with transparent authentication policies and others only work with non-transparent policies but some also work with both.
Method | Description | Policy Type |
---|---|---|
No authentication | Identifies users by their IP address only. All requests are assigned to the Unauthenticated IPs user group. | Both |
Negotiate Kerberos/NTLM |
Negotiates with the device to determine whether it uses Kerberos or NTLM authentication. This is useful for devices that support various authentication methods, such as browsers and software applications. The Smoothwall Filter offers both methods to the device so that it can use the most secure method that it supports. The account specified on the Directories page must have permission to connect the device to the domain. Note: Devices must be connected to the same Active Directory domain for this to work seamlessly. However, devices not connected to the domain can still use this authentication method. Typically done by requesting the user to enter valid domain credentials. |
Non-Transparent |
Negotiate Kerberos/NTLM (Terminal Services compatibility mode) |
Negotiates with the device to determine whether it uses Kerberos or NTLM authentication. This is useful for devices that support various authentication methods, such as browsers and software applications. The Smoothwall Filter offers both methods to the device so that it can use the most secure method that it supports. The account specified on the Directories page must have permission to connect the device to the domain. This method works with network devices using Microsoft Terminal Services (Remote Desktop Connections), where multiple users might connect from the same IP address. However, authentication policies that use this method won't work with user groups when configuring firewall rules, see our help topic, Adding new Smoothwall Firewall rules. Note: Devices must be connected to the same Active Directory domain for this to work seamlessly. However, devices not connected to the domain can still use this authentication method. Typically done by requesting the user to enter valid domain credentials. |
Non-Transparent |
Kerberos | Identifies users by using the Kerberos keytab added to the Smoothwall Filter, see our help topic, Adding Kerberos keytabs. | Non-Transparent |
Kerberos (Terminal Services compatibility mode) | Identifies users by using the Kerberos keytab added to the Smoothwall Filter, see our help topic, Adding Kerberos keytabs. This method is designed to work with network devices using Microsoft Terminal Services (Remote Desktop Connections), where multiple users might be connecting from the same IP address. However, authentication policies that use this method won't work with user groups when configuring firewall rules, see our help topic, Adding new Smoothwall Firewall rules. | Non-Transparent |
Proxy authentication | Identifies users by requesting a username and password from the user’s browser. This authentication method prompts users to enter a username and password when they try to use their web browser. The username and password details are encoded in all future requests made through the browser. | Non-Transparent |
Proxy authentication (Terminal Services compatibility mode) | Identifies users by requesting a username and password from the user’s browser. This method is designed to work with network devices using Microsoft Terminal Services (Remote Desktop Connections), where multiple users might be connecting from the same IP address. However, authentication policies that use this method won't work with user groups when configuring firewall rules, see our help topic, Adding new Smoothwall Firewall rules. | Non-Transparent |
NTLM identification |
Identifies users based on the username used to log on to their Windows-based device. Note: NTLM identification doesn't verify a user's credentials. You should only use it where all devices are secured and are members of a Windows domain. Unsecured devices can spoof their credentials. The Smoothwall Filter supports NTLM on Microsoft operating system software and browsers only. NTLM should not be used with any other browser or platform, even if the platform claims to support NTLM. NTLM should only be used on single domain networks because the protocol doesn't support the transmission of domain information with usernames. |
Non-Transparent |
NTLM identification (Terminal Services compatibility mode) |
Identifies users based on the username used to log on to their Windows-based device. It can be used in conjunction with Microsoft Terminal Services. This method works with network devices using Microsoft Terminal Services (Remote Desktop Connections), where multiple users might be connecting from the same IP address. However, authentication policies that use this method won't work with user groups when configuring firewall rules, see our help topic, Adding new Smoothwall Firewall rules. Note: NTLM identification doesn't verify a user’s credentials. You should only use it where all devices are secured and are members of a Windows domain. Unsecured devices can spoof their credentials. The Smoothwall Filter supports NTLM on Microsoft operating system software and browsers only. NTLM mode should not be used with any other browser or platform, even if the platform claims to support NTLM. NTLM should only be used on single domain networks because the protocol doesn't support the transmission of domain information with usernames. |
