Maximum number of certificates/CRLs that can be held in the internal certificate cache. When the
certificate cache is full, entries will be removed according to an LRU (Least Recently Used)
algorithm.
Default:
1024
IPsec Gateway Name Cache Time
Length of time in milliseconds to keep an IPsec tunnel open when the remote DNS name fails to
resolve.
Default:
14400
General Settings (IKEv2 only)
Enable Accounting
When enabled, NetDefendOS will generate a RADIUS
START
accounting message for clients
which successfully authenticate using EAP. When the connection is taken down, a RADIUS
STOP
message is sent.
Default:
Disabled
Include Framed IP
When enabled, NetDefendOS will include the client's IP address within the RADIUS accounting
messages generated.
Note that when an EAP authenticating client is behind a NAT device that changes the client's
apparent IP address, it will not be possible to send the true IP address to the RADIUS server.
Default:
Disabled
XCBC Fallback
When enabled, NetDefendOS will fallback to using XCBC (RFC 3664) if XCBC (RFC 4344) fails
during EAP authentication.
AES-XCBC-MAC is a method of generating the message authentication code (MAC) used in IKEv2
negotiations. RFC 3664 states that only key lengths of 128 bits are supported for AES-XCBC-MAC.
This is a problem with EAP since EAP authentication uses session keys of at least 512 bits. To
solve this, using only the first 128 bits of a 512 bits EAP key has become a de-facto standard for
RFC 3664.
RFC 4434 supersedes RFC 3664 and specifies a different method of adapting keys longer than
128 bits. Although RFC 4434 should theoretically be backward compatible with RFC 3664, these
different methods of adapting the key to 128 bits are not compatible in practice. This advanced
setting provides a way to fallback to using the older RFC 3664 method should authentication
using RFC 4434 fail.
If the setting is disabled then only the newer method of RFC 4434 is used and if that method fails
then authentication will fail. The disadvantage of having this setting enabled is the greater
amount of computing time needed to try both the RFC 4434 and RFC 3664 method.
Chapter 9: VPN
725
Содержание NetDefendOS
Страница 30: ...Figure 1 3 Packet Flow Schematic Part III Chapter 1 NetDefendOS Overview 30 ...
Страница 32: ...Chapter 1 NetDefendOS Overview 32 ...
Страница 144: ...Chapter 2 Management and Maintenance 144 ...
Страница 220: ... Enable DHCP passthrough Enable L2 passthrough for non IP protocols 4 Click OK Chapter 3 Fundamentals 220 ...
Страница 267: ... SourceNetwork lannet DestinationInterface any DestinationNetwork all nets 4 Click OK Chapter 3 Fundamentals 267 ...
Страница 284: ...Chapter 3 Fundamentals 284 ...
Страница 360: ...The ospf command options are fully described in the separate NetDefendOS CLI Reference Guide Chapter 4 Routing 360 ...
Страница 392: ...Chapter 4 Routing 392 ...
Страница 396: ...Web Interface 1 Go to Network Ethernet If1 2 Select Enable DHCP 3 Click OK Chapter 5 DHCP Services 396 ...
Страница 419: ... Host 2001 DB8 1 MAC 00 90 12 13 14 15 5 Click OK Chapter 5 DHCP Services 419 ...
Страница 420: ...Chapter 5 DHCP Services 420 ...
Страница 424: ...2 Now enter Name lan_Access Action Expect Interface lan Network lannet 3 Click OK Chapter 6 Security Mechanisms 424 ...
Страница 573: ...Chapter 6 Security Mechanisms 573 ...
Страница 575: ...This section describes and provides examples of configuring NAT and SAT rules Chapter 7 Address Translation 575 ...
Страница 607: ...Chapter 7 Address Translation 607 ...
Страница 666: ...Chapter 8 User Authentication 666 ...
Страница 775: ...Chapter 9 VPN 775 ...
Страница 819: ...Chapter 10 Traffic Management 819 ...
Страница 842: ...Chapter 11 High Availability 842 ...
Страница 866: ...Default Enabled Chapter 13 Advanced Settings 866 ...
Страница 879: ...Chapter 13 Advanced Settings 879 ...