D-Link DFL-260-IPS-12 Product Manual - Page 359
External RADIUS Servers, Reasons for Using External Servers, RADIUS Usage with NetDefendOS
View all D-Link DFL-260-IPS-12 manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 359 highlights
8.2.3. External RADIUS Servers Chapter 8. User Authentication When the user connects, there is an automatic checking of the keys used by the client to verify their identity. Once verified, there is no need for the user to input their username and password. To make use of this feature, the relevant SSH Client Key object or objects must first be defined separately in NetDefendOS. Client keys are found as an object type within Authentication Objects in the Web Interface. Definition requires the uploading of the public key file for the key pair used by the client. 8.2.3. External RADIUS Servers Reasons for Using External Servers In a larger network topology with a larger administration workload, it is often preferable to have a central authentication database on a dedicated server. When there is more than one NetDefend Firewall in the network and thousands of users, maintaining separate authentication databases on each device becomes problematic. Instead, an external authentication server can validate username/password combinations by responding to requests from NetDefendOS. To provide this, NetDefendOS supports the Remote Authentication Dial-in User Service (RADIUS) protocol. RADIUS Usage with NetDefendOS NetDefendOS can act as a RADIUS client, sending user credentials and connection parameter information as a RADIUS message to a designated RADIUS server. The server processes the requests and sends back a RADIUS message to accept or deny them. One or more external servers can be defined in NetDefendOS. RADIUS Security To provide security, a common shared secret is configured on both the RADIUS client and the server. This secret enables encryption of the messages sent from the RADIUS client to the server and is commonly configured as a relatively long text string. The string can contain up to 100 characters and is case sensitive. RADIUS uses PPP to transfer username/password requests between client and RADIUS server, as well as using PPP authentication schemes such as PAP and CHAP. RADIUS messages are sent as UDP messages via UDP port 1812. Support for Groups RADIUS authentication supports the specification of groups for a user. This means that a user can also be specified as being in the administrators or auditors group. 8.2.4. External LDAP Servers Lightweight Directory Access Protocol (LDAP) servers can also be used with NetDefendOS as an authentication source. This is implemented by the NetDefend Firewall acting as a client to one or more LDAP servers. Multiple servers can be configured to provide redundancy if any servers become unreachable. Setting Up LDAP Authentication There are two steps for setting up user authentication with LDAP servers: • Define one or more user authentication LDAP server objects in NetDefendOS. • Specify one or a list of these LDAP server objects in a user authentication rule. 359