What is the difference between Authenticate and Force Authenticate policy actions?

Article ID: 167300

Products

ProxySG Software - SGOS

Issue/Introduction

Authenticate (default):

The default Authenticate action WILL NOT authenticate the user if, during policy evaluation, the request also matches a deny rule. The purpose of the default Authenticate action is efficiency: because it has already been determined that the request will be denied, the ProxySG skips the additional steps needed to authenticate the user, which saves time and resources on the ProxySG. Proxy administrators who DO NOT need to enforce an internet security policy that requires them to identify users attempting to access blocked sites will choose this option for performance purposes.

Force Authenticate:

The Force Authenticate action WILL authenticate the user even when the request also matches a deny rule. The purpose of using Force Authenticate is to ensure that usernames are logged even when the request will be denied. Proxy administrators who DO need to enforce an internet security policy that requires that they identify users attempting to access blocked sites will use this option for security purposes.

Environment

SGOS 6.2 and later

Resolution

Additional use information:
Keep in mind that even with the default Authenticate action, authentication still proceeds if policy has Web Access Layer rules that include domain user/group based conditions and those rules are evaluated before a deny rule with NO domain user/group based condition is reached. In that case the ProxySG must authenticate in order to determine whether the user/group based conditions match. The default Authenticate action denies the request without authenticating the user only when the request matches a deny rule and no rules with domain user/group based conditions are evaluated.

Example #1:
[Web Authentication Layer]
Rule #1: Source=Any, Destination=Any, Action=Authenticate (default)

[Web Access Layer]
Rule #1: Source=Any, Destination=category=suspicious, Action=DENY

Result: A request for a suspicious site WILL NOT BE authenticated because it matched a default Authenticate rule and no domain user/group based rule was evaluated.

Example #2:
[Web Authentication Layer]
Rule #1: Source=Any, Destination=Any, Action=Authenticate (default)

[Web Access Layer]
Rule #1: Source=User1, Destination=category=suspicious, Action=DENY
Rule #2: Source=Any, Destination=category=suspicious, Action=DENY

Result: A request for a suspicious site WILL BE authenticated to determine the username since Web Access Layer rule #1 has a user based condition. 

Example #3:
[Web Authentication Layer]
Rule #1: Source=Any, Destination=Any, Action=Force Authenticate

[Web Access Layer]
Rule #1: Source=Any, Destination=category=suspicious, Action=DENY

Result: A request for a suspicious site WILL BE authenticated because a Force Authenticate action is matched even though there are no domain user/group based rules.

Additional Information

Please note that while the property authenticate.force() has a higher precedence than a regular DENY, it does not override force_deny() or force_exception(). In both of these cases the user will not be authenticated even though Force Authenticate was used.
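
The decision logic from the three examples and the note above, as a simplified Python model for checking which requests will carry a username in the logs. This is an added example, not Broadcom code and not the SGOS policy engine. The `AccessRule` class, the `authenticates` function and the in-order rule walk are assumptions made for illustration, and only rules whose destination category matches the request are considered.

```python
from dataclasses import dataclass
from typing import List, Optional

FORCED = {"force_deny", "force_exception"}  # verdicts authenticate.force() does not override

@dataclass
class AccessRule:
    category: str               # destination category the rule matches
    verdict: str                # "deny", "force_deny" or "force_exception"
    user: Optional[str] = None  # set when the rule has a user/group condition

def authenticates(auth_action: str, rules: List[AccessRule], category: str) -> bool:
    """True if the proxy authenticates a request for `category`.

    auth_action: "authenticate" (default) or "force" (Force Authenticate).
    Rules are walked in order. A user-based rule placed ahead of a forced
    verdict is a combination the article does not cover and is not modelled.
    """
    for rule in rules:
        if rule.category != category:
            continue
        if rule.verdict in FORCED:
            return False  # forced verdicts win even over Force Authenticate
        if rule.user is not None:
            return True   # identity is needed to test the user/group condition
        # Plain deny with no user/group condition: only Force Authenticate
        # still authenticates, so the username reaches the access log.
        return auth_action == "force"
    return True  # assumption: no deny matched, so the Authenticate rule applies as usual

# The article's three examples, plus the force_deny case from its closing note.
EXAMPLES = {
    "example_1": ("authenticate", [AccessRule("suspicious", "deny")]),
    "example_2": ("authenticate", [AccessRule("suspicious", "deny", user="User1"),
                                   AccessRule("suspicious", "deny")]),
    "example_3": ("force", [AccessRule("suspicious", "deny")]),
    "force_deny": ("force", [AccessRule("suspicious", "force_deny")]),
}

def run_examples() -> dict:
    return {name: authenticates(action, rules, "suspicious")
            for name, (action, rules) in EXAMPLES.items()}

if __name__ == "__main__":
    for name, result in run_examples().items():
        print(f"{name}: authenticated={result}")
```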