D-Link DFL-260 Product Manual - Page 370
8.2.8. HTTP Authentication
Chapter 8. User Authentication

combination. A Realm String can optionally be specified which will appear in the browser's dialog. FORM is recommended over BASICAUTH because in some cases the browser might hold the login data in its cache.

• If the Agent is set to HTTPS then the Host Certificate and Root Certificate have to be chosen from a list of certificates already loaded into NetDefendOS.

Setting Up IP Rules

HTTP authentication cannot operate unless a rule is added to the IP rule set to explicitly allow authentication to take place. If we consider the example of a number of clients on the local network lannet who would like access to the public Internet through the wan interface then the IP rule set would contain the following rules:

#  Action  Src Interface  Src Network    Dest Interface  Dest Network  Service
1  Allow   lan            lannet         core            lan_ip        http-all
2  NAT     lan            trusted_users  wan             all-nets      http-all
3  NAT     lan            lannet         wan             all-nets      dns-all

The first rule allows the authentication process to take place and assumes the client is trying to access the lan_ip IP address, which is the IP address of the interface on the NetDefend Firewall where the local network connects.

The second rule allows normal surfing activity but we cannot just use lannet as the source network since the rule would trigger for any unauthenticated client from that network. Instead, the source network is an administrator defined IP object called trusted_users which is the same network as lannet but has additionally either the Authentication option No Defined Credentials enabled or has an Authentication Group assigned to it (which is the same group as that assigned to the users).

The third rule allows DNS lookup of URLs.

Forcing Users to a Login Page

With this setup, when users that are not authenticated try to surf to any IP except lan_ip they will fall through the rules and their packets will be dropped. To always have these users come to the authentication page we must add a SAT rule and its associated Allow rule. The rule set will now look like this:

#  Action  Src Interface  Src Network    Dest Interface  Dest Network  Service
1  Allow   lan            lannet         core            lan_ip        http-all
2  NAT     lan            trusted_users  wan             all-nets      http-all
3  NAT     lan            lannet         wan             all-nets      dns-all
4  SAT     lan            lannet         wan             all-nets      http-all all-to-one 127.0.0.1
5  Allow   lan            lannet         wan             all-nets      http-all

The SAT rule catches all unauthenticated requests and must be set up with an all-to-one address mapping that directs them to the address 127.0.0.1 which corresponds to core (NetDefendOS itself).
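The rule set above traced through a simplified first-match model, as an added example that is not part of the D-Link manual and is not NetDefendOS code. The addresses, the port sets behind http-all and dns-all, and the SAT handling (record the translation, keep searching for the rule that allows the packet) are assumptions of this sketch.

```python
import ipaddress

# Constructed sample addressing; the manual gives only the object names.
LANNET = ipaddress.ip_network("192.168.1.0/24")
LAN_IP = ipaddress.ip_address("192.168.1.1")
SERVICES = {"http-all": {("tcp", 80), ("tcp", 443)},   # assumed port sets
            "dns-all": {("tcp", 53), ("udp", 53)}}

# (number, action, src_if, src_net, dst_if, dst_net, service), from the manual's table.
RULES = [
    (1, "Allow", "lan", "lannet", "core", "lan_ip", "http-all"),
    (2, "NAT", "lan", "trusted_users", "wan", "all-nets", "http-all"),
    (3, "NAT", "lan", "lannet", "wan", "all-nets", "dns-all"),
    (4, "SAT", "lan", "lannet", "wan", "all-nets", "http-all"),
    (5, "Allow", "lan", "lannet", "wan", "all-nets", "http-all"),
]
SAT_TARGET = "127.0.0.1"  # all-to-one mapping of rule 4 (core)

def in_net(name, ip, authenticated):
    if name == "all-nets":
        return True
    if name == "lan_ip":
        return ip == LAN_IP
    if name == "lannet":
        return ip in LANNET
    if name == "trusted_users":  # lannet plus an authentication requirement
        return ip in LANNET and authenticated
    return False

def evaluate(src, dst, proto, port, authenticated, rules=RULES):
    """Return (rule numbers hit, verdict, effective destination) for a packet from lan."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    dst_if = "core" if dst == LAN_IP else "wan"
    hits, effective = [], str(dst)
    for num, action, s_if, s_net, d_if, d_net, svc in rules:
        if (s_if != "lan" or d_if != dst_if or (proto, port) not in SERVICES[svc]
                or not in_net(s_net, src, authenticated)
                or not in_net(d_net, dst, authenticated)):
            continue
        hits.append(num)
        if action == "SAT":          # translation is recorded; lookup continues
            effective = SAT_TARGET
            continue
        return hits, action, effective
    return hits, "Drop", str(dst)    # no rule allowed the packet
```

Calling `evaluate` with `rules=RULES[:3]` reproduces the three-rule set from "Setting Up IP Rules", where an unauthenticated HTTP request to an outside address is dropped rather than redirected.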