combination. A Realm String can optionally be specified which will appear in the
browser's dialog.
FORM is recommended over BASICAUTH because in some cases the browser might hold the
login data in its cache.
•
If the Agent is set to HTTPS then the Host Certificate and Root Certificate have to be chosen
from a list of certificates already loaded into NetDefendOS.
Setting Up IP Rules
HTTP authentication cannot operate unless a rule is added to the IP rule set to explicitly allow
authentication to take place. If we consider the example of a number of clients on the local network
lannet who would like access to the public Internet through the wan interface then the IP rule set
would contain the following rules:
#
Action
Src Interface
Src Network
Dest Interface Dest Network
Service
1
Allow
lan
lannet
core
lan_ip
http-all
2
NAT
lan
trusted_users
wan
all-nets
http-all
3
NAT
lan
lannet
wan
all-nets
dns-all
The first rule allows the authentication process to take place and assumes the client is trying to
access the lan_ip IP address, which is the IP address of the interface on the NetDefend Firewall
where the local network connects.
The second rule allows normal surfing activity but we cannot just use lannet as the source network
since the rule would trigger for any unauthenticated client from that network. Instead, the source
network is an administrator defined IP object called trusted_users which is the same network as
lannet but has additionally either the Authentication option No Defined Credentials enabled or has
an Authentication Group assigned to it (which is the same group as that assigned to the users).
The third rule allows DNS lookup of URLs.
Forcing Users to a Login Page
With this setup, when users that are not authenticated try to surf to any IP except lan_ip they will
fall through the rules and their packets will be dropped. To always have these users come to the
authentication page we must add a SAT rule and its associated Allow rule. The rule set will now look
like this:
#
Action
Src Interface
Src Network
Dest Interface Dest Network
Service
1
Allow
lan
lannet
core
lan_ip
http-all
2
NAT
lan
trusted_users
wan
all-nets
http-all
3
NAT
lan
lannet
wan
all-nets
dns-all
4
SAT
lan
lannet
wan
all-nets
all-to-one
127.0.0.1
http-all
5
Allow
lan
lannet
wan
all-nets
http-all
The SAT rule catches all unauthenticated requests and must be set up with an all-to-one address
mapping that directs them to the address 127.0.0.1 which corresponds to core (NetDefendOS itself).
8.2.8. HTTP Authentication
Chapter 8. User Authentication
376
Содержание DFL-1600 - Security Appliance
Страница 27: ...1 3 NetDefendOS State Engine Packet Flow Chapter 1 NetDefendOS Overview 27 ...
Страница 79: ...2 7 3 Restore to Factory Defaults Chapter 2 Management and Maintenance 79 ...
Страница 146: ...3 9 DNS Chapter 3 Fundamentals 146 ...
Страница 227: ...4 7 5 Advanced Settings for Transparent Mode Chapter 4 Routing 227 ...
Страница 241: ...5 4 IP Pools Chapter 5 DHCP Services 241 ...
Страница 339: ...6 7 Blacklisting Hosts and Networks Chapter 6 Security Mechanisms 339 ...
Страница 360: ...7 4 7 SAT and FwdFast Rules Chapter 7 Address Translation 360 ...
Страница 382: ...8 3 Customizing HTML Pages Chapter 8 User Authentication 382 ...
Страница 386: ... The TLS ALG 9 1 5 The TLS Alternative for VPN Chapter 9 VPN 386 ...
Страница 439: ...Figure 9 3 PPTP Client Usage 9 5 4 PPTP L2TP Clients Chapter 9 VPN 439 ...
Страница 450: ...9 7 6 Specific Symptoms Chapter 9 VPN 450 ...
Страница 488: ...10 4 6 Setting Up SLB_SAT Rules Chapter 10 Traffic Management 488 ...
Страница 503: ...11 6 HA Advanced Settings Chapter 11 High Availability 503 ...
Страница 510: ...12 3 5 Limitations Chapter 12 ZoneDefense 510 ...
Страница 533: ...13 9 Miscellaneous Settings Chapter 13 Advanced Settings 533 ...