
Authentication Services / Active Directory

FormerMember

Hello everyone,

I have configured our AD as an authentication server on my UTM. The connection also works without problems.

But now a question of understanding: shouldn't every domain user now be findable under "Users", or rather, when a domain user is deleted, shouldn't that user also disappear from the UTM? Don't they synchronize with each other?



  • Good day,

    The auth server initially only provides a means of authentication. A user could only be created once an authentication actually takes place. (This is not to be equated with a synchronization with the AD.)

    To have users created, there is the option "Create users automatically" under the global settings for authentication.

    (When this option is activated, the system will automatically create user objects whenever an unknown user successfully authenticates to a backend mechanism.)

    Try enabling this and authenticating a user; the UTM will then create the user.

    Best regards

    Alex


  • FormerMember in reply to Alexander Busch

    Hi,

    Thanks for the quick reply. The setting "Create users automatically" is already set on my side.

    But how do I proceed if, for example, I want to add a user from the AD under "Authenticated Relay" who is not yet known to the UTM? Create it manually?

  • UTM has several types of users

    • Local users with local authentication
    • Local users with backend authentication
    • Remote or Implicit Users

    The general rule is that you must have a local object for it to be used in the UTM configuration.

    For web filtering with A.D. or LDAP authentication, all of your Active Directory accounts are immediately enabled as Remote Users.

    You will probably want to control what different users can do while using web filtering, and for this you want groups.  UTM has only two types of groups:

    • Local Groups with Local Users
    • Local Groups with Backend Membership

    For Active Directory, I recommend putting users in Active Directory groups, then create UTM groups which reference the A.D. group for backend membership.   This allows you to continue using Implicit Users for web filtering.

    You need to upgrade an "Implicit User" to a "Local User with backend authentication" for these situations:

    • The user needs OTP, because the OTP information is stored in a UTM user object, not in Active Directory.  I strongly recommend using two-factor authentication for remote access, and UTM OTP allows any user at no extra cost.
    • The user needs Client VPN access, where UTM generates a certificate for the user.
    • The user needs to be added to a Local Group (one that does not have backend membership).    As an example, the RADIUS authentication method supports remote user authentication but does not support backend group membership.  So people using this method have to create local groups and then populate them using "Local users with backend authentication".

    The option to "automatically create local users" will cause UTM to create a local user when an Implicit User signs into the User Portal and UTM determines that a local user object is needed.

    You can also create local users manually, with either local or remote authentication.   For example, in a highly controlled environment, you may not want to allow users to access the User Portal until after they have been enrolled for OTP by a system administrator.   The system administrator would create the local user, create the OTP token, configure the user's phone, and only then enable access to the User Portal.

    Once a Local User is created, it never goes away.   Of course, if it is remotely authenticated, the account will stop working as soon as the backend account is disabled or deleted.   UTM cleanup will be a manual process.

    You can also choose to synchronize UTM with Active Directory, which causes Local User objects to be created before they are needed.  It is only recommended in specific situations.   Read item 6 from this post for more details.  (The other items are also valuable to know.)

    https://community.sophos.com/products/unified-threat-management/f/general-discussion/22065/rulz?pi2353=1
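The reply above notes that a local user with backend authentication never disappears on its own and that cleanup after an AD account is disabled or deleted is manual. The following script is an added example (not from the thread or from Sophos) that performs that audit offline: it takes a constructed list of UTM local users and a constructed list of AD accounts and reports backend-authenticated UTM users whose AD account is missing or carries the ACCOUNTDISABLE flag. The input shapes are assumptions, not a UTM or AD export format.

```python
"""Report UTM local users whose Active Directory backend account is gone or disabled.

Assumed inputs (constructed for this example, not a UTM or AD export format):
  utm_users: dicts with 'name' and 'auth' ('local' or 'backend')
  ad_users:  dicts with 'sAMAccountName' and 'userAccountControl'
"""

ACCOUNTDISABLE = 0x0002  # userAccountControl bit set on disabled AD accounts

# Constructed sample data
UTM_USERS = [
    {"name": "alice", "auth": "backend"},
    {"name": "bob", "auth": "backend"},      # deleted in AD below
    {"name": "carol", "auth": "backend"},    # disabled in AD below
    {"name": "svc-local", "auth": "local"},  # local auth, never compared to AD
]
AD_USERS = [
    {"sAMAccountName": "alice", "userAccountControl": 512},
    {"sAMAccountName": "carol", "userAccountControl": 514},
]


def find_stale_backend_users(utm_users, ad_users):
    """Return {utm_name: reason} for backend-authenticated UTM users whose
    AD account is missing or disabled. Local-auth users are skipped because
    they are unaffected by AD changes."""
    ad_by_name = {u["sAMAccountName"].lower(): u for u in ad_users}
    stale = {}
    for user in utm_users:
        if user["auth"] != "backend":
            continue
        entry = ad_by_name.get(user["name"].lower())
        if entry is None:
            stale[user["name"]] = "missing in AD"
        elif entry["userAccountControl"] & ACCOUNTDISABLE:
            stale[user["name"]] = "disabled in AD"
    return stale


if __name__ == "__main__":
    # Prints the candidates an administrator would review before deleting them on the UTM
    for name, reason in find_stale_backend_users(UTM_USERS, AD_USERS).items():
        print(f"{name}: {reason}")
```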