D-Link DFL-260E User Manual for DFL-260E - Page 389
External RADIUS Servers, Reasons for Using External Servers, RADIUS Usage with NetDefendOS
View all D-Link DFL-260E manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 389 highlights
8.2.3. External RADIUS Servers Chapter 8. User Authentication NetDefendOS SSH Client Key object. When the user connects, there is an automatic checking of the keys used by the client to verify their identity. Once verified, there is no need for the user to input their username and password. To make use of this feature, the relevant SSH Client Key object or objects must first be defined separately in NetDefendOS. Client keys are found as an object type within Authentication Objects in the Web Interface. Definition requires the uploading of the public key file for the key pair used by the client. 8.2.3. External RADIUS Servers Reasons for Using External Servers In a larger network topology with a larger administration workload, it is often preferable to have a central authentication database on a dedicated server. When there is more than one NetDefend Firewall in the network and thousands of users, maintaining separate authentication databases on each device becomes problematic. Instead, an external authentication server can validate username/password combinations by responding to requests from NetDefendOS. To provide this, NetDefendOS supports the Remote Authentication Dial-in User Service (RADIUS) protocol. RADIUS Usage with NetDefendOS NetDefendOS can act as a RADIUS client, sending user credentials and connection parameter information as a RADIUS message to a designated RADIUS server. The server processes the requests and sends back a RADIUS message to accept or deny them. One or more external servers can be defined in NetDefendOS. RADIUS Security To provide security, a common shared secret is configured on both the RADIUS client and the server. This secret enables encryption of the messages sent from the RADIUS client to the server and is commonly configured as a relatively long text string. The string can contain up to 100 characters and is case sensitive. RADIUS uses PPP to transfer username/password requests between client and RADIUS server, as well as using PPP authentication schemes such as PAP and CHAP. RADIUS messages are sent as UDP messages via UDP port 1812. Support for Groups RADIUS authentication supports the specification of groups for a user. This means that a user can also be specified as being in the administrators or auditors group. The RADIUS Vendor ID When configuring the RADIUS server itself to communicate with NetDefendOS, it is necessary to enter a value for the Vendor ID (vid). This value should be specified as 5089. 8.2.4. External LDAP Servers Lightweight Directory Access Protocol (LDAP) servers can also be used with NetDefendOS as an authentication source. This is implemented by the NetDefend Firewall acting as a client to one or more LDAP servers. Multiple servers can be configured to provide redundancy if any servers become unreachable. 389