D-Link NetDefendOS User Manual page 628

Network security firewall
i. HTML form - The user is presented with an HTML page for authentication which is filled in and the data sent back to NetDefendOS with a POST.

ii. BASIC authentication - This sends a 401 - Authentication Required message back to the browser which will cause it to use its own inbuilt dialog to ask the user for a username/password combination. A Realm String can optionally be specified which will appear in the browser's dialog.

HTML form is recommended over BASICAUTH because, in some cases, the browser might hold the login data in its cache.

iii. MAC authentication - Authentication is performed for HTTP and HTTPS clients without a login screen. Instead, the MAC address of the connecting client is used as the username. The password is the MAC address or a specified string.

MAC authentication is explained further in Section 8.3, "ARP Authentication".
If the Agent is set to HTTPS then the Host Certificate and Root Certificate(s) have to be
chosen from a list of certificates already loaded into NetDefendOS. Certificate chaining is
supported for the root certificate.
IP Rules are Needed
HTTP authentication cannot operate unless a rule is added to the IP rule set to explicitly allow
authentication to take place. This is also true with HTTPS.
If we consider the example of a number of clients on the local network lannet who would like
access to the public Internet through the wan interface then the IP rule set would contain the
following rules:
#  Action  Src Interface  Src Network    Dest Interface  Dest Network  Service
1  Allow   lan            lannet         core            lan_ip        http-all
2  NAT     lan            trusted_users  wan             all-nets      http-all
3  NAT     lan            lannet         wan             all-nets      dns-all
The first rule allows the authentication process to take place and assumes the client is trying to
access the lan_ip IP address, which is the IP address of the interface on the NetDefend Firewall
where the local network connects.
The second rule allows normal web surfing, but lannet cannot be used as the source network since the rule would then also trigger for unauthenticated clients on that network. Instead, the source network is an administrator-defined IP object called trusted_users, which covers the same address range as lannet but additionally either has the Authentication option No Defined Credentials enabled or has an Authentication Group assigned to it (the same group as that assigned to the users).
The third rule allows DNS lookup of URLs.
Note
Do not modify the default http-all service in the IP rules above. This can cause
authentication to fail.
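The following Python model is an added illustration, not NetDefendOS code, of why the three rules are ordered and scoped as they are. It evaluates the rule set top-down with first-match semantics and treats trusted_users as lannet plus a requirement that the source address has an active login in a given group (the group name "users", the address values and the client address are constructed for this example). It also evaluates a deliberately wrong variant in which rule 2 uses lannet instead of trusted_users, so the effect of that mistake can be seen directly.

```python
"""Model of first-match IP rule evaluation with an authenticated source object.

Added example; not part of the NetDefendOS manual. All addresses are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional

# Constructed address book: the manual names the objects but not their values.
LANNET = ip_network("192.168.1.0/24")
LAN_IP = ip_address("192.168.1.1")


@dataclass(frozen=True)
class NetObject:
    """An IP address object; auth_group models the Authentication Group attribute."""
    network: IPv4Network
    auth_group: Optional[str] = None  # None: matches any client, logged in or not


lannet = NetObject(LANNET)
lan_ip = NetObject(ip_network(f"{LAN_IP}/32"))
all_nets = NetObject(ip_network("0.0.0.0/0"))
# trusted_users: same range as lannet, but only clients whose login belongs to
# the group "users" (assumed group name) match it.
trusted_users = NetObject(LANNET, auth_group="users")


@dataclass(frozen=True)
class Rule:
    number: int
    action: str
    src_if: str
    src_net: NetObject
    dst_if: str
    dst_net: NetObject
    service: str


# The three rules from the manual's table.
RULES = (
    Rule(1, "Allow", "lan", lannet, "core", lan_ip, "http-all"),
    Rule(2, "NAT", "lan", trusted_users, "wan", all_nets, "http-all"),
    Rule(3, "NAT", "lan", lannet, "wan", all_nets, "dns-all"),
)

# Wrong variant: rule 2 uses lannet, so authentication is never required.
RULES_WRONG = (RULES[0], Rule(2, "NAT", "lan", lannet, "wan", all_nets, "http-all"), RULES[2])


@dataclass(frozen=True)
class Packet:
    src_if: str
    src_ip: IPv4Address
    dst_if: str              # "core" when the destination is the firewall itself
    dst_ip: IPv4Address
    service: str             # already classified, e.g. "http-all" or "dns-all"
    auth_groups: frozenset = frozenset()  # groups of the user logged in from src_ip


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.src_if != pkt.src_if or rule.dst_if != pkt.dst_if:
        return False
    if pkt.src_ip not in rule.src_net.network or pkt.dst_ip not in rule.dst_net.network:
        return False
    if rule.service != pkt.service:
        return False
    # An authenticated object matches only if the source address has an active
    # login whose user is a member of the required group.
    need = rule.src_net.auth_group
    return need is None or need in pkt.auth_groups


def evaluate(rules, pkt: Packet):
    """First-match evaluation; no matching rule means the default drop."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.number, rule.action
    return None, "Drop"


def client_packet(dst_if: str, dst_ip: str, service: str, groups=()) -> Packet:
    """A packet from a constructed lannet client, 192.168.1.50."""
    return Packet("lan", ip_address("192.168.1.50"), dst_if, ip_address(dst_ip),
                  service, frozenset(groups))


def demo() -> dict:
    login = client_packet("core", "192.168.1.1", "http-all")
    surf = client_packet("wan", "203.0.113.10", "http-all")
    dns = client_packet("wan", "203.0.113.53", "dns-all")
    surf_auth = client_packet("wan", "203.0.113.10", "http-all", groups=["users"])
    return {
        "unauthenticated, login page on lan_ip": evaluate(RULES, login),     # (1, 'Allow')
        "unauthenticated, web via wan": evaluate(RULES, surf),                # (None, 'Drop')
        "unauthenticated, DNS via wan": evaluate(RULES, dns),                 # (3, 'NAT')
        "authenticated, web via wan": evaluate(RULES, surf_auth),             # (2, 'NAT')
        "wrong rule set, unauthenticated web": evaluate(RULES_WRONG, surf),   # (2, 'NAT')
    }


if __name__ == "__main__":
    for case, (number, action) in demo().items():
        print(f"{case:40s} -> rule {number}, {action}")
```

The unauthenticated client can reach only the login page on lan_ip (rule 1) and DNS (rule 3); its web traffic falls through every rule and is dropped until a login in the required group exists, after which rule 2 matches. In the wrong variant the same unauthenticated client is NATed out by rule 2 immediately, which is exactly the failure the manual warns about when lannet is used as the source network.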
Forcing Users to a Login Page
Chapter 8: User Authentication
