D-Link DFL-800-AV-12 User Manual - Page 222
Chapter 8. User Authentication

NetDefendOS acts as a RADIUS client, sending user credentials and connection parameter information as a RADIUS message to a nominated RADIUS server. The server processes the request and sends back a RADIUS message to accept or deny it. One or more external servers can be defined in NetDefendOS.

RADIUS Security

To provide security, a common shared secret is configured on both the RADIUS client and the server. The secret does not encrypt whole messages: it is used to hide the User-Password attribute sent from the client to the server, and to compute the authenticator with which the client checks that a reply really came from a server holding the same secret. The rest of a RADIUS message, including the username, travels in clear, so RADIUS traffic should be confined to a trusted network or carried inside a VPN tunnel. The secret is commonly configured as a relatively long text string; in NetDefendOS it can contain up to 100 characters and is case sensitive.

RADIUS does not itself run over PPP. It carries the credentials gathered by PPP authentication schemes such as PAP and CHAP (for example on L2TP tunnels terminated by NetDefendOS) between the client and the RADIUS server. RADIUS authentication messages are sent as UDP datagrams to UDP port 1812.

8.2.4. Authentication Rules

Authentication Rules are set up in a way that is similar to other NetDefendOS security policies, by specifying which traffic is to be subject to the rule. They differ from other policies in that the destination network/interface is not of interest, only the source network/interface.

An Authentication Rule has the following parameters:

• Interface - The source interface on which the connections to be authenticated will arrive.
• Source IP - The source network from which these connections will arrive.
• Authentication Source - Specifies whether authentication is done against a Local database defined within NetDefendOS or against a RADIUS server (discussed in detail below).
• Agent - The type of traffic being authenticated. This can be one of:
  • HTTP or HTTPS - Web connections to be authenticated via a pre-defined or custom web page (see the detailed HTTP explanation below).
  • PPP - L2TP or PPP tunnel authentication.
  • XAUTH - IKE authentication which is part of IPsec tunnel establishment.
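The RADIUS Security section above is easier to reason about with the actual bytes in hand. The following Python script is an added example, not NetDefendOS code and not taken from the manual: it builds an Access-Request the way RFC 2865 specifies, hides the User-Password with the shared secret, answers it from a toy server, and has the client verify the Response Authenticator. The secret, Request Authenticator, user table and addresses are constructed values; MD5 appears only because the RFC mandates it for this protocol, not as a recommendation. It shows that the secret protects only the password attribute and the reply's integrity, not the message as a whole, and what happens when the two sides hold different secrets or a reply is injected without the secret.

```python
"""Constructed RADIUS (RFC 2865) exchange: Access-Request with a hidden User-Password,
then an Access-Accept/Reject whose Response Authenticator the client verifies.
Nothing touches the network; all values are made up (not NetDefendOS code)."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; a 16-octet Authenticator follows

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 s5.2: pad to a 16-octet multiple, XOR each block with
    MD5(secret || previous ciphertext block); block 1 uses the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of s5.2: regenerate the same keystream, strip the NUL padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")

def encode_attrs(pairs):
    """Type-Length-Value attributes; Length includes the 2-octet TLV header."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in pairs)

def decode_attrs(body: bytes):
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("malformed attribute")
        attrs.append((body[i], body[i + 2:i + body[i + 1]]))
        i += body[i + 1]
    return attrs

def build_access_request(ident, secret, username, password, nas_ip, request_auth=None):
    """Client side. The Request Authenticator must be fresh and unpredictable;
    a fixed one is accepted only so the example is reproducible."""
    ra = request_auth or os.urandom(16)
    body = encode_attrs([
        (ATTR_USER_NAME, username),
        (ATTR_USER_PASSWORD, hide_password(password, secret, ra)),
        (ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
    ])
    return HEADER.pack(ACCESS_REQUEST, ident, 20 + len(body)) + ra + body

def response_authenticator(code, ident, body, request_auth, secret):
    """RFC 2865 s3: MD5(Code || ID || Length || RequestAuth || Attributes || Secret)."""
    header = HEADER.pack(code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()

def server_handle(request: bytes, secret: bytes, users: dict) -> bytes:
    """Server side: recover the password with its copy of the secret, check the
    user table, answer with an authenticated Access-Accept or Access-Reject."""
    code, ident, length = HEADER.unpack(request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("not a well-formed Access-Request")
    ra, attrs = request[4:20], dict(decode_attrs(request[20:]))
    stored = users.get(attrs.get(ATTR_USER_NAME))
    given = reveal_password(attrs[ATTR_USER_PASSWORD], secret, ra)
    ok = stored is not None and hmac.compare_digest(stored, given)
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return HEADER.pack(reply_code, ident, 20) + response_authenticator(reply_code, ident, b"", ra, secret)

def client_check_reply(reply: bytes, request: bytes, secret: bytes):
    """Client side: return the reply code only if the Identifier matches our request
    and the Response Authenticator was made with our secret; otherwise None."""
    if len(reply) < 20:
        return None
    code, ident, length = HEADER.unpack(reply[:4])
    if length != len(reply) or ident != request[1]:
        return None
    expected = response_authenticator(code, ident, reply[20:], request[4:20], secret)
    return code if hmac.compare_digest(expected, reply[4:20]) else None

def demo():
    secret, ra = b"long-random-shared-secret", bytes(range(16))  # constructed; fixed RA for reproducibility
    users = {b"alice": b"correct horse"}  # constructed server-side user table
    req = build_access_request(7, secret, b"alice", b"correct horse", "192.0.2.10", ra)
    bad_pw = build_access_request(8, secret, b"alice", b"wrong", "192.0.2.10", ra)
    forged = HEADER.pack(ACCESS_ACCEPT, 7, 20) + b"\x00" * 16  # Accept injected without the secret
    return {
        "accept": client_check_reply(server_handle(req, secret, users), req, secret),
        "reject": client_check_reply(server_handle(bad_pw, secret, users), bad_pw, secret),
        # a server holding another secret decodes garbage, rejects, and its reply fails the check
        "wrong_secret": client_check_reply(server_handle(req, b"other", users), req, secret),
        "forged": client_check_reply(forged, req, secret),
    }
```

Running `demo()` yields an Access-Accept (code 2) for the right password, an Access-Reject (code 3) for the wrong one, and `None` both for the reply from a server with a mismatched secret and for the injected Accept, which is the property the shared secret actually buys: a reply the client will act on can only come from a party holding the secret. Note that `decode_attrs` refuses an attribute whose length field runs past the packet; RADIUS parsers that skip this check have historically been a source of memory-safety bugs.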
Connection Timeouts

An Authentication Rule can specify the following timeouts related to a user session:

• Idle Timeout - How long a connection can be idle before being automatically terminated (1800 seconds by default).
• Session Timeout - The maximum time that a connection can exist (no value is specified by default).

If an authentication server is being used, the option Use timeouts received from the authentication server can be enabled to have these values set by the server.

Multiple Logins

An Authentication Rule can specify how multiple logins are handled when more than one user from different source IP addresses tries to log in with the same username. The possible options are:

• Allow multiple logins so that more than one client can use the same username/password
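To make the rule parameters, the two timeouts and the multiple-login setting concrete, here is a constructed Python model of how such a rule is matched and how an authenticated session ages. It is an added example, not NetDefendOS code and not the product's configuration syntax: the rule fields mirror the parameters listed above, the default idle timeout of 1800 seconds and the absent default session timeout come from the text, while the field name `allow_multiple_logins`, the behaviour of rejecting a second login for the disallow case, and the credential-check callback (standing in for the Local database or a RADIUS client) are assumptions made for the model. Addresses, users and timestamps are constructed.

```python
"""Constructed model of an Authentication Rule with idle/session timeouts and
duplicate-login handling. Not NetDefendOS code; field names and the reject
behaviour for the disallow case are assumptions of this model."""
from dataclasses import dataclass
import ipaddress
from typing import Callable, Dict, List, Optional

@dataclass
class AuthRule:
    interface: str                         # source interface the login arrives on
    source_net: ipaddress.IPv4Network      # source network
    agent: str                             # "HTTP", "HTTPS", "PPP" or "XAUTH"
    auth_source: str                       # "Local" or "RADIUS"
    idle_timeout: int = 1800               # seconds; the manual's default
    session_timeout: Optional[int] = None  # no maximum lifetime by default
    allow_multiple_logins: bool = True     # field name assumed for this model

@dataclass
class Session:
    username: str
    src_ip: str
    rule: AuthRule
    started: float
    last_seen: float

def match_rule(rules: List[AuthRule], interface: str, src_ip: str, agent: str) -> Optional[AuthRule]:
    """First rule whose source interface, source network and agent all match;
    the destination plays no part, as the manual says."""
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule.interface == interface and rule.agent == agent and ip in rule.source_net:
            return rule
    return None

class SessionTable:
    """Tracks authenticated hosts and enforces idle and session timeouts."""

    def __init__(self, rules: List[AuthRule], credential_check: Callable[[str, str, str], bool]):
        self.rules = rules
        # credential_check(auth_source, username, password) -> bool is supplied by the
        # caller: a Local table lookup here, a RADIUS client in a real deployment.
        self.credential_check = credential_check
        self.sessions: Dict[str, Session] = {}

    def expire(self, now: float) -> List[str]:
        """Drop sessions idle for idle_timeout or older than session_timeout."""
        gone = []
        for ip, s in list(self.sessions.items()):
            idle = now - s.last_seen >= s.rule.idle_timeout
            too_old = s.rule.session_timeout is not None and now - s.started >= s.rule.session_timeout
            if idle or too_old:
                del self.sessions[ip]
                gone.append(ip)
        return gone

    def login(self, interface, src_ip, agent, username, password, now) -> str:
        self.expire(now)
        rule = match_rule(self.rules, interface, src_ip, agent)
        if rule is None:
            return "no matching rule"
        if not self.credential_check(rule.auth_source, username, password):
            return "bad credentials"
        if not rule.allow_multiple_logins and any(
                s.username == username and s.src_ip != src_ip for s in self.sessions.values()):
            return "already logged in elsewhere"  # assumed behaviour of the disallow option
        self.sessions[src_ip] = Session(username, src_ip, rule, now, now)
        return "ok"

    def traffic_seen(self, src_ip, now) -> bool:
        """Per packet from an authenticated host: True if still logged in; resets the idle clock."""
        self.expire(now)
        s = self.sessions.get(src_ip)
        if s is None:
            return False
        s.last_seen = now
        return True

def demo():
    rules = [AuthRule("lan", ipaddress.ip_network("192.168.1.0/24"), "HTTP", "Local",
                      idle_timeout=1800, session_timeout=3600, allow_multiple_logins=False)]
    local_users = {"alice": "correct horse", "bob": "battery staple"}  # constructed Local database
    check = lambda source, user, pw: source == "Local" and local_users.get(user) == pw
    table = SessionTable(rules, check)
    return {
        "alice": table.login("lan", "192.168.1.10", "HTTP", "alice", "correct horse", now=0),
        "alice_second_ip": table.login("lan", "192.168.1.11", "HTTP", "alice", "correct horse", now=10),
        "no_rule_on_wan": table.login("wan", "203.0.113.5", "HTTP", "alice", "correct horse", now=10),
        "alice_at_1700s": table.traffic_seen("192.168.1.10", now=1700),  # idle 1700 < 1800: alive
        "alice_at_3500s": table.traffic_seen("192.168.1.10", now=3500),  # idle 1800 since 1700: gone
        "bob": table.login("lan", "192.168.1.20", "HTTP", "bob", "battery staple", now=4000),
        "bob_at_5500s": table.traffic_seen("192.168.1.20", now=5500),    # keeps the idle clock fresh
        "bob_at_7000s": table.traffic_seen("192.168.1.20", now=7000),    # age 3000 < 3600: alive
        "bob_at_7700s": table.traffic_seen("192.168.1.20", now=7700),    # age 3700 >= 3600: gone
    }
```

The two timeouts fail differently: alice's session ends because nothing was seen from her host for 1800 seconds even though her session lifetime had not run out, while bob's host keeps sending traffic and is still cut off at the 3600-second session limit. That second behaviour is why a session timeout is worth setting explicitly rather than leaving it at the manual's no-value default: without it, a host that keeps generating traffic stays authenticated indefinitely.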