Non-Transparent |
NTLM authentication |
Identifies users based on the username used to log on to their Windows-based device and validates their credentials with the domain controller. However, there must be a device account for the Smoothwall Filter in the Active Directory and the account specified on the Directories page must have permission to connect the device to the domain. Note: The Smoothwall Filter supports NTLM on Microsoft operating system software and browsers only. NTLM mode should not be used with any other browser or platform, even if the platform claims to support NTLM. NTLM should only be used on single domain networks because the protocol doesn't support the transmission of domain information with usernames |
Non-Transparent |
NTLM authentication (Terminal Services compatibility mode) |
Identifies users according to the username logged into their Windows-based device and validate their credentials with the domain controller. Can be used in conjunction with Microsoft Terminal Services. However, there must be a device account for the Smoothwall Filter in Active Directory and the account specified on the Directories page must have permission to connect the device to the domain. This method is designed to work with network devices using Microsoft Terminal Services (Remote Desktop Connections), where multiple users might be connecting from the same IP address. However, authentication policies that use this method won't work with user groups when configuring firewall rules, see our help topic, Adding new Smoothwall Firewall rules. Note: The Smoothwall Filter supports NTLM on Microsoft operating system software and browsers only. NTLM mode should not be used with any other browser or platform, even if the platform claims to support NTLM. NTLM should only be used on single domain networks because the protocol doesn't support the transmission of domain information with usernames. |
Non-Transparent |
Redirect users to SSL Login page (with background tab) | Identifies users with the authentication service. If no user is logged in, redirect web requests to the SSL Login page, which checks their username and password. The authentication service supports only one user per device IP address. Using this method, the SSL Login page refreshes itself automatically so that the authentication time-out period doesn't elapse. Because of this, the user must always leave the SSL Login page open. Select this method if a user’s browser can't accept cookies. This method is also suitable if a user’s browser plug-ins or applications need the authenticated session to remain active. SSL login is more secure than Ident or web proxy authentication because the authentication process between the user’s device and the Smoothwall Filter is encrypted. To securely sign out, the user must click Logout on the SSL Login page, see our help topic, Customizing the SSL Login Page. | Both |
Redirect users to SSL Login page (with session cookie) | Identifies users with the authentication service. If no user is logged in, redirect web requests to the SSL Login page, which checks their username and password. The authentication service supports only one user per device IP address. Using this method stores a session cookie on the user’s browser. The cookie removes the need for the user to reauthenticate. This method is useful for users of tablet PCs and other mobile devices, which have problems keeping tabs in browsers open in the background. SSL login is more secure than Ident or web proxy authentication because the authentication process between the user’s device and the Smoothwall Filter is encrypted. To securely sign out, the user must click Logout from the SSL Login page, see our help topic, Customizing the SSL Login Page. | Both |
Redirect users to non-SSL login page (with background tab) |
If a user’s browser can't accept cookies or if a user’s browser plug-ins or applications need the authenticated session to remain active. If the device isn't logged in, web requests are redirected to the non-SSL login page, which checks their username and password. The authentication service supports only one user per device IP address. Using this method, the non-SSL login page automatically refreshes itself so that the authentication time-out period doesn't elapse. Because of this, the user must always leave the non-SSL login page open. To securely sign out, the user must click Logout on the non-SSL login page, see our help topic, Customizing the SSL Login Page. Note: This page isn't secure because it uses HTTP to submit the username and password, but avoids the certificate needed for SSL login. |
Both |
Redirect users to non-SSL login page (with session cookie) |
