8.3. ARP Authentication
ARP authentication (sometimes referred to as MAC authentication) is authentication based on the MAC address of a connecting client's Ethernet interface. It is useful where the administrator wants access for a particular device to be simple, so that the user is not required to type in any credentials. NetDefendOS sends the MAC address of the connecting client to a RADIUS or LDAP server, which looks the address up in its database and tells NetDefendOS whether the client is authenticated or not. (Using a local database with ARP authentication is not supported.)

Because the MAC address travels in the clear and can be changed on most operating systems, this method identifies a device rather than proving who is using it; it is best reserved for network segments where the connecting devices are physically under the administrator's control.
ARP authentication can be configured in one of two ways:

• For HTTP or HTTPS traffic only

In an authentication rule with the Authentication agent set to HTTP or HTTPS, set the Login type under Agent Options to MAC authentication.

• For any type of traffic using ARP Cache

Set the User Agent of the authentication rule to ARPCache and set the Authentication Source to RADIUS or LDAP.

Unlike the previous method, this can be used for any traffic, but it has the disadvantage of requiring further configuration steps, which are explained next.
Note that if the Authentication Source is set to Allow, all users will be automatically authenticated without reference to a database. The only advantage of doing this is that the administrator can easily see a list of logged-in users by going to Status > Run-time Information > User Authentication in the Web Interface.
Other Steps with the ARP Cache Method

When using the ARP Cache method, there are some other configuration steps that the administrator must take so that the NetDefendOS ARP cache contains the data needed for successful authentication:

• There must be a second IP rule, below the Allow or NAT IP rule, that has the action Reject. This ensures that clients that are not yet authenticated will still have their MAC addresses placed into the ARP cache. If the second rule is not present, authentication will not work.

• The time between ARP cache refreshes should be adjusted downwards so that, should a connection be broken (for instance by an idle timeout), the cache is updated within a reasonable time. This is done by reducing the ARP advanced setting ARP expire.

If a connection idle timeout occurs, the affected client will not be able to log in again until the cache is updated. An acceptable value for the ARP expire setting needs to be determined based on the size of the network; a large network may need a higher value. The ARP expire setting must be lower than the connection timeout setting.
Sending the MAC Address to a Server

In both of the above methods of ARP authentication, NetDefendOS uses a RADIUS or LDAP server to authenticate the client. NetDefendOS always sends the MAC address itself as the username when communicating with the server.

By default, the password sent to the server is also the client's MAC address. However, this can be changed to a specific password by setting the MAC Auth Secret property of the authentication rule object.
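The RADIUS exchange the two paragraphs above describe, as an added example in Python that is not NetDefendOS code and not part of this manual: the firewall side builds an Access-Request whose User-Name is the client's MAC address and whose User-Password is either the MAC again (the default) or the configured MAC Auth Secret; the server side reveals the PAP-hidden password, compares it with its MAC database and answers with Access-Accept or Access-Reject. The password hiding and the Response Authenticator follow RFC 2865. The attribute set, the colon-separated lower-case MAC string, the shared secret, the sample MAC and the database layout are all assumptions made for the example, not documented NetDefendOS behaviour.

```python
"""Simulated RADIUS MAC authentication: firewall (client) and server in-process.

Added illustration, not NetDefendOS or D-Link code. Everything below the RFC 2865
packet rules (MAC string format, attribute set, database shape) is assumed.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16 (minimum 16), then XOR each
    16-byte chunk with MD5(secret + previous ciphertext chunk), seeded with
    the Request Authenticator."""
    padded = password.ljust(((len(password) + 15) // 16) * 16 or 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        chunk = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += chunk
        prev = chunk
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; the key chain uses the ciphertext chunks."""
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        plain += bytes(a ^ b for a, b in zip(chunk, key))
        prev = chunk
    return plain.rstrip(b"\x00")


def _attrs(pairs) -> bytes:
    # Each attribute is Type(1) Length(1, includes header) Value.
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in pairs)


def build_access_request(mac: str, secret: bytes, mac_auth_secret=None, ident: int = 0) -> bytes:
    """Firewall side. User-Name is always the MAC address; User-Password is the
    MAC address too unless a MAC Auth Secret has been configured (assumed model
    of the behaviour described in the manual)."""
    authenticator = os.urandom(16)  # Request Authenticator, random per request
    password = (mac_auth_secret if mac_auth_secret is not None else mac).encode()
    body = _attrs([(ATTR_USER_NAME, mac.encode()),
                   (ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body


def parse_attrs(data: bytes) -> dict:
    """Walk the attribute list; a length below 2 would loop forever, so reject it."""
    attrs, i = {}, 0
    while i < len(data):
        t, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2:
            raise ValueError("malformed RADIUS attribute")
        attrs[t] = data[i + 2:i + length]
        i += length
    return attrs


def radius_server(request: bytes, secret: bytes, mac_db: dict) -> bytes:
    """Server side. mac_db maps MAC address (User-Name) -> expected password,
    i.e. either the MAC itself or the configured MAC Auth Secret. Returns an
    Access-Accept or Access-Reject carrying a valid Response Authenticator."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth = request[4:20]
    attrs = parse_attrs(request[20:length])
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, req_auth)
    ok = (code == ACCESS_REQUEST and user in mac_db
          and hmac.compare_digest(mac_db[user].encode(), password))
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + req_auth + secret).digest()


def authenticate(mac: str, secret: bytes, mac_db: dict, mac_auth_secret=None) -> bool:
    """Run one full exchange and report whether the server accepted the client."""
    reply = radius_server(build_access_request(mac, secret, mac_auth_secret), secret, mac_db)
    return reply[0] == ACCESS_ACCEPT


if __name__ == "__main__":
    secret = b"radius-shared-secret"          # constructed sample shared secret
    mac = "00:90:12:13:14:15"                 # constructed sample client MAC
    print("default (MAC as password):", authenticate(mac, secret, {mac: mac}))
    print("MAC Auth Secret configured:",
          authenticate(mac, secret, {mac: "dlink-mac-secret"}, mac_auth_secret="dlink-mac-secret"))
    print("secret mismatch:", authenticate(mac, secret, {mac: "dlink-mac-secret"}))
    print("unknown MAC:", authenticate("00:90:12:13:14:16", secret, {mac: mac}))
```

The secret-mismatch case is the one to remember when configuring a real server: if a MAC Auth Secret is set on the authentication rule, the RADIUS or LDAP entry for each MAC address must carry that same value as its password, otherwise every client is rejected even though its MAC address is in the database.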
Chapter 8: User Authentication
633