2.2. Procedure – Outband authentication with PNS

Purpose: 

PNS implements outband authentication according to the following procedure:

Figure 1. Outband authentication with PNS

Steps: 

  1. The client initiates a connection towards the server.

  2. PNS determines the service to be accessed based on the IP address of the client and the server. If authentication is required for the connection (an authentication policy is assigned to the service), PNS initiates a connection towards the client using the Authentication Agent protocol.

  3. Depending on the authentication methods available (for example, for password-based authentication), the dialog of the authentication agent is displayed on the client machine. The user enters their username that the authentication agent forwards to PNS.

  4. The PNS firewall connects to Authentication Server (AS) and retrieves the list of authentication methods enabled for the particular user. Multiple authentication methods can be enabled for a single user (for example, x509, Kerberos, password, and so on). The authorization of the user is also performed in this step, for example, the verification of the LDAP group membership.

  5. PNS returns the list of available methods to the client. The user selects a method and provides the information (for example, the password) required for the method.

  6. The authentication agent sends the data (for example, the password) to PNS that forwards it to AS.

  7. AS performs the authentication and notifies PNS about the result (success/failure).

  8. PNS returns the result to the client and, if the authentication was successful, builds a connection towards the server. If the authentication failed, it terminates the connection to the client.
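The eight steps above as a constructed Python model (an added example, not PNS code): the `Service`, `AuthServer`, `Agent` and `PNS` classes, the user records and the result strings are assumptions, since the page does not show the Authentication Agent protocol or the AS interface. It exercises the decisions the procedure describes: no policy means no dialog, an authorization failure in step 4 stops the flow before any credential is sent, and a failed step 7 terminates the client connection.

```python
"""Constructed model of the Figure 1 flow (added example, not PNS code).
All class names, record layouts and result strings are assumptions."""
from dataclasses import dataclass

@dataclass
class Service:
    name: str
    auth_required: bool       # True when an authentication policy is assigned
    allowed_group: str = ""   # LDAP group verified during step 4 ("" = no check)

class AuthServer:  # stand-in for AS: per-user enabled methods, groups, secrets
    def __init__(self, users):
        self.users = users    # user -> {"methods": [...], "groups": [...], ...}
    def methods_for(self, user, group):   # step 4: method list + authorization
        rec = self.users.get(user)
        if rec is None or (group and group not in rec["groups"]):
            return []                     # unknown or unauthorized user
        return list(rec["methods"])
    def authenticate(self, user, method, credential):   # step 7
        rec = self.users.get(user, {})
        return (method in rec.get("methods", []) and credential is not None
                and rec.get(method) == credential)

class Agent:  # scripted stand-in for the agent dialog on the client
    def __init__(self, user, method, credential):
        self.user, self.method, self.credential = user, method, credential
    def choose(self, methods):            # step 5: only offered methods are selectable
        return (self.method, self.credential) if self.method in methods else None

class PNS:
    def __init__(self, services, auth_server):
        self.services, self.auth_server = services, auth_server   # keyed by IP pair
    def handle_connection(self, client_ip, server_ip, agent):    # step 1
        service = self.services.get((client_ip, server_ip))      # step 2
        if service is None:
            return "rejected: no service"
        if not service.auth_required:
            return f"connected to {service.name}"                # no policy: no dialog
        user = agent.user                                        # step 3
        methods = self.auth_server.methods_for(user, service.allowed_group)
        if not methods:
            return "terminated: user not authorized"             # stop before credentials
        choice = agent.choose(methods)                           # steps 5-6
        if choice is None:
            return "terminated: method not available"
        if self.auth_server.authenticate(user, *choice):         # step 7
            return f"connected to {service.name}"                # step 8, success
        return "terminated: authentication failed"               # step 8, failure
```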