User and Group Management
Firebox X Edge e-Series, page 188

User licensing when authentication is not required

A user license is not used when:

- Traffic is passed between the trusted and optional networks.
- Traffic is passed from a computer on the trusted or optional network to a computer on the other end of a Branch Office VPN.
- Incoming traffic of any kind is passed to the Edge protected network.
- Traffic is passed from a computer to the Edge itself, when no user authentication is required for access to the external network.

About user authentication

User authentication is the process of verifying that a user is who he or she claims to be. On the Firebox, the use of passwords allows a user name to be associated with an IP address. This helps the Firebox administrator to monitor connections through the Firebox. With authentication, users can log in to the network from any computer, but get access only to the network ports and protocols for which they are authorized. All the connections that start from that IP address also carry the session name while the user is authenticated.

You can configure the Edge as a local authentication server, or use your existing Active Directory or LDAP authentication server, or an existing RADIUS authentication server. When you use third-party authentication, account privileges for users that authenticate to the third-party authentication servers are based on group membership.

WatchGuard's user authentication feature allows a user name to be associated with a specific IP address to help you authenticate and track a user's connections through the Firebox. With the Firebox, the fundamental question that is asked and answered for each connection is "Should I allow traffic from source X to go to destination Y?"

The WatchGuard authentication feature depends on the relationship between the person using a computer and the IP address of that computer remaining unchanged for the period of time that the person is authenticated to the Firebox. In most environments, the relationship between an IP address and the person that uses it is stable enough to be used to authenticate that person's traffic. Environments in which the association between the person and an IP address is not consistent, such as kiosks or terminal-server-centric networks, are usually not good candidates for the successful use of the user authentication feature: every connection from the shared IP address is attributed to whichever user authenticated from it, whoever is actually at the keyboard. WatchGuard currently provides support for Authentication, Accounting, and Access control (AAA) in its firewall products, based on a stable association between IP address and person.

WatchGuard also supports authentication to an Active Directory domain via Single Sign-On (SSO), and supports other frequently used authentication servers. In addition, inactivity settings and session time limits are supported. These controls restrict the amount of time an IP address is allowed to pass traffic through the Firebox before the user must supply a password again.

If you control SSO access with a white list, set inactivity and session timeouts, and restrict who is allowed to authenticate, you significantly improve your control of authentication, accounting, and access control.
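The following toy model is an added example, not WatchGuard code, and it makes no claim about how the Edge implements its session table. It models the behaviour the text describes: an authenticated session binds a user name and group membership to an IP address, every connection from that IP is attributed to that user and checked against the group policy, and the session ends by inactivity timeout or absolute session timeout. It also shows the two caveats above: a terminal server where an unauthenticated person's traffic is attributed to whoever logged in from the same IP, and an SSO white list that rejects single sign-on from an unlisted address. Group names, port sets, IP addresses and timeout values are constructed for the example.

```python
from dataclasses import dataclass

# Constructed group-to-policy table (an assumption, not a product default):
# destination TCP ports each group is authorized to reach.
GROUP_POLICY = {
    "Sales": {80, 443},
    "IT": {22, 80, 443, 3389},
}


@dataclass
class Session:
    user: str
    groups: frozenset
    login_time: float   # used for the absolute session timeout
    last_seen: float    # used for the inactivity timeout


class AuthTable:
    """IP address -> authenticated session: the binding the text relies on."""

    def __init__(self, idle_timeout, session_timeout, sso_allowlist=None):
        self.idle_timeout = idle_timeout
        self.session_timeout = session_timeout
        self.sso_allowlist = sso_allowlist   # None: SSO accepted from any IP
        self.sessions = {}

    def login(self, ip, user, groups, now, via_sso=False):
        # A white list limits which source IPs may be authenticated by SSO,
        # i.e. without the person typing a password at that moment.
        if via_sso and self.sso_allowlist is not None and ip not in self.sso_allowlist:
            return False
        self.sessions[ip] = Session(user, frozenset(groups), now, now)
        return True

    def _live_session(self, ip, now):
        s = self.sessions.get(ip)
        if s is None:
            return None
        idle_expired = now - s.last_seen > self.idle_timeout
        hard_expired = now - s.login_time > self.session_timeout
        if idle_expired or hard_expired:
            del self.sessions[ip]   # the user must supply the password again
            return None
        return s

    def check(self, src_ip, dst_port, now):
        """Should traffic from src_ip to dst_port pass, and who is it attributed to?

        Returns (allowed, user_name); user_name is None if src_ip holds no session.
        """
        s = self._live_session(src_ip, now)
        if s is None:
            return (False, None)
        s.last_seen = now   # any traffic from the IP counts as activity
        allowed_ports = set().union(*(GROUP_POLICY.get(g, set()) for g in s.groups))
        return (dst_port in allowed_ports, s.user)


def demo_timeouts():
    """Inactivity timeout of 300 s and absolute session timeout of 3600 s."""
    table = AuthTable(idle_timeout=300, session_timeout=3600)
    table.login("10.0.0.5", "alice", {"Sales"}, now=0)
    results = {
        "https_allowed": table.check("10.0.0.5", 443, now=10),
        "rdp_denied": table.check("10.0.0.5", 3389, now=20),   # Sales has no 3389
        "after_idle": table.check("10.0.0.5", 443, now=400),   # 380 s idle: re-auth
    }
    # carol sends traffic every 100 s, but the absolute limit still ends the session
    table.login("10.0.0.6", "carol", {"IT"}, now=1000)
    for t in range(1100, 4600, 100):
        table.check("10.0.0.6", 22, now=t)
    results["before_hard_limit"] = table.check("10.0.0.6", 22, now=4600)
    results["after_hard_limit"] = table.check("10.0.0.6", 22, now=4700)
    return results


def demo_shared_ip():
    """Terminal server: two people behind one IP, only alice authenticated."""
    table = AuthTable(idle_timeout=300, session_timeout=3600)
    table.login("10.0.0.7", "alice", {"Sales"}, now=0)
    # bob never logged in, but his browser traffic leaves the same IP address
    return table.check("10.0.0.7", 443, now=5)   # allowed and attributed to alice


def demo_sso_allowlist():
    """SSO is only honoured for listed source addresses."""
    table = AuthTable(300, 3600, sso_allowlist={"10.0.1.10", "10.0.1.11"})
    return (
        table.login("10.0.1.10", "dave", {"IT"}, now=0, via_sso=True),
        table.login("10.0.0.9", "eve", {"IT"}, now=0, via_sso=True),
    )


if __name__ == "__main__":
    print(demo_timeouts())
    print(demo_shared_ip())
    print(demo_sso_allowlist())
```

The shared-IP case is the point of the kiosk and terminal-server warning: the firewall has no way to tell bob's packets from alice's, so bob inherits alice's Sales privileges and alice's name appears in the logs for bob's connections. Short inactivity timeouts narrow that window but cannot close it.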