Transparent identification process

Steps

  1. RADIUS Agent listens on port 1645 (the RADIUS authentication port) for authentication requests and detects users logging on to domains, or logging on to the RADIUS server directly.
    Note: If you are using RADIUS authentication in a specific Windows domain, run the RADIUS Agent service as a domain user, or as the default System account on a machine in that domain.
  2. When a remote user logs on to the network, the RADIUS client receives an authentication request and contacts the RADIUS Agent machine via port 1645.
  3. RADIUS Agent extracts the authentication request ID (a unique identifier), user name, and originating IP address and stores the data in a user name-to-IP-address map in local memory, and in the RadiusAgent.bak file.
    Note: If RADIUS Agent receives a new request from an IP address already included in its user map, it replaces the existing pair with the new pair.
  4. After extracting the required information, RADIUS Agent forwards the authentication request to the RADIUS server.
  5. The RADIUS server checks the user name and password entered against the corresponding account in the directory service, and then sends a response to RADIUS Agent indicating the status of the authentication request.
    Note: To configure the amount of time RADIUS Agent waits for a response from the RADIUS server before ending a query attempt, modify the Timeout parameter in the RADIUS configuration file (wsradius.ini). For more details, see Custom configuration for a RADIUS Agent instance and RADIUS Agent initialization parameters.

  6. RADIUS Agent evaluates the response from the RADIUS server. If the RADIUS message received is an authentication rejection, RADIUS Agent removes the corresponding entry from its user map.
    If the RADIUS packet received is an authentication acceptance, RADIUS Agent copies the corresponding entry to its main user map (a listing of full domain/user name/IP address entries).
  7. RADIUS Agent forwards the authentication response to the RADIUS client.
  8. RADIUS Agent sends user names and IP addresses to Filtering Service each time its user map is updated, using port 30800. Filtering Service records user name/IP address pairs to its own copy of the user map in local memory. No confidential information (such as user passwords) is transmitted.
    Note: If you configure RADIUS Agent to require authentication, the RADIUS Agent service checks the password provided by Filtering Service against the password you specified on the Settings > General > User Identification page in the Web Security module of the Forcepoint Security Manager. See Configuring RADIUS Agent settings in the Forcepoint Security Manager.
  9. Filtering Service queries User Service to get group information for user names in its copy of the user map. User Service queries the directory service for group information corresponding to those users, and sends the information to Filtering Service.
  10. Filtering Service applies policies to logged-on users. For more information about applying policies to directory clients, see the Administrator Help for your web protection solution.
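The following is an added simulation of the user-map lifecycle described in steps 3, 6 and 8; it is illustrative code written for this page, not Forcepoint's RADIUS Agent. It parses RADIUS packets per RFC 2865, stages each Access-Request by its request identifier, and on the matching response either drops the entry (Access-Reject) or promotes it to the main IP-to-user map and records the update that would be pushed to Filtering Service (Access-Accept). Assumptions: the "originating IP address" is read from the Framed-IP-Address attribute (falling back to NAS-IP-Address), the page does not name the attribute; the shared secret, user names and addresses are constructed sample values; and the Response Authenticator check is the RFC 2865 verification, added here so that a response not produced by the real RADIUS server cannot change the map, whether RADIUS Agent performs that check itself is not stated on the page.

```python
import hashlib
import hmac
import struct
from typing import Dict, List, Optional, Tuple

# Packet codes and attribute types defined in RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS, ATTR_FRAMED_IP_ADDRESS = 1, 4, 8
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)


def parse_packet(data: bytes) -> Tuple[int, int, int, bytes, Dict[int, bytes]]:
    """Return (code, identifier, length, authenticator, {attr_type: value}).

    The length field governs; every attribute is type(1) length(1) value,
    and any length that runs past the packet is rejected, not read."""
    if len(data) < HEADER_LEN:
        raise ValueError("packet shorter than the RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < HEADER_LEN or length > len(data):
        raise ValueError("length field inconsistent with packet size")
    attrs: Dict[int, bytes] = {}
    pos = HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length runs past the packet")
        attrs[atype] = data[pos + 2:pos + alen]
        pos += alen
    return code, ident, length, data[4:HEADER_LEN], attrs


def encode_attrs(attrs: List[Tuple[int, bytes]]) -> bytes:
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def build_packet(code: int, ident: int, auth: bytes, attrs: List[Tuple[int, bytes]]) -> bytes:
    """Serialise a packet; used here only to construct sample traffic."""
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(body)) + auth + body


def response_authenticator(code: int, ident: int, length: int, request_auth: bytes,
                           body: bytes, secret: bytes) -> bytes:
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(struct.pack("!BBH", code, ident, length) + request_auth + body + secret).digest()


def build_response(code: int, ident: int, request_auth: bytes,
                   attrs: List[Tuple[int, bytes]], secret: bytes) -> bytes:
    """Build an Access-Accept/Reject the way a RADIUS server would (sample traffic)."""
    body = encode_attrs(attrs)
    auth = response_authenticator(code, ident, HEADER_LEN + len(body), request_auth, body, secret)
    return build_packet(code, ident, auth, attrs)


class AgentUserMap:
    """pending: request id -> (user, ip, request authenticator)   (step 3)
       main:    ip -> user, the entry Filtering Service is told about (steps 6, 8)
       updates: what would be sent to Filtering Service on each map change (step 8)"""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.pending: Dict[int, Tuple[str, str, bytes]] = {}
        self.main: Dict[str, str] = {}
        self.updates: List[Tuple[str, str]] = []

    def on_request(self, data: bytes) -> Optional[Tuple[str, str]]:
        code, ident, _, req_auth, attrs = parse_packet(data)
        if code != ACCESS_REQUEST or ATTR_USER_NAME not in attrs:
            return None
        # Assumption: originating IP comes from Framed-IP-Address, else NAS-IP-Address.
        raw = attrs.get(ATTR_FRAMED_IP_ADDRESS) or attrs.get(ATTR_NAS_IP_ADDRESS)
        if raw is None or len(raw) != 4:
            return None
        user = attrs[ATTR_USER_NAME].decode("utf-8", "replace")
        ip = ".".join(str(b) for b in raw)
        self.pending[ident] = (user, ip, req_auth)
        return user, ip

    def on_response(self, data: bytes) -> str:
        code, ident, length, auth, _ = parse_packet(data)
        entry = self.pending.get(ident)
        if entry is None:
            return "unmatched"           # no outstanding request with this identifier
        user, ip, req_auth = entry
        expected = response_authenticator(code, ident, length, req_auth, data[HEADER_LEN:length], self.secret)
        if not hmac.compare_digest(auth, expected):
            return "bad-authenticator"   # not from the RADIUS server; keep waiting
        del self.pending[ident]
        if code == ACCESS_ACCEPT:
            self.main[ip] = user         # a new user at a known IP replaces the old pair
            self.updates.append((user, ip))
            return "accepted"
        return "rejected" if code == ACCESS_REJECT else "ignored"


def simulate() -> Tuple[Dict[str, str], List[Tuple[str, str]], List[str]]:
    """Constructed scenario: accept, forged accept then reject, and an IP re-used by a new user."""
    secret, agent, req_auth = b"constructed-shared-secret", AgentUserMap(b"constructed-shared-secret"), bytes(range(16))
    statuses = []
    agent.on_request(build_packet(ACCESS_REQUEST, 7, req_auth,
                                  [(ATTR_USER_NAME, b"jdoe"), (ATTR_FRAMED_IP_ADDRESS, bytes([10, 0, 0, 5]))]))
    statuses.append(agent.on_response(build_response(ACCESS_ACCEPT, 7, req_auth, [], secret)))
    agent.on_request(build_packet(ACCESS_REQUEST, 8, req_auth,
                                  [(ATTR_USER_NAME, b"guest"), (ATTR_FRAMED_IP_ADDRESS, bytes([10, 0, 0, 9]))]))
    statuses.append(agent.on_response(build_response(ACCESS_ACCEPT, 8, req_auth, [], b"wrong-secret")))
    statuses.append(agent.on_response(build_response(ACCESS_REJECT, 8, req_auth, [], secret)))
    agent.on_request(build_packet(ACCESS_REQUEST, 9, req_auth,
                                  [(ATTR_USER_NAME, b"asmith"), (ATTR_FRAMED_IP_ADDRESS, bytes([10, 0, 0, 5]))]))
    statuses.append(agent.on_response(build_response(ACCESS_ACCEPT, 9, req_auth, [], secret)))
    return agent.main, agent.updates, statuses
```

Keying the staging map by request identifier is what lets the agent correlate a response with the right user name/IP pair; keying the main map by IP is what makes the replacement behaviour in the step 3 note fall out naturally. The authenticator check is performed before the pending entry is removed, so a response that fails verification leaves the agent still waiting for the genuine one.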