Authentication Overview
Zone Access is CyberEdge’s authentication system, designed to control access to the network and the configured network zones. Outlined below are the supported configurations and recommendations for enabling authentication on CyberEdge devices. By default, authentication on the CyberEdge is disabled. Before enabling authentication, network administrators should decide on an authentication strategy that best suits their environment. This includes:
- The network zones that require authentication
- The users and groups that require authentication to access the network and the internet
- The network connections, target networks, IPs and/or network zones that are to be excluded from authentication
- The directory service provider configuration details
- The authentication method best suited to your network
An authentication session is established by creating an IP-address-to-username mapping in the authentication database. Authentication session attributes include the username, IP address, creation method and the start time of the session. In an HA (High Availability) configuration, authentication sessions are established on the Active node only and replicated to the Passive node.
To enable authentication, go to Authentication > Zone Access > Authentication Enabled
Authentication Process
The authentication process is triggered when any packet is received in a network zone where authentication has been enabled and configured. If authentication has not been configured, all packets will be dropped, except those matching a specific authentication exclusion based on source or destination. CyberEdge’s authentication system is designed to authenticate users as quickly and efficiently as possible. As such, the following methodology is used when authenticating a user:
- Priority is given to any of the automated passthrough authentication methods
- If a single passthrough authentication method has been configured, it takes priority. If it is unable to obtain valid data and authenticate a user, the captive portal will be used as the fallback method of authentication
- If more than one method of passthrough authentication has been configured, CyberEdge will process authentication requests asynchronously. The first authentication method to return valid data will be used to create the session. This reduces unnecessary delays in session creation
- If more than one authentication method returns a valid response, the first response will create the session. All subsequent responses will be discarded unless they contain different user data to the active session. In that case, the active session will be updated with the most recent data. However, if this is occurring, it suggests a problem with your network setup
- If all automated passthrough methods cannot obtain valid user data and authenticate a user, the captive portal will be used as the fallback method of authentication
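The method-selection rules above, as an added illustration (not CyberEdge product code): every configured passthrough method is queried concurrently, the first valid response creates the session, a later response with different user data updates the session but is recorded as a conflict, and the captive portal is only consulted when every passthrough method fails. The method names, the Session dataclass and the simulated passthrough functions are assumptions constructed for this example.

```python
"""Model of the passthrough-first authentication flow.

Added illustration, not CyberEdge product code. The method names, the
Session dataclass and the simulated passthrough functions are assumptions
constructed for this example.
"""
import asyncio
import time
from dataclasses import dataclass, field
from typing import Awaitable, Callable, Optional

# A passthrough method resolves an IP address to a username, or returns None
# when it cannot obtain valid data for that address.
PassthroughMethod = Callable[[str], Awaitable[Optional[str]]]


@dataclass
class Session:
    ip: str
    username: str
    creation_method: str
    start_time: float
    # Later responses that carried different user data. A non-empty list means
    # the session was updated and points at a problem in the network setup.
    conflicts: list = field(default_factory=list)


async def authenticate(ip: str,
                       passthrough: dict[str, PassthroughMethod],
                       captive_portal: PassthroughMethod,
                       now: Optional[float] = None) -> Optional[Session]:
    """Race all configured passthrough methods; fall back to the captive portal."""
    now = time.time() if now is None else now
    session: Optional[Session] = None

    async def run(name: str, method: PassthroughMethod):
        return name, await method(ip)

    # All passthrough methods are queried at once; results are handled in
    # completion order, so the fastest method with valid data wins.
    tasks = [asyncio.create_task(run(name, m)) for name, m in passthrough.items()]
    for finished in asyncio.as_completed(tasks):
        name, username = await finished
        if username is None:
            continue  # no valid data from this method
        if session is None:
            # First valid response creates the session.
            session = Session(ip, username, name, now)
        elif username != session.username:
            # Different user data from a second source: update the session,
            # but record the disagreement because it indicates misconfiguration.
            session.conflicts.append((name, username))
            session.username = username
        # A later response carrying identical user data is discarded.

    if session is None:
        # Every passthrough method failed: the captive portal is the fallback.
        username = await captive_portal(ip)
        if username is not None:
            session = Session(ip, username, "captive_portal", now)
    return session


def authenticate_sync(ip, passthrough, captive_portal, now=None):
    """Blocking wrapper around authenticate() for scripts and tests."""
    return asyncio.run(authenticate(ip, passthrough, captive_portal, now))


def simulated_method(delay: float, result: Optional[str]) -> PassthroughMethod:
    """Fake passthrough method answering `result` after `delay` seconds (constructed)."""
    async def method(ip: str) -> Optional[str]:
        await asyncio.sleep(delay)
        return result
    return method


if __name__ == "__main__":
    methods = {
        "cisco_ise_syslog": simulated_method(0.05, None),   # no logon seen for this IP
        "ad_passthrough": simulated_method(0.01, "alice"),  # answers first with valid data
    }
    print(authenticate_sync("10.0.0.5", methods, simulated_method(0.0, "portal-user"), now=100.0))
```

When `conflicts` is non-empty after a run, two sources disagreed about who is behind an IP address; that is the condition the text says indicates a problem with the network setup, and it is worth alerting on rather than silently accepting the most recent answer.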
Note
- To view authentication sessions, go to Status > Sessions. You can filter by creation method
- To view authentication logging, go to Status > Log Viewer > Authentication
- To view detailed authentication data over time, go to the reporting application and view the authentication data source
Authentication Methods
CyberEdge provides several passthrough methods to successfully authenticate users to the network. These include:
- RADIUS 802.1x Authentication
- Captive Portal
- Active Directory Passthrough Authentication
- SSH Passthrough Authentication
- Cisco ISE Authentication (via syslog)
- FortiGate Authentication
Authentication Sessions
When a user is successfully authenticated by the CyberEdge using any authentication method, a user authentication session is created. Active user authentication sessions can be viewed at Status > Sessions. Active session information includes:
- User: The username for an active authentication session
- IP address: The IP address mapped to the username for an active authentication session
- Creation Method: The authentication method that was used to create the authentication session (e.g. Client-to-Site VPN or RADIUS)
- Start time: The time the authentication session was created
Managing Sessions
The duration of user authentication sessions is determined by the session timeout value set within the authentication method that initiated the session. These session timeouts are calculated by adding the session timeout value to the timestamp of the last packet received from a particular IP address.
Authentication sessions can be manually ended. To log out a session, navigate to:
- Status > Sessions
- Using the filter, find the user session you wish to end
- Select the user or users and click "Logout selected"
- The authentication session will be terminated
Authentication sessions can be manually ended in bulk. To log out sessions in bulk, navigate to:
- Status > Sessions
- Using the filter, find the user sessions you wish to end
- Click "Logout selected"
- The authentication sessions will be terminated
Info
- When necessary, administrators have the option to terminate all authentication sessions by choosing the "Logout all" function. However, in the case of large networks, it is strongly recommended to exercise caution and refrain from executing the "Logout all" action to minimize the potential disruption caused by automated mass re-authentication events
- Users will be automatically re-authenticated or served the captive portal depending on the CyberEdge authentication configuration
Refresh Session Cache
Starting from Version 0.16.0, the default configuration for the CyberEdge authentication cache, which handles user group reference data, is set to 60 minutes. This enhancement boosts the performance of the authentication system. Although the authentication cache is automatically refreshed at regular intervals, an administrator has the option to manually update the authentication session cache to instantly apply any user group changes. To refresh a user's authentication session cache, navigate to:
- Status > Sessions
- Using the filter, select the user session you wish to refresh
- Click "Update selected"
- The cache for the selected session will be immediately updated to reflect group membership changes
Info
- Refreshing the authentication cache does not terminate active authentication sessions and can be safely performed at any time
- When created, authentication sessions are uniquely keyed. Therefore, in cases where a user has multiple active authentication sessions that need to be refreshed, it is necessary to select all of the user's sessions for updating
- Refreshing a session cache is session-specific and does not affect the full authentication cache
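The session semantics from "Managing Sessions" (expiry is the last packet time plus the creating method's timeout, and "Logout selected" versus "Logout all") and from "Refresh Session Cache" (sessions are uniquely keyed, and "Update selected" reloads group data for the chosen sessions only, without ending them), as one added illustration that is not CyberEdge product code. Keying sessions by IP address, the in-memory directory lookup that stands in for the directory service, and the sample data are assumptions constructed for this example.

```python
"""Model of the authentication session table.

Added illustration, not CyberEdge product code. Keying sessions by IP
address, the in-memory directory lookup and the sample data are assumptions
constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass
class Session:
    ip: str
    username: str
    creation_method: str
    start_time: float
    timeout: float       # timeout of the method that created the session, in seconds
    last_packet: float   # timestamp of the last packet received from this IP
    groups: Tuple[str, ...] = ()  # cached group membership, refreshed per session

    def expires_at(self) -> float:
        # The timeout is measured from the last packet seen, not from creation.
        return self.last_packet + self.timeout

    def is_active(self, now: float) -> bool:
        return now < self.expires_at()


class SessionTable:
    def __init__(self, directory: Dict[str, Tuple[str, ...]]):
        # `directory` stands in for the directory service: username -> groups.
        self.directory = directory
        self.sessions: Dict[str, Session] = {}  # one session per IP address (assumed key)

    def create(self, ip: str, username: str, method: str, timeout: float, now: float) -> Session:
        """Create the IP-to-username mapping and populate its group cache."""
        s = Session(ip, username, method, now, timeout, now, self.directory.get(username, ()))
        self.sessions[ip] = s
        return s

    def packet_seen(self, ip: str, now: float) -> bool:
        """Slide an active session's expiry forward; False when no active session exists."""
        s = self.sessions.get(ip)
        if s is None or not s.is_active(now):
            return False
        s.last_packet = now
        return True

    def expire(self, now: float) -> List[str]:
        """Drop timed-out sessions and return their IPs."""
        gone = [ip for ip, s in self.sessions.items() if not s.is_active(now)]
        for ip in gone:
            del self.sessions[ip]
        return gone

    def logout(self, ips: Iterable[str]) -> int:
        """'Logout selected': end only the chosen sessions; returns how many were ended."""
        count = 0
        for ip in ips:
            if self.sessions.pop(ip, None) is not None:
                count += 1
        return count

    def logout_all(self) -> int:
        """'Logout all': end every session (disruptive on large networks)."""
        count = len(self.sessions)
        self.sessions.clear()
        return count

    def refresh(self, ips: Iterable[str]) -> int:
        """'Update selected': reload group data for the chosen sessions only.

        The sessions stay active; sessions not selected keep their cached groups,
        so a user with several sessions needs all of them selected.
        """
        count = 0
        for ip in ips:
            s = self.sessions.get(ip)
            if s is not None:
                s.groups = self.directory.get(s.username, ())
                count += 1
        return count

    def active(self, now: float, creation_method: Optional[str] = None) -> List[Session]:
        """Sessions still within their timeout, optionally filtered by creation method."""
        return [s for s in self.sessions.values()
                if s.is_active(now) and (creation_method is None or s.creation_method == creation_method)]


if __name__ == "__main__":
    directory = {"alice": ("staff",), "bob": ("staff", "it")}  # constructed sample data
    table = SessionTable(directory)
    table.create("10.0.0.5", "alice", "RADIUS", 3600, 0.0)
    table.create("10.0.0.9", "alice", "AD", 600, 0.0)  # same user on a second device
    table.packet_seen("10.0.0.9", 500.0)
    print([s.ip for s in table.active(700.0)])
```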