Users
User Authentication allows an administrator to grant or reject access to specific users from
specific IP addresses, based on their user credentials.
Before any traffic is allowed to pass through any policies configured with username or
groups, the user must first authenticate him/her-self. The DFL-700 can either verify the user
against a local database or pass along the user information to an external authentication
server, which verifies the user and the given password, and transmits the result back to the
firewall. If the authentication is successful, the DFL-700 will remember the source IP address
of this user, and any matching policies with usernames or groups configured will be allowed.
Specific policies that deal with user authentication can be defined, thus leaving policies that
do not require user authentication unaffected.
The DFL-700 supports the RADIUS (Remote Authentication Dial In User Service)
authentication protocol. This protocol is heavily used in many scenarios where user
authentication is required, either by itself or as a front-end to other authentication services.
The DFL-700 RADIUS Support
The DFL-700 can use RADIUS to verify users against, for example, Active Directory or
Unix password-file. It is possible to configure up to two servers, if the first one is down it will
try the second IP instead.
The DFL-700 can use CHAP or PAP when communicating with the RADIUS server.
CHAP
(Challenge Handshake Authentication Protocol) does not allow a remote attacker to
extract the user password from an intercepted RADIUS packet. However, the password must
be stored in plaintext on the RADIUS server.
PAP
(Password Authentication Protocol) may be
defined as the less secure of the two. If a RADIUS packet is intercepted while being
transmitted between the firewall and the RADIUS server, given time, the user password can
be extracted. The advantage to this is that the password does not have to be stored in
plaintext in the RADIUS server.
The DFL-700 uses a shared secret when connecting to the RADIUS server. The shared
secret enables basic encryption of the user password when the RADIUS-packet is transmitted
from the firewall to the RADIUS server. The shared secret is case sensitive, can contain up to
100 characters, and must be typed exactly the same on both the firewall and the RADIUS
server.
Summary of Contents for DFL-700 - Security Appliance
Page 1: ...D Link DFL 700 Network Security Firewall Manual Building Networks for People 04 18 2005 TM ...
Page 102: ...102 5 Select Connect to the network at my workplace and click Next ...
Page 103: ...6 Select Virtual Private Network connection and click Next ...
Page 104: ...104 7 Name the connection MainOffice and click Next ...
Page 105: ...8 Select Do not dial the initial connection and click Next ...
Page 106: ...106 9 Type the IP address to the server 194 0 2 20 and click Next 10 Click Finish ...