Home » D-Link Manuals » Networking » D-Link DFL-200 » Manual Viewer

D-Link DFL-200 Product Manual - Page 33

Users, The DFL-200 RADIUS Support - password

UPC - 790069268823

Add to My Manuals
Save this manual to your list of manuals

Page 33 highlights

Users User Authentication allows an administrator to grant or reject access to specific users from specific IP addresses, based on their user credentials. Before any traffic is allowed to pass through any policies configured with username or groups, the user must first authenticate him/her-self. The DFL-200 can either verify the user against a local database or pass along the user information to an external authentication server, which verifies the user and the given password, and transmits the result back to the firewall. If the authentication is successful, the DFL-200 will remember the source IP address of this user, and any matching policies with usernames or groups configured will be allowed. Specific policies that deal with user authentication can be defined, thus leaving policies that do not require user authentication unaffected. The DFL-200 supports the RADIUS (Remote Authentication Dial In User Service) authentication protocol. This protocol is heavily used in many scenarios where user authentication is required, either by itself or as a front-end to other authentication services. The DFL-200 RADIUS Support The DFL-200 can use RADIUS to verify users against, for example, Active Directory or Unix password-file. It is possible to configure up to two servers, if the first one is down it will try the second IP instead. The DFL-200 can use CHAP or PAP when communicating with the RADIUS server. CHAP (Challenge Handshake Authentication Protocol) does not allow a remote attacker to extract the user password from an intercepted RADIUS packet. However, the password must be stored in plaintext on the RADIUS server. PAP (Password Authentication Protocol) may be defined as the less secure of the two. If a RADIUS packet is intercepted while being transmitted between the firewall and the RADIUS server, given time, the user password can be extracted. The advantage to this is that the password does not have to be stored in plaintext in the RADIUS server. The DFL-200 uses a shared secret when connecting to the RADIUS server. The shared secret enables basic encryption of the user password when the RADIUS-packet is transmitted from the firewall to the RADIUS server. The shared secret is case sensitive, can contain up to 100 characters, and must be typed exactly the same on both the firewall and the RADIUS server.

