Configuring an Authentication Profile

Select Configuration > System > Authentication > Profiles to configure an authentication profile based on a connection profile that you have created. You can also create authentication profiles that apply to specific destination sites.

If you want to create an authentication profile that is based on a connection profile, you must also create a profile using the Connection Profile Editor. For more information, see “Adding a Connection Profile.”

Important

Features on the Profiles tab are not available unless Active Directory is enabled. For more information, see “Configuring Active Directory Access.”

If there are multiple authentication profiles configured, the first one in the list that matches is used. Consider an appliance that has two authentication profiles: one that causes an IP range to authenticate using SSO (SSOprofile), and another that exempts specific client applications from authentication (ExemptApps). If SSOprofile is listed before ExemptApps, then ExemptApps will never be used for a system in that IP range. In this example, you would want to move ExemptApps up in precedence so that it is listed before SSOprofile.

  1. Click Add.

    The Authentication Profile Editor is displayed.

  2. Choose a connection type.

    Select Apply to all connections

    or

    Select Apply to only the following connection profiles

    1. Select a connection profile from the drop-down list, or type a portion of the profile name in the text box.

      Important Connection profiles are used to define a set of connection sources that can be referenced in authentication profiles. You must configure a connection profile on the System: Connection Profiles page in order to select it here.
    2. Click Add.

    Repeat these steps to add multiple connection profiles.

  3. Click Next.
  4. Choose which destinations the profile will cover.

    Select Apply to all destinations

    or

    Select Apply to only the following destinations

    1. In the Destination Sites text box, enter the domain, hostname, or IP address of the site. This text box also accepts both path names and wildcards.
    2. Click Add Site.

    Repeat these steps to add multiple sites.

    Note There is an "and" relationship between selected connections and destinations.
  5. Click Next.
  6. Choose an authentication method.

    Select Bypass authentication (Web traffic is filtered according to IP-based policy rules.)

    or

    Select Authenticate using (Depending on the options selected, authentication can be performed for both Active Directory users and guest users.)

    • Single Sign On: Users can authenticate with their stored Active Directory credentials. If the appliance is configured to allow access as a result of authentication failure (see step 7), users can still gain entry to the network as guests.
      • Perform SSO for Mac: When this option is selected, single sign on authentication is performed for Mac OS X systems using Kerberos. Before you select it, you must configure your Active Directory server to support Kerberos authentication. For instructions, see “Configuring Active Directory to Support Kerberos for Mac OS X.”
      • Authenticate all requests: Select this option to authenticate all user and client application requests against Active Directory.

        This option only takes effect if the appliance is deployed in “Explicit” mode. For more information about deployment modes, see “Network Deployment.”

        If this check box is cleared, the appliance authenticates requests from supported end user browsers against Active Directory, and uses cached information to authenticate requests from client applications.

    • Captive Portal: Select this option to allow access through a special web page. If enabled, users are automatically redirected to this page if single sign on fails or single sign on is turned off. If the appliance is configured to allow access as a result of authentication failure (see the next step), users can gain entry to the network through a guest link on the portal page.
      • Enforce a timeout: Specify the number of hours and minutes for which the users will remain authenticated. The default is 1 hour, after which the session times out.
  7. Choose an authentication failure method.
    • Block access: Do not permit unauthenticated access. If single sign on fails or it is turned off, a web browser pop-up is displayed, prompting for credentials.
    • Allow access: If single sign on fails, allow access using IP-based policy rules. If the Captive Portal feature is turned on, the login page contains a link to gain access as a guest user.
  8. In the Authentication profile name text box, enter a meaningful name for the profile (for example, "Mobile Devices").
  9. Click Save.

To activate the profile, click the Turn On button for that profile name.

To deactivate the profile, click Turn Off beside the profile name.

To delete a profile, select the check box next to the profile name, and click Delete.

To change the priority of a profile, click the up or down arrow next to the profile name to increase or decrease its ranking. Click Save Order to preserve the re-arranged profile ranking, or click Reset Order to revert to the last saved order.
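The following Python script is an added example, not part of the product documentation or the appliance's own code. It models the evaluation rules this page describes: profiles are checked in list order and the first match wins; a profile matches only when both its connection condition and its destination condition hold (the "and" relationship in step 4); and each profile carries an authentication method (step 6) and a failure handling choice (step 7). The connection profile names (CorpLAN, UpdateAgents), the destination entries, the IP ranges and the client-application name are all constructed for the example. How the real appliance represents connection sources and how it interprets wildcards and paths in Destination Sites entries is not specified on this page, so those matching rules are assumptions.

```python
"""Added example: first-match selection among ordered authentication profiles.

Assumptions (not stated on the page): a connection profile is modelled as IP
networks and/or client-application names, all of which must hold; a Destination
Sites entry is a host (domain, hostname or IP) with an optional path, and '*'
wildcards are matched with fnmatch.
"""
import fnmatch
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ConnectionProfile:
    """A set of connection sources (System: Connection Profiles page)."""
    name: str
    networks: list = field(default_factory=list)     # e.g. ["10.20.0.0/16"]
    client_apps: list = field(default_factory=list)  # e.g. ["UpdateAgent"]

    def matches(self, client_ip: str, client_app: str) -> bool:
        ip = ipaddress.ip_address(client_ip)
        ip_ok = not self.networks or any(ip in ipaddress.ip_network(n) for n in self.networks)
        app_ok = not self.client_apps or client_app in self.client_apps
        return ip_ok and app_ok


def destination_matches(pattern: str, host: str, path: str) -> bool:
    """Match one Destination Sites entry against the request host and path."""
    host_pat, _, path_pat = pattern.partition("/")
    if not fnmatch.fnmatchcase(host.lower(), host_pat.lower()):
        return False
    if not path_pat:
        return True  # an entry without a path covers the whole site
    return fnmatch.fnmatchcase(path, "/" + path_pat)


@dataclass
class AuthProfile:
    name: str
    connections: Optional[list] = None    # None = "Apply to all connections"
    destinations: Optional[list] = None   # None = "Apply to all destinations"
    method: str = "authenticate"          # or "bypass"
    on_failure: str = "block"             # or "allow"

    def matches(self, conn_profiles: dict, client_ip, client_app, host, path) -> bool:
        # "and" relationship: the connection test AND the destination test must both hold
        conn_ok = self.connections is None or any(
            conn_profiles[c].matches(client_ip, client_app) for c in self.connections)
        dest_ok = self.destinations is None or any(
            destination_matches(d, host, path) for d in self.destinations)
        return conn_ok and dest_ok


def select_profile(ordered_profiles, conn_profiles, client_ip, client_app, host, path="/"):
    """The first profile in list order whose conditions match wins; None if none match."""
    for profile in ordered_profiles:
        if profile.matches(conn_profiles, client_ip, client_app, host, path):
            return profile
    return None


# Constructed sample configuration (names, ranges and hosts are invented).
CONNECTION_PROFILES = {
    "CorpLAN": ConnectionProfile("CorpLAN", networks=["10.20.0.0/16"]),
    "UpdateAgents": ConnectionProfile("UpdateAgents", client_apps=["UpdateAgent"]),
}
SSO_PROFILE = AuthProfile("SSOprofile", connections=["CorpLAN"], on_failure="block")
EXEMPT_APPS = AuthProfile("ExemptApps", connections=["UpdateAgents"], method="bypass")
VENDOR_PORTAL = AuthProfile("VendorPortal", destinations=["*.vendor.example/portal/*"],
                            on_failure="allow")

WRONG_ORDER = [SSO_PROFILE, EXEMPT_APPS, VENDOR_PORTAL]  # SSOprofile listed first
FIXED_ORDER = [EXEMPT_APPS, SSO_PROFILE, VENDOR_PORTAL]  # ExemptApps moved up


def decide(order, client_ip, client_app, host, path="/"):
    """Return (profile name, method, failure handling) for a request, or None."""
    p = select_profile(order, CONNECTION_PROFILES, client_ip, client_app, host, path)
    return None if p is None else (p.name, p.method, p.on_failure)


if __name__ == "__main__":
    # An update agent on the corporate LAN: the ordering decides whether it is exempted.
    for label, order in (("wrong order", WRONG_ORDER), ("fixed order", FIXED_ORDER)):
        print(label, decide(order, "10.20.1.5", "UpdateAgent", "updates.example"))
```

Running the script shows the situation the precedence paragraph warns about: with SSOprofile listed first, a request from an exempted client application inside the SSO IP range is still handled by SSOprofile, and only after ExemptApps is moved above it does the bypass take effect. A request that matches no profile returns None here; what the appliance does in that case is not covered on this page.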