This method is useful for users of tablets and other mobile devices, which have problems keeping tabs in browsers open in the background. If the device isn't logged in, web requests are redirected to the non-SSL Login page, which checks their username and password. The authentication service supports only one user per device IP address. Using this method, the Smoothwall stores a session cookie in the user’s browser. The cookie removes the need for the user to re-authenticate. To securely sign out, the user must click Logout from the non-SSL Login page, see our help topic, Customizing the SSL Login Page. Note: The page isn't secure because it uses HTTP to submit the username and password, but avoids the certificate needed for SSL login. |
Both |
Core authentication | Identifies users with the authentication service. If the user hasn't authenticated, they're identified by their IP address because authentication service supports only one user by device IP address. The request is assigned to the Unauthenticated IPs group. If an unauthenticated request ends up at a block page, if configured, the user can go to the SSL or non-SSL login page to attempt authentication. This way, you can control what sites anonymous users can access, with authenticated users gaining a higher level of access. | Both |
Ident | Identifies users according to the username returned by an Ident server running on their device. Ident doesn't verify a user’s credentials. It should only be used where all device devices are secured and running an Ident server controlled by the network administrator. Unsecured devices can spoof their credentials. The Smoothwall Filter supports Ident for compatibility with any Ident networks your organization might already be using. Networks supporting Ident authentication need an Ident server application to be installed on all devices that can be queried by Ident systems. The user doesn't need to enter their username because it's automatically supplied by the Ident server application. Once a user’s Ident server has identified the user, the user’s web activities are filtered according to their authentication group membership. Refer to the Ident server’s administrator's guide. | Non-Transparent |
Identification by location | Identifies users by their IP address. Assign a group based on the identification by location policy configured for their location. Identification by location is typically used where certain devices don't support the authentication method used by the rest of the network, see our help topics, Configuring identification by location and, Creating location objects. | Both |
Negotiate Kerberos/NTLM (via redirect) |
Negotiates with the device to identify whether it uses Kerberos or NTLM authentication. This is useful for devices that support various authentication methods, such as browsers and software applications. The Smoothwall Filter offers both methods to the device so that it can use the most secure method that it supports. The account specified on the Directories page must have permission to connect the device to the domain. Note: Devices must be connected to the same Active Directory domain for this to work seamlessly. However, devices not connected to the domain can still use this authentication method. Typically done by requesting the user to enter valid domain credentials. |
Transparent |
Kerberos (via redirect) | Identifies users with the authentication service. If no user is logged in, redirect Web requests to the Kerberos sign-in page, which obtains the username logged into their Windows-based device, see our help topic, Adding Kerberos keytabs. The authentication service supports only one user per device IP address. | Both |
Smart redirect | Identifies the user’s device to redirect them to an NTLM authentication service, or an SSL login service. This redirect is based on the User-Agent data received in the browser’s HTTP header packet. This is a best-guess scenario, based on pattern-matching and compatibility. On the user activity page, smart redirected users show the authentication method used, not Smart redirect, see our help topic, Banning or logging a user out. | Both |
NTLM identification (via redirect) | Identifies users with the authentication service. If no user is logged in, redirect Web requests to the NTLM sign-in page, which obtains the username logged into their Windows-based device. The authentication service supports only one user per device IP address. This option is for backward compatibility with earlier versions of the Smoothwall Filter. | Both |
NTLM authentication (via redirect) | Identifies users with the authentication service. If no user is logged in, redirect Web requests to the NTLM sign-in page, which obtains the username logged into their Windows-based device and validates their credentials with the domain controller. The authentication service supports only one user per device IP address. This option is for backward compatibility with earlier versions of the Smoothwall Filter. | Both |
Global Proxy using NTLM |
Identifies users using the Secure Global Proxy service. Users must be logged in using NTLM credentials. You can implement device authentication using certificates on your devices. For a detailed description of how to configure these, see our help topic, About the global proxy. Note: Even if your Smoothwall Filter has multiple internal interfaces, you can only create one Global Proxy using NTLM authentication policy. Turning on this policy adds the Smoothwall Firewall rules to allow external access to the proxy port automatically. |
Non-Transparent |