Section	Page
Features and Benefits	6
Introduction to Firewalls	6
Introduction to Local Area Networking	7
LEDs	8
Physical Connections	8
Package Contents	9
System Requirements	9
Managing D-Link DFL-200	10
Resetting the DFL-200	10
Administration Settings	11
Administrative Access	11
Add ping access to an interface	12
Add Admin access to an interface	12
Add Read-only access to an interface	13
Enable SNMP access to an interface	13
System	14
Interfaces	14
Change IP of the LAN or DMZ interface	14
WAN Interface Settings – Using Static IP	15
WAN Interface Settings – Using DHCP	15
WAN Interface Settings – Using PPPoE	16
WAN Interface Settings – Using PPTP	17
WAN Interface Settings – Using L2TP	18
WAN Interface Settings – Using BigPond	19
MTU Configuration	19
Routing	20
Add a new Static Route	21
Remove a Static Route	21
Logging	22
Enable Logging	23
Enable Audit Logging	23
Enable E-mail alerting for IDS/IDP events	23
Time	24
Changing time zone	25
Using NTP to sync time	25
Setting time and date manually	25
Firewall	26
Policy	26
Policy modes	26
Action Types	26
Source and Destination Filter	26
Service Filter	27
Schedule	27
Intrusion Detection / Prevention	27
Add a new policy	28
Change order of policy	29
Delete policy	29
Configure Intrusion Detection	29
Configure Intrusion Prevention	29
Port mapping / Virtual Servers	30
Add a new mapping	30
	30
Delete mapping	31
Administrative users	32
Change Administrative User Password	32
	32
	32
Users	33
The DFL-200 RADIUS Support	33
Enable User Authentication via HTTP / HTTPS	34
Enable RADIUS Support	34
Add User	35
Change User Password	35
Delete User	36
	36
Schedules	37
Add new recurring schedule	37
Add new one-time schedule	38
Services	39
Adding TCP, UDP or TCP/UDP Service	39
Adding IP Protocol	40
Grouping Services	40
Protocol-independent settings	41
VPN	42
Introduction to IPSec	42
	42
Introduction to PPTP	42
	43
Introduction to L2TP	43
Point-to-Point Protocol	43
Authentication Protocols	44
MPPE, Microsoft Point-To-Point Encryption	44
	44
L2TP/PPTP Clients	45
L2TP/PPTP Servers	46
IPSec VPN between two networks	47
Creating a LAN-to-LAN IPSec VPN Tunnel	47
VPN between client and an internal network	48
	48
Creating a Roaming Users IPSec Tunnel	48
	48
Adding an L2TP/PPTP VPN Client	49
	49
Adding an L2TP/PPTP VPN Server	49
VPN – Advanced Settings	50
Limit MTU	50
IKE Mode	50
IKE DH Group	50
PFS – Perfect Forward Secrecy	50
NAT Traversal	50
Keepalives	50
Proposal Lists	51
IKE Proposal List	51
IPSec Proposal List	51
Certificates	52
Trusting Certificates	52
Local identities	52
Certificates of remote peers	52
Certificate Authorities	53
Identities	53
Content Filtering	54
Edit the URL Global Whitelist	54
Edit the URL Global Blacklist	55
Active content handling	55
Servers	56
DHCP Server Settings	56
Enable DHCP Server	57
Enable DHCP Relay	57
Disable DHCP Server/Relay	57
DNS Relay Settings	58
Enable DNS Relayer	58
Disable DNS Relayer	58
Tools	59
Ping	59
Ping Example	59
Dynamic DNS	60
Add Dynamic DNS Settings	60
Backup	61
Exporting the DFL-200’s Configuration	61
Restoring the DFL-200’s Configuration	61
Restart/Reset	62
Restoring system settings to factory defaults	63
Upgrade	64
Upgrade Firmware	64
Upgrade IDS Signature-database	64
Status	65
System	65
Interfaces	66
VPN	67
Connections	68
DHCP Server	69
How to read the logs	70
	70
USAGE events	70
	70
DROP events	70
CONN events	71
Step by Step Guides	72
LAN-to-LAN VPN using IPSec	73
Settings for Main office	75
LAN-to-LAN VPN using PPTP	77
Settings for Main office	79
LAN-to-LAN VPN using L2TP	83
Settings for Branch office	83
Settings for Main office	86
A more secure LAN-to-LAN VPN solution	90
Settings for Branch office	90
Settings for Main office	93
	93
Windows XP client and PPTP server	94
Settings for the Windows XP client	94
Settings for Main office	101
Windows XP client and L2TP server	104
Settings for the Windows XP client	104
Settings for Main office	106
Intrusion Detection and Prevention	108
Appendixes	111
Appendix A: ICMP Types and Codes	111
Appendix B: Common IP Protocol Numbers	113
Appendix C: Multiple Public IP addresses	114
Appendix D: HTTP Content Filtering	122
Warranty	129
Copyright Statement: No part of this publication or documentation accompanying this Product may be reproduced in any form or by any means or used to make any derivative such as translation, transformation, or adaptation without permission from D-Link Corporation/D-Link Systems, Inc., as stipulated by the United States Copyright Act of 1976. Contents are subject to change without prior notice. Copyright© 2005 by D-Link Corporation/D-Link Systems, Inc. All rights reserved.	131

Match case Limit results 1 per page

Users

User Authentication allows an administrator to grant or reject access to specific users from

specific IP addresses, based on their user credentials.

Before any traffic is allowed to pass through any policies configured with username or

groups, the user must first authenticate him/her-self. The DFL-200 can either verify the user

against a local database or pass along the user information to an external authentication

server, which verifies the user and the given password, and transmits the result back to the

firewall. If the authentication is successful, the DFL-200 will remember the source IP address

of this user, and any matching policies with usernames or groups configured will be allowed.

Specific policies that deal with user authentication can be defined, thus leaving policies that

do not require user authentication unaffected.

The DFL-200 supports the RADIUS (Remote Authentication Dial In User Service)

authentication protocol. This protocol is heavily used in many scenarios where user

authentication is required, either by itself or as a front-end to other authentication services.

The DFL-200 RADIUS Support

The DFL-200 can use RADIUS to verify users against, for example, Active Directory or

Unix password-file. It is possible to configure up to two servers, if the first one is down it will

try the second IP instead.

The DFL-200 can use CHAP or PAP when communicating with the RADIUS server.

CHAP

(Challenge Handshake Authentication Protocol) does not allow a remote attacker to

extract the user password from an intercepted RADIUS packet. However, the password must

be stored in plaintext on the RADIUS server.

PAP

(Password Authentication Protocol) may be

defined as the less secure of the two. If a RADIUS packet is intercepted while being

transmitted between the firewall and the RADIUS server, given time, the user password can

be extracted. The advantage to this is that the password does not have to be stored in

plaintext in the RADIUS server.

The DFL-200 uses a shared secret when connecting to the RADIUS server. The shared

secret enables basic encryption of the user password when the RADIUS-packet is transmitted

from the firewall to the RADIUS server. The shared secret is case sensitive, can contain up to

100 characters, and must be typed exactly the same on both the firewall and the RADIUS

server.