iii.
The user's IP.
•
The user's IP address is now authenticated to NetDefendOS and connections coming from
that IP are permitted through the firewall if an
IP Rule
or
IP Policy
is defined to allow it.
•
A client attempts to open a connection through NetDefendOS.
•
A NetDefendOS
IP Rule
or
IP Policy
object is triggered that could allow this connection.
•
The source network address object for the triggered rule or policy has an associated
authentication list of allowed usernames and groups. If the client is part of this list, the
connection can be established.
The
IP Rule
or
IP Policy
object that is created for authentication has the dual purpose of
identifying and allowing the connection as well as triggering the authentication process. NAT
could also be a function included in the rule or policy.
Setting Up Identity Awareness
To set up identity awareness, the following steps are required:
•
Install and configure the
Identity Awareness Agent
(IDA) software on one or more domain
servers. The servers can be either a domain controller or a domain member. The IDA software
is described in more detail at the end of this section. Installation on a single server is sufficient
but installation on multiple servers will provide redundancy.
•
Configure an
Authentication Agent
object in NetDefendOS which has
IP Address
and
Pre-shared Key
properties that correspond to the ones used by the agents installed on the
domain servers. A separate
Authentication Agent
object should be created for each server in
the domain which has the IDA software installed.
If the
Pre-shared Key
property is not specified, this defaults to the value of the predefined
PSK
object
auth_agent_psk
. This is also the default key value used by the D-Link
Identity
Awareness Agent
. However, the default key is the same across all NetDefendOS systems and
should be used for testing purposes only.
An IP rule or IP policy is not needed in NetDefendOS to allow the traffic coming from the
agent.
•
Configure an address book
IP4 Address
object that defines the IP address, IP range or network
from which authenticating clients will come.
Important: In the
Authentication
property of this address object, specify the usernames
and/or groups which are allowed to create connections. Usernames must be specified in the
format
username@domain
. For example,
. If this format with the @
symbol is not used and a simple string is used, for example
myusername
, then this will be
treated as a group.
•
Specify an
IP Rule
or
IP Policy
object in the NetDefendOS configuration that triggers on the
client connections to be authenticated and allows them to be opened. The source network
for this rule or policy must be the IPv4 address object specified in the previous step.
It is the triggering of this rule or policy that triggers the authentication process.
Example 8.7. Enabling User Identity Awareness
This example assumes that there are external clients on a network
client_net
connected to the
If1
Chapter 8: User Authentication
642
Содержание NetDefendOS
Страница 30: ...Figure 1 3 Packet Flow Schematic Part III Chapter 1 NetDefendOS Overview 30 ...
Страница 32: ...Chapter 1 NetDefendOS Overview 32 ...
Страница 144: ...Chapter 2 Management and Maintenance 144 ...
Страница 220: ... Enable DHCP passthrough Enable L2 passthrough for non IP protocols 4 Click OK Chapter 3 Fundamentals 220 ...
Страница 267: ... SourceNetwork lannet DestinationInterface any DestinationNetwork all nets 4 Click OK Chapter 3 Fundamentals 267 ...
Страница 284: ...Chapter 3 Fundamentals 284 ...
Страница 360: ...The ospf command options are fully described in the separate NetDefendOS CLI Reference Guide Chapter 4 Routing 360 ...
Страница 392: ...Chapter 4 Routing 392 ...
Страница 396: ...Web Interface 1 Go to Network Ethernet If1 2 Select Enable DHCP 3 Click OK Chapter 5 DHCP Services 396 ...
Страница 419: ... Host 2001 DB8 1 MAC 00 90 12 13 14 15 5 Click OK Chapter 5 DHCP Services 419 ...
Страница 420: ...Chapter 5 DHCP Services 420 ...
Страница 424: ...2 Now enter Name lan_Access Action Expect Interface lan Network lannet 3 Click OK Chapter 6 Security Mechanisms 424 ...
Страница 573: ...Chapter 6 Security Mechanisms 573 ...
Страница 575: ...This section describes and provides examples of configuring NAT and SAT rules Chapter 7 Address Translation 575 ...
Страница 607: ...Chapter 7 Address Translation 607 ...
Страница 666: ...Chapter 8 User Authentication 666 ...
Страница 775: ...Chapter 9 VPN 775 ...
Страница 819: ...Chapter 10 Traffic Management 819 ...
Страница 842: ...Chapter 11 High Availability 842 ...
Страница 866: ...Default Enabled Chapter 13 Advanced Settings 866 ...
Страница 879: ...Chapter 13 Advanced Settings 879 ...