A further option, Disallow, can be used so that a negative rule can be created which says "never
authenticate given these conditions". This option might be used, for instance, to never
authenticate connections coming in on a particular interface. These Disallow rules are usually
best located at the end of the authentication rule set.
•
Agent
The type of traffic being authenticated. This can one of:
•
HTTP or HTTPS - Web connections to be authenticated via a pre-defined or custom web
page (see the detailed HTTP explanation below).
•
PPP - L2TP or PPTP authentication.
•
XAUTH - IKE authentication which is part of IPsec tunnel establishment.
The XAuth Agent
XAuth is an extension to the normal IKE exchange and provides an addition to normal IPsec security
which means that clients accessing a VPN must provide a login username and password.
It should be noted that an interface value is not entered with an XAuth authentication rule since one
single rule with XAuth as the agent will be used for all IPsec tunnels. The only limitation with this
approach is that a single authentication database must be used for all IPsec tunnels.
Connection Timeouts
An Authentication Rule can specify the following timeouts related to a user session:
•
Idle Timeout
How long a connection is idle before being automatically terminated (1800 seconds by default).
•
Session Timeout
The maximum time that a connection can exist (no value is specified by default).
If an authentication server is being used then the option to Use timeouts received from the
authentication server can be enabled to have these values set from the server.
Multiple Logins
An Authentication Rule can specify how multiple logins are handled where more than one user from
different source IP addresses try to login with the same username. The possible options are:
•
Allow multiple logins so that more than one client can use the same username/password
combination.
•
Allow only one login per username.
•
Allow one login per username and logout an existing user with the same name if they have been
idle for a specific length of time when the new login occurs.
8.2.6. Authentication Processing
The list below describes the processing flow through NetDefendOS for username/password
8.2.6. Authentication Processing
Chapter 8. User Authentication
310
Содержание 800 - DFL 800 - Security Appliance
Страница 24: ...1 3 NetDefendOS State Engine Packet Flow Chapter 1 NetDefendOS Overview 24 ...
Страница 69: ...2 6 4 Restore to Factory Defaults Chapter 2 Management and Maintenance 69 ...
Страница 121: ...3 9 DNS Chapter 3 Fundamentals 121 ...
Страница 166: ...interfaces without an overriding IGMP Setting Default 1 000 4 6 4 Advanced IGMP Settings Chapter 4 Routing 166 ...
Страница 181: ...4 7 5 Advanced Settings for Transparent Mode Chapter 4 Routing 181 ...
Страница 192: ...5 5 IP Pools Chapter 5 DHCP Services 192 ...
Страница 282: ...6 7 Blacklisting Hosts and Networks Chapter 6 Security Mechanisms 282 ...
Страница 300: ...mechanism 7 3 7 SAT and FwdFast Rules Chapter 7 Address Translation 300 ...
Страница 301: ...7 3 7 SAT and FwdFast Rules Chapter 7 Address Translation 301 ...
Страница 303: ... Changed on a regular basis such as every three months 8 1 Overview Chapter 8 User Authentication 303 ...
Страница 318: ...8 3 Customizing HTML Pages Chapter 8 User Authentication 318 ...
Страница 322: ...ALG 9 1 5 The TLS Alternative for VPN Chapter 9 VPN 322 ...
Страница 377: ...Management Interface Failure with VPN Chapter 9 VPN 377 ...
Страница 408: ...10 4 6 SLB_SAT Rules Chapter 10 Traffic Management 408 ...
Страница 419: ...11 5 HA Advanced Settings Chapter 11 High Availability 419 ...
Страница 426: ...12 3 5 Limitations Chapter 12 ZoneDefense 426 ...
Страница 449: ...13 9 Miscellaneous Settings Chapter 13 Advanced Settings 449 ...