Chapter 13 Configuring AAA Servers and the Local Database
Supporting a Zone Labs Integrity Server
Cisco Security Appliance Command Line Configuration Guide, OL-10088-01, page 13-16

Using certificates

If user digital certificates are configured, the security appliance first validates the certificate. It does not, however, use any of the DNs from the certificates as a username for the authentication.

• If both authentication and authorization are enabled, the security appliance uses the user login credentials for both user authentication and authorization.
  – Authentication
    Enabled by authentication server group setting
    Uses the username and password as credentials
  – Authorization
    Enabled by authorization server group setting
    Uses the username as a credential

• If authentication is disabled and authorization is enabled, the security appliance uses the primary DN field for authorization.
  – Authentication
    DISABLED (set to None) by authentication server group setting
    No credentials used
  – Authorization
    Enabled by authorization server group setting
    Uses the username value of the certificate primary DN field as a credential

Note If the primary DN field is not present in the certificate, the security appliance uses the secondary DN field value as the username for the authorization request.

For example, consider a user certificate that contains the following Subject DN fields and values:

Cn=anyuser,OU=sales;O=XYZCorporation;L=boston;S=mass;C=us;ea=anyuser@example.com

If the Primary DN = EA (E-mail Address) and the Secondary DN = CN (Common Name), then the username used in the authorization request would be anyuser@example.com.

Supporting a Zone Labs Integrity Server

This section introduces the Zone Labs Integrity Server, also called Check Point Integrity Server, and presents an example procedure for configuring the security appliance to support the Zone Labs Integrity Server. The Integrity Server is a central management station for configuring and enforcing security policies on remote PCs. If a remote PC does not conform to the security policy dictated by the Integrity Server, it will not be granted access to the private network protected by the Integrity Server and security appliance.

This section includes the following topics:
• Overview of Integrity Server and Security Appliance Interaction, page 13-17
• Configuring Integrity Server Support, page 13-17
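The username-selection rules under "Using certificates" above, worked through in code. This is an added example, not code from the Cisco guide or from the security appliance: it parses a Subject DN string in the form the guide's example uses, applies the primary/secondary DN fallback, and shows which credentials each AAA request carries in the two cases the guide lists. The function names, the DN parser's tolerance of both ',' and ';' separators, and the fail-closed result when neither DN field is present are assumptions made here. Because the chosen DN field becomes the authorization identity once the certificate validates, the field configured as primary should be one the issuing CA actually vets.

```python
import re
from typing import Dict, Optional

# Subject DN taken from the guide's own example.
EXAMPLE_SUBJECT = "Cn=anyuser,OU=sales;O=XYZCorporation;L=boston;S=mass;C=us;ea=anyuser@example.com"


def parse_subject_dn(subject: str) -> Dict[str, str]:
    """Split a Subject DN string into an {ATTRIBUTE: value} mapping.

    The guide's example mixes ',' and ';' as RDN separators and mixes the
    case of attribute names ('Cn', 'ea'), so both separators are accepted
    and attribute names are upper-cased. Values are kept verbatim.
    Assumption/simplification: RFC 4514 escaping of separators inside a
    value (e.g. 'O=Acme\\, Inc.') is not handled.
    """
    fields: Dict[str, str] = {}
    for rdn in re.split(r"[,;]", subject):
        rdn = rdn.strip()
        if not rdn:
            continue
        name, sep, value = rdn.partition("=")
        if not sep or not name.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        fields[name.strip().upper()] = value.strip()
    return fields


def authz_username_from_certificate(subject: str, primary_dn: str,
                                    secondary_dn: Optional[str] = None) -> Optional[str]:
    """Pick the authorization username the way the guide describes.

    The primary DN field wins; when it is absent from the certificate the
    secondary DN field is used instead. If neither is present the guide
    gives no rule, so None is returned and the caller must treat the
    request as having no username (assumption: fail closed).
    """
    fields = parse_subject_dn(subject)
    value = fields.get(primary_dn.upper())
    if value:
        return value
    if secondary_dn:
        return fields.get(secondary_dn.upper()) or None
    return None


def aaa_credentials(auth_enabled: bool, authz_enabled: bool,
                    login_username: Optional[str], login_password: Optional[str],
                    cert_subject: str, primary_dn: str,
                    secondary_dn: Optional[str] = None) -> Dict[str, Optional[dict]]:
    """Credentials carried by each AAA request in the two cases the guide lists.

    Both enabled: the login username/password authenticate and the login
    username authorizes. Authentication disabled, authorization enabled:
    no authentication request, and the certificate DN field authorizes.
    Other combinations are not described by the guide and yield no
    requests here (assumption).
    """
    result: Dict[str, Optional[dict]] = {"authentication": None, "authorization": None}
    if auth_enabled and authz_enabled:
        result["authentication"] = {"username": login_username, "password": login_password}
        result["authorization"] = {"username": login_username}
    elif not auth_enabled and authz_enabled:
        result["authorization"] = {
            "username": authz_username_from_certificate(cert_subject, primary_dn, secondary_dn)
        }
    return result


if __name__ == "__main__":
    # Primary DN = EA, secondary DN = CN, as in the guide's example.
    print(authz_username_from_certificate(EXAMPLE_SUBJECT, "EA", "CN"))
    # A certificate with no e-mail address falls back to the CN value.
    print(authz_username_from_certificate("CN=anyuser,OU=sales,O=XYZCorporation", "EA", "CN"))
```

Run the module directly to see the guide's example resolve to anyuser@example.com and the fallback case resolve to the CN value; a certificate carrying neither configured field yields no username, which a deployment should treat as an authorization failure rather than silently substituting another field.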