Enable browser-based user authentication on the Secure SD-WAN Engine

Browser-based user authentication is configured in the properties of the Secure SD-WAN Engine.

For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Right-click an Secure SD-WAN Engine, then select Edit <element type>.
  2. Browse to Add-Ons > User Authentication.
  3. Select HTTPS to allow authentication using encrypted HTTPS connections and HTTP to allow authentication using plain HTTP connections.
    CAUTION:
    Plain HTTP connections are unsecured and transfer the user name and password in cleartext. Use encrypted HTTPS connections to avoid loss of sensitive information.
  4. (Optional) Change the port settings if you want to use a different port for the authentication interface.
    You must use the same port settings when you define the IPv4 or IPv6 Access rules that allow the authentication connections.
  5. (Optional) Select Always Use HTTPS if the Secure SD-WAN Engine also listens on other ports and you want to redirect the connections to the HTTPS port and enforce the use of HTTPS.
    Example: The Secure SD-WAN Engine listens on port 80, but you want to redirect connections to port 443.
  6. (Recommended) To prevent unauthorized access to resources, select the interfaces through which users can authenticate to the Secure SD-WAN Engine in the Listen on Interfaces section.
  7. From the User Authentication Page drop-down list, select a User Authentication Page element.
    The User Authentication Page element defines the look of the logon page, challenge page, and status page shown to end users when they authenticate.
  8. (Optional) Select Enable Session Handling to enable cookie-based strict session handling.
    If the option is selected, the end user must keep the status page open. If the status page is closed or cannot be refreshed, the connection is terminated.
  9. (Optional) Select Refresh Status Page Every, then define how often the status page is automatically refreshed.
    • The option is automatically selected when you select Enable Session Handling.
    • If the option is selected, the end user must keep the status page open. If the status page is closed or cannot be refreshed, the connection is terminated.
  10. (Optional) Browse to Advanced Settings > Authentication, then configure advanced settings for browser-based user authentication.

Engine Editor > Add-Ons > User Authentication

Use this branch to enable user authentication. You can configure authentication using HTTP connections or encrypted HTTPS connections.

Option Definition
Authentication Time-Out Defines the length of time after which authentication expires and users must re-authenticate.
Authentication Idle Time-Out Defines an idle timeout for user authentication. If there have been no new connections within the specified time limit after the closing of a user's previous connection, the user is removed from the list of authenticated users.
HTTP When selected, allows authentication using plain HTTP connections. Change the Port number if you want to use a different port for the authentication interface. The default port is 80.
HTTPS When selected, allows authentication using encrypted HTTPS connections. Change the Port number if you want to use a different port for the authentication interface. The default port is 443.

This option is required for client certificate authentication.

HTTPS Settings Opens the Browser-Based User Authentication HTTPS Configuration dialog box.
TLS Profile The TLS Profile element that defines TLS settings for HTTPS connections for authentication, and the trusted certificate authority for client certificate authentication. Click Select to select an element.

This option is required for client certificate authentication.

Use Client Certificates for Authentication When selected, the Secure SD-WAN Engine allows users to authenticate using X.509 certificates. Client certificate authentication is supported for browser-based user authentication.
Always Use HTTPS When selected, redirects connections to the HTTPS port and enforces the use of HTTPS if the Secure SD-WAN Engine also listens on other ports.
Listen on Interfaces Restricts the interfaces that users can authenticate through.
  • All — Users can authenticate through all interfaces.
  • Selected — Users can only authenticate through the selected interfaces.
User Authentication Page Select the User Authentication Page element that defines the look of the logon, challenge, re-authentication, and status page shown to end users when they authenticate.
Enable Session Handling

(Optional)

When selected, enables cookie-based strict session handling.
Note: When Enable Session Handling is selected, the Authentication Idle Time-Out option is not available. The Refresh Status Page Every option defines the authentication timeout.
Refresh Status Page Every

(Optional)

Defines how often the status page is automatically refreshed. When Enable Session Handling is selected, defines the authentication timeout.

Engine Editor > Advanced Settings > Authentication

Use this branch to configure advanced settings for user authentication.

Option Definition
Default User Domain The default LDAP domain from which the Secure SD-WAN Engine looks up users.
Note: This setting applies to all user authentication, including browser-based user authentication, VPN clients, and the SSL VPN Portal.
Allow user lookup from known User Domain matching to client certificate email domain or UPN suffix When selected, the Secure SD-WAN Engine looks up the user from the domain specified in the email address or user principal name before looking up the user in the default domain.
Note: This option is ignored when the value of the Client Certificate Identity Field for TLS option is Distinguished Name.
Client Certificate Identity Field for TLS The attribute that is used to look up the user entry from the user domain when using TLS. The Secure SD-WAN Engine only uses values from the Active Directory or LDAP server that is associated with the global default LDAP domain or the engine-specific default user domain.
  • User Principal Name — The User Principal Name attribute on the Attributes tab of the Active Directory Server or LDAP Server element is used.
  • Email — The E-mail attribute on the Attributes tab of the Active Directory Server or LDAP Server element is used.
  • Distinguished Name — The specified value in the distinguished name is used.
    Note: If you select Distinguished Name, you must specify the identity search value on the Client Certificate tab of the Active Directory Server or the LDAP Server Properties dialog box.
Root Password Login Select one of the following options:
  • Login Allowed via SSH and Console: The root password login to an engine is allowed via SSH and console.
    Note: By default, this option is selected if the engine is upgraded.
  • Login Allowed via Console Only: The root password login to an engine by using SSH is not allowed. But root password login by using console is allowed.
    Note: By default, this option is selected when we create a new engine.
  • Root Account Disabled (Super User Privileges through sudo): The root password login to an engine is disabled.
Authentication Method Select an authentication method element from the available options:
  • Local Password: Allows authentication using the local password.
  • [Select…]: Select this option to view the available radius authentication method elements.
    Note: The authentication method options are displayed as per the radius authentication server elements that are configured. For more details on how to create a radius authentication server element, refer to the Define Authentication Method elements for external servers topic.
SSH Passwordless Login Select one of the following options:
  • Allow: The SSH password less login is allowed.
  • Deny: The SSH password less login is denied.
Note: This applies only to administrators replicated on the engine. For more details on administrator account replication, refer to the Add administrator accounts topic.