To make use of this feature, the relevant
SSH Client Key
object or objects must first be defined
separately in NetDefendOS. Client keys are found as an object type within
Key Ring
in the Web
Interface. Definition requires the uploading of the public key file for the key pair used by the
client.
8.2.3. External RADIUS Servers
Reasons for Using External Servers
In a larger network topology with a larger administration workload, it is often preferable to have
a central authentication database on a dedicated server. When there is more than one
NetDefend Firewall in the network and thousands of users, maintaining separate authentication
databases on each device becomes problematic. Instead, an external authentication server can
validate username/password combinations by responding to requests from NetDefendOS. To
provide this, NetDefendOS supports the
Remote Authentication Dial-in User Service
(RADIUS)
protocol.
RADIUS Usage with NetDefendOS
NetDefendOS can act as a RADIUS client, sending user credentials and connection parameter
information as a RADIUS message to a designated RADIUS server. The server processes the
requests and sends back a RADIUS message to accept or deny them. One or more external
servers can be defined in NetDefendOS.
RADIUS Security
To provide security, a common
shared secret
is configured on both the RADIUS client and the
server. This secret enables encryption of the messages sent from the RADIUS client to the server
and is commonly configured as a relatively long text string. The string can contain up to 100
characters and is case sensitive.
RADIUS uses PPP to transfer username/password requests between client and RADIUS server, as
well as using PPP authentication schemes such as PAP and CHAP. RADIUS messages are sent as
UDP messages via UDP port
1812
.
The Primary Retry Interval
The
Primary Retry Interval
property for an
Authentication Interval
object, specifies the behavior
after the primary RADIUS server is unresponsive and a secondary server is used instead. If the
Primary Retry Interval
is set to zero, the selected secondary server will continue to be used even
through the primary server may become available later.
If set, the
Primary Retry Interval
property specifies the number of seconds to wait before
NetDefendOS tries to reach the primary server again. These retries will continue indefinitely. If
the primary server becomes available, NetDefendOS will immediately switch back to it from the
secondary.
Setting the Source IP
By default, the
Source IP
property will be set to
Automatic
and the IP address of the firewall's
sending interface will be used as the source address for traffic sent to the RADIUS server. If this
property is set to
Manual
, a specific source IP address can be used for traffic sent to the server.
If the source IP address is specified, the administrator must also manually configure
NetDefendOS to ARP publish the IP address on the sending interface. Doing this is described in
Chapter 8: User Authentication
614
Содержание NetDefendOS
Страница 30: ...Figure 1 3 Packet Flow Schematic Part III Chapter 1 NetDefendOS Overview 30 ...
Страница 32: ...Chapter 1 NetDefendOS Overview 32 ...
Страница 144: ...Chapter 2 Management and Maintenance 144 ...
Страница 220: ... Enable DHCP passthrough Enable L2 passthrough for non IP protocols 4 Click OK Chapter 3 Fundamentals 220 ...
Страница 267: ... SourceNetwork lannet DestinationInterface any DestinationNetwork all nets 4 Click OK Chapter 3 Fundamentals 267 ...
Страница 284: ...Chapter 3 Fundamentals 284 ...
Страница 360: ...The ospf command options are fully described in the separate NetDefendOS CLI Reference Guide Chapter 4 Routing 360 ...
Страница 392: ...Chapter 4 Routing 392 ...
Страница 396: ...Web Interface 1 Go to Network Ethernet If1 2 Select Enable DHCP 3 Click OK Chapter 5 DHCP Services 396 ...
Страница 419: ... Host 2001 DB8 1 MAC 00 90 12 13 14 15 5 Click OK Chapter 5 DHCP Services 419 ...
Страница 420: ...Chapter 5 DHCP Services 420 ...
Страница 424: ...2 Now enter Name lan_Access Action Expect Interface lan Network lannet 3 Click OK Chapter 6 Security Mechanisms 424 ...
Страница 573: ...Chapter 6 Security Mechanisms 573 ...
Страница 575: ...This section describes and provides examples of configuring NAT and SAT rules Chapter 7 Address Translation 575 ...
Страница 607: ...Chapter 7 Address Translation 607 ...
Страница 666: ...Chapter 8 User Authentication 666 ...
Страница 775: ...Chapter 9 VPN 775 ...
Страница 819: ...Chapter 10 Traffic Management 819 ...
Страница 842: ...Chapter 11 High Availability 842 ...
Страница 866: ...Default Enabled Chapter 13 Advanced Settings 866 ...
Страница 879: ...Chapter 13 Advanced Settings 879 ...