c_userid_policy
By default, Deep Edge only allows traffic that is explicitly allowed by policy rules. Users from specified IP addresses are identified using User Identification and authentication methods. Other policies are enforced by source and destination IP address, profiles, service, schedule, and/or application type.
A user identification Agent is a Deep Edge application installed on your network to obtain needed mapping information between IP addresses and network users. The UserID Agent collects user-to-IP address mapping information automatically and provides it to the firewall for use in security policies and logging.
Administrator can configure specific IP addresses or IP address ranges to use specific authentication approaches:
For transparent authentication, Deep Edge retrieves the login log information from the Domain Controller periodically, which makes it possible to map a user to an IP address. If this fails, Deep Edge directly connects to the client machine (the one trying to access a location outside the network) to query for the current logged-in user. (This requires that the LDAP settings account has the appropriate privileges.)
For captive portal, if an IP address is not authenticated yet, and if the current request is a HTTP request, the user is directed to a web page to provide domain account login information.
For user/group information, Deep Edge periodically synchronizes the overall LDAP user tree to a local cache. Subsequent user-group relationship queries are resolved locally.
User identification mapping requires that the firewall obtain the source IP address of the user before the IP address is translated with NAT. If multiple users appear to have the same source address, due to NAT or use of a proxy device, accurate user identification is not possible.
The list of UserID policies uses the Policies > Objects > Addresses entries.
The custom captive portal sign-in can be accessed from the Policies > User Id Settings > Captive Portal page. If the UserID Agent is unable to associate a user with an IP address, a captive portal can take over and authenticate the user. For more information, see About Captive Portal.
See also: