authentication rule. This will be either a local NetDefendOS database, an external RADIUS
database server or an external LDAP server.
6. NetDefendOS then allows further traffic through this connection as long as authentication was successful and the service requested is allowed by a rule in the IP rule set. That rule's Source Network object has either the No Defined Credentials option enabled or alternatively it is associated with a group and the user is also a member of that group.
7. If a timeout restriction is specified in the authentication rule then the authenticated user will be automatically logged out after that length of time without activity.
Any packets from an IP address that fails authentication are discarded.
8.2.7. A Group Usage Example
To illustrate authentication group usage, suppose that there is a set of users who will log in from the network 192.168.1.0/24, which is connected to the lan interface. The requirement is to restrict access to a network called important_net on the int interface to just one group of trusted users, while the other, less-trusted users can only access another network called regular_net on the dmz interface.
Assuming that we are using the internal database of users as the authentication source, we add the
users to this database with appropriate username/password pairs and a specific Group string. One
set of users would be assigned to the group with the name trusted and the other to the group with the
name untrusted.
We now define two IP objects for the same network 192.168.1.0/24. One IP object is called
untrusted_net and has its Group parameter set to the string untrusted. The other IP object is called
trusted_net and its Group parameter is set to the string trusted.
The final step is to set up the rules in the IP rule set as shown below:
#  Action  Src Interface  Src Network    Dest Interface  Dest Network   Service
1  Allow   lan            trusted_net    int             important_net  all_services
2  Allow   lan            untrusted_net  dmz             regular_net    all_services
If we wanted to allow the trusted group users to also be able to access the regular network we could
add a third rule to permit this:
#  Action  Src Interface  Src Network    Dest Interface  Dest Network   Service
1  Allow   lan            trusted_net    int             important_net  all_services
2  Allow   lan            trusted_net    dmz             regular_net    all_services
3  Allow   int            untrusted_net  dmz             regular_net    all_services
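To make the lookup in steps 6 and 7 and the group example concrete, here is a small Python model of rule matching with authentication groups. It is an added illustration, not NetDefendOS code: the class, field and function names and the destination network addresses are assumptions, and the rules are the two Allow rules of the first table.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed model of the lookup in steps 6-7 above and of the group example;
# not NetDefendOS code. Class, field and function names are assumptions.
@dataclass(frozen=True)
class NetObject:
    network: str                  # address range, e.g. "192.168.1.0/24"
    group: str = ""               # the object's Group parameter ("" = none)
    no_defined_credentials: bool = False
@dataclass(frozen=True)
class IPRule:                     # all rules in the example are Allow rules
    number: int
    src_iface: str
    src_net: NetObject
    dst_iface: str
    dst_net: NetObject
    service: str
def source_allows(obj, src_ip, user_groups):
    """Source Network check; user_groups is None for an unauthenticated client."""
    if ip_address(src_ip) not in ip_network(obj.network):
        return False
    if user_groups is None:       # step 6: authentication must have succeeded
        return False
    if obj.no_defined_credentials or not obj.group:
        return True               # the object demands no group membership
    return obj.group in user_groups   # group-tied object: user must belong

def lookup(rules, src_iface, src_ip, dst_iface, dst_ip, service, user_groups):
    """Top-down scan of the IP rule set; first match wins, None means dropped."""
    for r in rules:
        if (r.src_iface, r.dst_iface) != (src_iface, dst_iface):
            continue
        if r.service not in ("all_services", service):
            continue
        if ip_address(dst_ip) not in ip_network(r.dst_net.network):
            continue
        if source_allows(r.src_net, src_ip, user_groups):
            return r
    return None
# The two rules of the first table; destination addresses are constructed.
trusted_net = NetObject("192.168.1.0/24", group="trusted")
untrusted_net = NetObject("192.168.1.0/24", group="untrusted")
important_net, regular_net = NetObject("10.1.0.0/24"), NetObject("10.2.0.0/24")
RULES = [IPRule(1, "lan", trusted_net, "int", important_net, "all_services"),
         IPRule(2, "lan", untrusted_net, "dmz", regular_net, "all_services")]

def matching_rule(src_ip, dst_iface, dst_ip, user_groups):
    r = lookup(RULES, "lan", src_ip, dst_iface, dst_ip, "http", user_groups)
    return r.number if r else None   # None: packet discarded
```

With only the first two rules, a trusted user reaching for regular_net matches nothing and is dropped, which is why the third rule in the second table is needed.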
8.2.8. HTTP Authentication
Where users communicate through a web browser using the HTTP or HTTPS protocol, authentication is done by NetDefendOS presenting the user with HTML pages that collect the required user information. This is sometimes also referred to as WebAuth, and the setup requires further considerations.
The Management Web Interface Port Must Be Changed
HTTP authentication will collide with the Web Interface's remote management service which also
uses TCP port 80 by default. To avoid this problem, the Web Interface port number must be
changed before configuring authentication.
Do this by going to Remote Management > Advanced settings in the Web Interface and changing
Chapter 8. User Authentication
Summary of Contents for NetDefend DFL-1660