2.0.2

Authentication methods

The authentication method used to validate users and query group information depends on the authentication rule setting. The following methods are available.

Active authentication

For active authentication, the FortiProxy unit challenges the client (usually the browser) with an HTTP authentication header. The header tells the browser which authentication method to expect. Once the browser has obtained the user name and credential, either from user input (basic or NTLM authentication) or from a background network request (Kerberos authentication), it sends the same request again to the FortiProxy unit, this time carrying the credential.

For some authentication methods, such as NTLM, there is an additional 407 (proxy) or 401 (server) challenge and response to exchange the information.

The “active” in active authentication means that the browser must respond to the challenge and is aware that authentication is required. In some cases, the browser needs to display a window to allow the user to enter a user name and password. If the browser or Windows OS does not store the user name and password (sometimes the user does not enable this option), every challenge displays a window for the user name and password, which can be annoying. Passive authentication resolves this issue.
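The challenge/response exchange described above, modelled end to end in Python. This is an added illustration and not FortiProxy's own code: the user store, realm name and header handling are constructed assumptions, and only the Basic scheme is implemented (NTLM and Kerberos carry different tokens in the same headers). The proxy side issues the 407 or 401 challenge naming the scheme, the browser side resends the identical request with the credential header, and the proxy validates it with a constant-time comparison so that timing does not reveal which user names exist.

```python
"""Active (challenge/response) HTTP authentication, proxy and browser sides.
Illustrative code, not FortiProxy's implementation."""
import base64
import hmac
from typing import Dict, Optional, Tuple

# Constructed credential store: user name -> password. A real proxy would
# verify against LDAP/AD or a hashed store, never a plaintext dictionary.
USERS: Dict[str, str] = {"alice": "correct horse", "bob": "battery staple"}
REALM = "example-proxy"  # assumed realm name

# An explicit proxy challenges with 407 + Proxy-Authenticate; a web server
# (or a transparent deployment acting as one) uses 401 + WWW-Authenticate.
HEADERS = {
    407: ("Proxy-Authenticate", "Proxy-Authorization"),
    401: ("WWW-Authenticate", "Authorization"),
}


def check_basic(token: str) -> Optional[str]:
    """Decode a Basic token; return the user name only if the password matches."""
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
        user, _, password = decoded.partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    # Always compare, even for unknown users, so response time does not
    # differ between "no such user" and "wrong password".
    expected = USERS.get(user, "")
    ok = hmac.compare_digest(expected.encode(), password.encode())
    return user if ok and user in USERS else None


def proxy_handle(headers: Dict[str, str], status_on_fail: int = 407
                 ) -> Tuple[int, Dict[str, str], Optional[str]]:
    """Proxy side: return (status, response headers, authenticated user)."""
    challenge_hdr, credential_hdr = HEADERS[status_on_fail]
    credential = headers.get(credential_hdr)
    if credential:
        scheme, _, token = credential.partition(" ")
        if scheme.lower() == "basic":
            user = check_basic(token.strip())
            if user:
                return 200, {}, user
    # Missing or bad credential: challenge, naming the scheme to use.
    return status_on_fail, {challenge_hdr: f'Basic realm="{REALM}"'}, None


def client_respond(request: Dict[str, str], status: int,
                   response_headers: Dict[str, str],
                   user: str, password: str) -> Dict[str, str]:
    """Browser side: read the challenge, resend the same request plus credential."""
    challenge_hdr, credential_hdr = HEADERS[status]
    scheme = response_headers[challenge_hdr].split(" ", 1)[0]
    if scheme.lower() != "basic":
        raise NotImplementedError(f"{scheme} needs an NTLM/Kerberos token")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {**request, credential_hdr: f"Basic {token}"}


def run_exchange(user: str, password: str, status_on_fail: int = 407
                 ) -> Tuple[int, int, Optional[str]]:
    """Drive the exchange; return (round trips, final status, authenticated user)."""
    request = {"Host": "example.com"}          # first request carries no credential
    status, resp_headers, who = proxy_handle(request, status_on_fail)
    rounds = 1
    if status in HEADERS:                      # challenged: answer it once
        request = client_respond(request, status, resp_headers, user, password)
        status, resp_headers, who = proxy_handle(request, status_on_fail)
        rounds = 2
    return rounds, status, who


if __name__ == "__main__":
    print(run_exchange("alice", "correct horse"))       # (2, 200, 'alice')
    print(run_exchange("alice", "wrong", 401))          # (2, 401, None)
```

Every failed second round ends in another 407/401 carrying the same challenge, which is exactly the repeated credential prompt the passive method avoids; on a real proxy those repeated challenges for one source are also the signal worth logging.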

Passive authentication

Sometimes, when the user has already logged on to the system (that is, logged on to the Windows domain through the domain controller) with authentication, the administrator does not want the FortiProxy unit to authenticate the user again. To avoid re-authentication, the FortiProxy unit is integrated into the IT environment. This is single sign-on (SSO), or passive authentication.

In the following figure, the Collector agent software is pre-installed on the domain controller. The Collector agent monitors user logon events and sends this information, including the user name, IP address, and group membership, to the FortiProxy unit.

When the FortiProxy unit enforces authentication, it tries to resolve the user from the source IP address. Because the mechanism uses the network address (here, the IP address) to map the user, it requires a unique IP address per user.

In a Citrix-like environment where multiple users share the same address, a terminal service (TS) agent is the solution. The TS agent is installed on the terminal server and allocates a different source port range to each user, so the FortiProxy unit can still resolve the user from the shared IP address combined with the source port range. The TS agent also provides user logon information to the Collector agent on the network. The FortiProxy unit then uses this information to authenticate the user in security policies. See the following figure.

IP-based authentication

With IP-based authentication, the FortiProxy unit builds a mapping between IP addresses and users. This is what passive authentication uses, with the mapping information supplied by the DC agent or the TS agent. In active authentication, after the user is authenticated successfully, the FortiProxy unit maps the IP address to the user, and further traffic from the same IP address does not require re-authentication, which can improve throughput. The IP-address-to-user mapping can be many-to-one, which means a user can be authenticated from multiple IP addresses.

Session-based authentication

Session-based authentication means that every new connection needs re-authentication. In addition, authentication must use the same connection, which is why form-based authentication cannot use session-based authentication.
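The passive, IP-based and session-based behaviour described in the last four sections, worked through as one Python model. This is an added example, not FortiProxy's code: the agent records, the terminal-server port ranges, the connection samples and the `active_auth` callback are constructed assumptions. The resolver consults TS agent port ranges before plain DC/Collector agent IP records (so a shared terminal-server address is not misattributed to whichever user logged on last), tolerates one user appearing behind several IPs, and shows how IP-based mode caches a successful active authentication per address while session-based mode re-authenticates every new connection.

```python
"""User resolution from agent data, plus IP-based vs session-based caching.
Illustrative code, not FortiProxy's implementation."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class LogonRecord:        # what the DC agent / Collector agent reports
    user: str
    ip: str
    groups: List[str]


@dataclass
class PortRange:          # what the TS agent allocates per user on a shared IP
    user: str
    ip: str
    first_port: int
    last_port: int
    groups: List[str]


class UserResolver:
    """Passive resolution: map (source IP, source port) to (user, groups)."""

    def __init__(self) -> None:
        self.by_ip: Dict[str, LogonRecord] = {}
        self.ts_ranges: Dict[str, List[PortRange]] = {}

    def collector_update(self, rec: LogonRecord) -> None:
        self.by_ip[rec.ip] = rec                  # latest logon wins per IP

    def ts_agent_update(self, pr: PortRange) -> None:
        self.ts_ranges.setdefault(pr.ip, []).append(pr)

    def resolve(self, ip: str, port: int) -> Optional[Tuple[str, List[str]]]:
        # A terminal-server address is shared: the port range decides the user.
        for pr in self.ts_ranges.get(ip, []):
            if pr.first_port <= port <= pr.last_port:
                return pr.user, pr.groups
        if ip in self.ts_ranges:
            return None        # shared address, port outside any allocation
        rec = self.by_ip.get(ip)
        return (rec.user, rec.groups) if rec else None


class AuthState:
    """IP-based mode caches users per IP; session-based mode never does."""

    def __init__(self, mode: str) -> None:
        assert mode in ("ip", "session")
        self.mode = mode
        self.ip_cache: Dict[str, str] = {}

    def cached_user(self, ip: str) -> Optional[str]:
        return self.ip_cache.get(ip) if self.mode == "ip" else None

    def record_success(self, ip: str, user: str) -> None:
        if self.mode == "ip":
            self.ip_cache[ip] = user


def process_connection(resolver: UserResolver, state: AuthState,
                       ip: str, port: int,
                       active_auth: Callable[[], Optional[str]]
                       ) -> Tuple[Optional[str], str]:
    """Return (user, how) where how is cached, passive, active or denied."""
    user = state.cached_user(ip)
    if user:
        return user, "cached"                     # IP-based: no re-auth needed
    hit = resolver.resolve(ip, port)
    if hit:
        state.record_success(ip, hit[0])
        return hit[0], "passive"                  # SSO from agent data
    user = active_auth()                          # fall back to a challenge
    if user:
        state.record_success(ip, user)
        return user, "active"
    return None, "denied"


def build_sample_resolver() -> UserResolver:
    """Constructed agent feed: alice on two workstations, bob/carol on a TS."""
    r = UserResolver()
    r.collector_update(LogonRecord("alice", "10.0.0.5", ["staff"]))
    r.collector_update(LogonRecord("alice", "10.0.0.6", ["staff"]))   # many-to-one
    r.ts_agent_update(PortRange("bob", "10.0.0.9", 5000, 5999, ["staff"]))
    r.ts_agent_update(PortRange("carol", "10.0.0.9", 6000, 6999, ["admins"]))
    return r


if __name__ == "__main__":
    res, st = build_sample_resolver(), AuthState("ip")
    print(process_connection(res, st, "10.0.0.9", 6100, lambda: None))   # carol, passive
    print(process_connection(res, st, "10.0.0.77", 40000, lambda: "dave"))  # dave, active
    print(process_connection(res, st, "10.0.0.77", 40001, lambda: None))    # dave, cached
```

Two points follow directly from the model: the unresolved branch on a shared address returns nothing rather than guessing, which is the failure mode the TS agent exists to prevent, and in IP-based mode the cache entry outlives the connection, so a cached address must be expired or cleared on logoff events from the agent or it keeps granting the previous user's identity.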
