Internet Access Management: Authentication

The document discusses different types of user authentication methods for an Internet access management device, including: 1. IP/MAC address authentication, username/password authentication, single sign-on authentication, DKey authentication, WeChat authentication, and SMS authentication. 2. It provides details on how each authentication method works and when they should be used. 3. It also discusses how to configure password policies, force initial users to change their passwords, and set up authentication methods for different user groups like offices and public areas.

Uploaded by

nazri prop

Internet Access Management: Authentication

Sangfor Technologies
www.sangfor.com
Authentication Introduction
The users managed by the IAM device are the end users who access the Internet through the IAM device; therefore, users are the basic units to which network access privileges are allocated. Administrators manage users and their privileges through the [Group/User] page.

SANGFOR IAM Authentication Types:
1. Authentication based on IP, MAC/Hostname
2. Username/Password Authentication
3. SSO Authentication
4. DKey Authentication
5. WeChat Authentication
6. SMS Authentication
Authentication Introduction
1. None/SSO
This authentication identifies users according to the source IP address, MAC address or computer name. Its advantage is that no authentication dialogue asks users to type a username and password, so users do not perceive the existence of the IAM device. Its disadvantage is that it cannot identify the specific name of the user and therefore cannot attribute network behaviour to a specific person, especially in an environment where addresses are dynamically allocated; in that situation policies cannot enforce accurate control on the user.
Authentication Introduction
2. Username/Password Authentication
• Username/password authentication redirects the browser to the authentication page and requires the user to enter a correct username and password before they can connect to the Internet. There are two types of password authentication: passwords authenticated locally on the device and passwords authenticated on an external server.
• After the user enters a username and password, the device first checks them against the local user list. If the user is not found in the local user list and an external authentication server has been configured, the device then checks the username and password on the external server.
• You can create users manually on the IAM, or you can use external server accounts and passwords directly (SANGFOR IAM supports LDAP, RADIUS, POP3, database, H3C CAMS, H3C IMC and other external authentication).
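The lookup order described above (local user list first, external server only when the username is absent locally), simulated as an added Python example; this is not Sangfor's code. The class names, the salted PBKDF2 storage of local passwords, and the sample accounts are assumptions constructed for the demo. Note the edge case it makes visible: a user who exists locally but types a wrong password is rejected locally and is never forwarded to the external server.

```python
"""Added example (not Sangfor code): the username/password lookup order
described on the slide. The local user list is consulted first; an external
server is consulted only when the username is absent locally. Names such as
LocalUserStore, ExternalServer and authenticate are assumptions."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the local list never stores clear-text passwords
    # (a design choice of this example, not something the slide specifies).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class LocalUserStore:
    users: dict = field(default_factory=dict)  # username -> (salt, hash)

    def add(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, _hash(password, salt))

    def has_user(self, username: str) -> bool:
        return username in self.users

    def verify(self, username: str, password: str) -> bool:
        salt, expected = self.users[username]
        return hmac.compare_digest(_hash(password, salt), expected)


class ExternalServer:
    """Stand-in for LDAP/RADIUS/POP3: a constructed directory for this demo."""

    def __init__(self, directory: dict):
        self._directory = directory
        self.queries = 0  # lets us observe whether the fallback was actually used

    def verify(self, username: str, password: str) -> bool:
        self.queries += 1
        return self._directory.get(username) == password


def authenticate(username, password, local, external=None):
    """Return (accepted, source) following the slide's order."""
    if local.has_user(username):
        # A locally known user is decided locally; a wrong password is NOT forwarded.
        return (local.verify(username, password), "local")
    if external is not None:
        return (external.verify(username, password), "external")
    return (False, "none")


# Constructed sample data
LOCAL = LocalUserStore()
LOCAL.add("alice", "S3cure!Pass")
EXTERNAL = ExternalServer({"bob": "Ext3rnal!Pass", "alice": "SomethingElse"})

if __name__ == "__main__":
    print(authenticate("alice", "S3cure!Pass", LOCAL, EXTERNAL))    # (True, 'local')
    print(authenticate("alice", "SomethingElse", LOCAL, EXTERNAL))  # (False, 'local')
    print(authenticate("bob", "Ext3rnal!Pass", LOCAL, EXTERNAL))    # (True, 'external')
    print(authenticate("carol", "x", LOCAL, None))                  # (False, 'none')
```

The `queries` counter on the external stand-in is the useful check: after the four calls above it is 1, because only "bob" reached the external server. Operationally this means that a local account shadows any external account with the same username, so local and external user lists should be kept consistent.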
Authentication Introduction
3. SSO
SSO means that, if the network already has an authentication system deployed, the IAM device works with that system to identify the user behind a given IP address, so that the user is not asked to type a username/password again when connecting to the Internet.

At present, the following types of SSO are supported:
- Active Directory Domain SSO
- Proxy SSO
- POP3 SSO
- Web SSO
- IWA SSO
- Radius SSO
- PPPoE SSO
- SANGFOR Appliance SSO
Authentication Introduction
4. DKey Authentication
• Users adopting DKey authentication submit the user information saved in the DKey to the IAM device, which then identifies the user from the DKey authentication information. Among the four authentication methods, DKey authentication has the highest priority: if you insert a DKey into a computer that is already authenticated by another method, the identity of the computer changes to the DKey user with the corresponding privileges.
• There are two types of DKey: the authentication DKey and the audit-free DKey. The audit-free DKey not only authenticates but also carries the privilege of being exempt from auditing by the IAM device, which means the IAM device neither monitors nor records the behaviour of an audit-free DKey user.
Authentication Introduction
(Figure: DKey colour legend. Green: DKey authentication. Purple: audit-free authentication. Brown: datacenter query.)
Authentication Introduction
5. WeChat Authentication
• WeChat authentication has four types: single-click (hyperlink), single-click (third-party authentication), QR code scan (WeChat favourite), and QR code scan (developer mode).
• To use this authentication method, the user must have "WeChat" installed on their mobile device.
• This authentication method collects the user's information for marketing purposes.
Authentication Introduction
6. SMS Authentication
• Some organisations are required to authenticate online users in their environment with a genuine identity. Their marketing team may also want to keep track of these users and their information for marketing purposes.
• With SMS authentication, guest users are required to fill in their mobile phone number and obtain a "code" generated by the IAM and sent via SMS through a courier service provider.
• The guest is required to key in the "code" received in order to go online.
User Authentication map
Manage and separate users effectively using the organisational structure.

(Diagram: user authentication flow. Unauthorised user: limited access. Authorised user: redirection.)

Columns in the diagram: Local, External, Invisible, New authentication.
- Methods shown in the Local/External/Invisible columns: IP/MAC, Password, USB-Key, SMS, LDAP, POP3/Proxy/AD SSO, RADIUS, POP3, WeChat, Web SSO, PPPoE SSO, Database, Third-party SSO
- New authentication: Auto Group, Auto authenticate, Auto privilege
Scenario
A company has an office area and a public area. Office users (192.168.1.0/24) must not be able to modify their IP and MAC addresses; public-area users (192.168.2.0/24) need username/password authentication; in addition, the manager's Internet access records must not be audited.

(Topology diagram: Firewall, Core SW, and three user areas: Manager, Office, Public.)

Scenario
According to the customer's requirements, the IAM can be deployed between the firewall and the core switch:
1. Office users use IP/MAC binding authentication.
2. Public users use password authentication.
3. The manager uses an audit-free KEY.

(Topology diagram: Firewall, IAM, Core SW, and three user areas: Manager, Office, Public.)
Configure steps
1. Add Authentication Policy
• The IAM device determines the authentication method of a user according to the configured IP or MAC address.

2. Manually/automatically add new users
• New users can be edited manually; you can define user-specific authentication information, including username/password, enabling DKEY, and IP/MAC binding.
• Alternatively, configure an authentication policy to add users automatically.

DKEY authentication has the highest priority and does not need to be enabled in the authentication policy.
None, Username/Password and SSO need to be enabled in the authentication policy.
Step 1 (IP/MAC binding)
1. Add a group named "OFFICE"
2. Configure authentication policy
Note: in a layer 3 core switch environment, "MAC Filtering Across L3 Switch" must be enabled.
Step 2 (Username/Password)
1. Add a group named "PUBLIC" and an authentication policy
2. Add a new user
Step 3 (DKEY Authentication)
1. Add a DKEY user.
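The scenario's policy selection by source subnet and the IP/MAC binding check for the OFFICE group, simulated as an added Python example (not Sangfor's code). The policy table, the binding table, the function names and the `mac_visible` flag are assumptions constructed for the demo; the flag models the layer 3 case the note above refers to, where a routed hop replaces the client's source MAC and the device cannot verify a binding unless "MAC Filtering Across L3 Switch" is enabled.

```python
"""Added example (not Sangfor code): authentication policy selection by source
subnet for the OFFICE/PUBLIC scenario, plus the IP/MAC binding check.
Policy names, the binding table and the sample sessions are constructed."""
import ipaddress

# Constructed policy table mirroring the scenario: subnet -> (group, method)
POLICIES = [
    (ipaddress.ip_network("192.168.1.0/24"), "OFFICE", "ip_mac_binding"),
    (ipaddress.ip_network("192.168.2.0/24"), "PUBLIC", "password"),
]

# Constructed binding table for OFFICE: each fixed IP is bound to exactly one MAC.
BINDINGS = {
    "192.168.1.10": "00:11:22:33:44:55",
    "192.168.1.11": "00:11:22:33:44:66",
}


def select_policy(src_ip):
    """Return (group, method) for the first policy whose subnet contains src_ip."""
    ip = ipaddress.ip_address(src_ip)
    for net, group, method in POLICIES:
        if ip in net:
            return group, method
    return None, "deny"  # no policy matched: treat the source as unauthenticated


def check_binding(src_ip, src_mac, bindings=BINDINGS):
    """IP/MAC binding: the observed MAC must equal the MAC bound to that IP."""
    bound = bindings.get(src_ip)
    return bound is not None and bound.lower() == src_mac.lower()


def admit(src_ip, src_mac, mac_visible=True):
    """Decide how a new session is handled.

    mac_visible=False models a host behind a layer 3 switch: the frame the IAM
    sees carries the switch's MAC, not the client's, so a binding cannot be
    verified unless "MAC Filtering Across L3 Switch" is enabled on the device.
    """
    group, method = select_policy(src_ip)
    if method == "ip_mac_binding":
        if not mac_visible:
            return (False, "binding unverifiable: MAC not visible across L3 switch")
        if check_binding(src_ip, src_mac):
            return (True, f"{group}: binding matches")
        return (False, f"{group}: IP/MAC mismatch (possible address change)")
    if method == "password":
        # None = not decided yet; the client is redirected to the login page.
        return (None, f"{group}: redirect to username/password page")
    return (False, "no policy")


if __name__ == "__main__":
    print(admit("192.168.1.10", "00:11:22:33:44:55"))   # (True, 'OFFICE: binding matches')
    print(admit("192.168.1.10", "00:11:22:33:44:66"))   # mismatch -> denied
    print(admit("192.168.2.5", "aa:bb:cc:dd:ee:ff"))    # PUBLIC -> redirect to login
    print(admit("192.168.1.10", "00:11:22:33:44:55", mac_visible=False))
```

A mismatch on an OFFICE address is worth logging rather than silently dropping: it is exactly the "user changed their IP or MAC" event the binding requirement exists to catch.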
Password Policy
Indicates whether to enable the password policy to enhance the security of user passwords. After enabling it, you can check the relevant options to impose requirements on the password, such as:
• Password cannot be the same as the username.
• New password cannot be the same as the old one.
• Password length cannot be shorter than a certain number of characters.
• Password must contain letters, numeric digits and special characters.
Password Policy
Client change password:
Force the client to change the password after the initial authentication
 Background: when users are imported or added in large numbers with the same initial password, it is dangerous.
 Solution: force the client to change the password after the initial authentication.
 Attention:
• 1. Only takes effect for local password authentication users.
• 2. After the initial authentication, the page redirects to the password modification page; otherwise the user cannot access the Internet.
Change password after the initial authentication
• When the IAM enables "Change password after the initial authentication", the page redirects after the initial authentication to the location shown below:

Attention:
(1) This page is a static page; it does not automatically jump back to the previously visited page.
(2) The modified password may take effect only after a 30-second delay.
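The four policy rules listed under Password Policy and the "change password after the initial authentication" gate, combined in one added Python example (not Sangfor's code). The minimum length of 8, the salted PBKDF2 storage, and the names User, login and change_password are assumptions for the demo; the gate is applied only to local users, as the slide states.

```python
"""Added example (not Sangfor code): the four password-policy rules on the
slide, and the "change password after the initial authentication" gate that
applies only to local password users. Names such as User, login and
change_password are assumptions for this demo."""
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass

MIN_LENGTH = 8  # the slide only says "certain characters"; 8 is this example's choice


def policy_violations(username, new_password, old_password=None, min_length=MIN_LENGTH):
    """Return the rules a candidate password breaks; an empty list means compliant."""
    problems = []
    if new_password == username:
        problems.append("same as username")
    if old_password is not None and new_password == old_password:
        problems.append("same as old password")
    if len(new_password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    has_letter = any(c.isalpha() for c in new_password)
    has_digit = any(c.isdigit() for c in new_password)
    has_special = any(c in string.punctuation for c in new_password)
    if not (has_letter and has_digit and has_special):
        problems.append("must contain letters, digits and special characters")
    return problems


def _hash(password, salt):
    # Salted PBKDF2 so the user record never holds the clear-text password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class User:
    username: str
    salt: bytes
    pw_hash: bytes
    must_change: bool = True  # set for bulk-imported users sharing one initial password
    local: bool = True        # the gate only affects local password authentication users


def make_user(username, password, must_change=True, local=True):
    salt = secrets.token_bytes(16)
    return User(username, salt, _hash(password, salt), must_change, local)


def _verify(user, password):
    return hmac.compare_digest(_hash(password, user.salt), user.pw_hash)


def login(user, password):
    """Return the page the client is sent to after the login attempt."""
    if not _verify(user, password):
        return "login"            # wrong password: stay on the login page
    if user.local and user.must_change:
        return "change-password"  # Internet access withheld until the password is changed
    return "internet"


def change_password(user, old_password, new_password):
    """Enforce the policy; on success store the new hash and clear must_change.
    Returns the list of violations (empty on success)."""
    if not _verify(user, old_password):
        return ["old password incorrect"]
    problems = policy_violations(user.username, new_password, old_password)
    if not problems:
        user.salt = secrets.token_bytes(16)
        user.pw_hash = _hash(new_password, user.salt)
        user.must_change = False
    return problems


if __name__ == "__main__":
    u = make_user("alice", "Init#1234")            # constructed bulk-import user
    print(login(u, "Init#1234"))                   # change-password
    print(change_password(u, "Init#1234", "alice"))  # policy violations
    print(change_password(u, "Init#1234", "Fresh#Pass7"))  # []
    print(login(u, "Fresh#Pass7"))                 # internet
```

The demo applies the new password instantly; on the device itself the slide warns that the change may take up to 30 seconds to take effect, so a client that logs in again immediately after changing may still be matched against the old credential for that window.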
User Logout
How to log out an authenticated user
Web console:
1. Force logout (DKey users, temporary users and users that need not be authenticated cannot be logged out!)
2. Automatically log out a user who generates no traffic within a specified period (works for all kinds of authenticated users).
3. Display the logout page after successful password authentication (only works for Username/Password).
4. After the user passes authentication, the page is redirected to the "Logout page", where the user clicks the logout button.
5. The client logs out manually by entering http://IAMIP to open the logout page and clicking the logout button (only works for Username/Password or SSO authentication users).
Practice
A hotel has a Layer 2 network (192.168.1.0/24) in which each computer is assigned a fixed IP address. Staff must be able to surf the Internet only from their own computer, so that network behaviour can be traced to people. Guest-room users should use username/password authentication.

Advice:
• Employees' computers use IP/MAC binding.
• Others use Username/Password.
FAQ

1. What authentication modes can the IAM support?

2. Why should we enable SNMP when the customer wants to bind IP/MAC across a layer 3 core switch?

3. Under what conditions will the user password policy not take effect?

www.sangfor.com

Sangfor Technologies (Headquarters)


Block A1, Nanshan iPark, No.1001
Xueyuan Road, Nanshan District,
Shenzhen, Guangdong Province,
P. R. China (518055)
