Chapter 3 Authentication for FortiOS 5.0 : SSO using RADIUS accounting records : Creating security policies
Creating security policies
RADIUS SSO uses regular identity-based security policies. The RSSO user group you specify determines which users are permitted to use the policy. You can create multiple authentication rules so that various user groups can have different UTM features enabled, different permitted services, schedules, and so on.
To create a security policy for RSSO - web-based manager
1. Go to Policy > Policy > Policy.
2. Select Create New.
3. Enter the following information.
   Policy Type: Firewall
   Policy Subtype: User Identity
   Incoming Interface, Source Address, Outgoing Interface: as needed
   Enable NAT: Selected
4. In Configure Authentication Rules, select Create New and enter:
   Destination Address: all
   Group(s): Select the user groups you created for RSSO. See “Defining local user groups for RADIUS SSO”.
   User(s): not used
   Schedule, Service: as needed
   Action: ACCEPT
   UTM Security Profiles: Select UTM security profiles appropriate for the user group.
5. Select OK.
6. Repeat steps 4 and 5 for each user group that is allowed to use this security policy. Schedule, Service, and UTM profiles can be different for each group.
7. Select OK.
Security policies are evaluated from the top of the list down, so to ensure that an RSSO-related policy is matched first, place it higher in the security policy list than more general policies for the same interfaces.
To create a security policy for RSSO - CLI
In this example, an internal network to Internet policy enables web access for members of a student group and activates the appropriate UTM profiles.
config firewall policy
    edit 0
        set srcintf internal
        set dstintf wan1
        set srcaddr all
        set action accept
        set rsso enable
        set identity-based enable
        set nat enable
        config identity-based-policy
            edit 1
                set schedule always
                set utm-status enable
                set groups "RSSO-student"
                set dstaddr "all"
                set service HTTP HTTPS
                set av-profile students
                set webfilter-profile students
                set spamfilter-profile students
                set dlp-sensor default
                set ips-sensor default
                set application-list students
                set profile-protocol-options "default"
        end
    end
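One way to audit the policy-ordering requirement described above, as an added example that is not part of the Fortinet guide, is a small Python check that parses a "config firewall policy" dump in the CLI form shown and reports any RSSO policy sitting below a more general policy on the same interface pair. The policy IDs and interface names in the constructed sample are assumptions.

```python
# Added example (not from the Fortinet guide): parse a FortiOS 'config firewall
# policy' dump and flag RSSO policies shadowed by an earlier, more general one.
def parse_policies(cli_text):
    """Top-level policies in list order, each a dict of its 'set' values."""
    policies, depth, current = [], 0, None
    for raw in cli_text.splitlines():
        word, _, rest = raw.strip().partition(" ")
        if word == "config":      # nested blocks such as identity-based-policy
            depth += 1            # are tracked by depth and otherwise skipped
        elif word == "end":
            depth -= 1
        elif word == "edit" and depth == 1:
            policies.append(current := {"id": rest.strip('"')})
        elif word == "set" and depth == 1 and current is not None:
            key, _, value = rest.partition(" ")
            current[key] = value.replace('"', "")
    return policies

def shadowed_rsso(policies):
    """(rsso_id, earlier_id) pairs where a broader non-RSSO policy matches first."""
    path = lambda p: (p.get("srcintf"), p.get("dstintf"))
    findings = []
    for i, pol in enumerate(policies):
        if pol.get("rsso") != "enable":
            continue
        for earlier in policies[:i]:   # policies are evaluated top-down
            if (path(earlier) == path(pol) and earlier.get("rsso") != "enable"
                    and earlier.get("srcaddr") in ("all", pol.get("srcaddr"))):
                findings.append((pol["id"], earlier["id"]))
    return findings

# Constructed sample (assumed IDs): general policy 1 sits above the student
# RSSO policy 2 on the same internal -> wan1 path, so policy 2 is never reached.
SAMPLE = """config firewall policy
    edit 1
        set srcintf internal
        set dstintf wan1
        set srcaddr all
    next
    edit 2
        set srcintf internal
        set dstintf wan1
        set srcaddr all
        set rsso enable
        config identity-based-policy
            edit 1
                set groups "RSSO-student"
        end
    next
end"""
```

Moving the RSSO policy above the general one (or narrowing the general policy's source) clears the finding.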