Authentication Setup; Setup Summary; The Local Database; External Radius Servers - D-Link NetDefend DFL-210 User Manual

Network security firewall ver 2.26.01

8.2. Authentication Setup

8.2.1. Setup Summary

The following list summarizes the steps for User Authentication setup with NetDefendOS:
• Set up a database of users, each with a username/password combination. This can exist locally in
  a NetDefendOS User DB object or remotely on a RADIUS server, and it will be designated as the
  Authentication Source. Membership of an Authentication Group can optionally be specified for
  each user.
• Define an Authentication Rule which describes which traffic is to be authenticated and which
  Authentication Source will be used. These are described further in Section 8.2.5,
  "Authentication Rules".
• If required, define an IP object for the IP addresses of the clients that will be authenticated. This
  can be associated directly with an authentication rule as the originator IP or can be associated
  with an Authentication Group.
• Set up IP rules to allow the authentication to take place and also to allow access to resources by
  the clients belonging to the IP object set up in the previous step.
The following sections describe the components of these steps in detail.
Authentication Sources
The database that an Authentication Rule uses to check a user's username/password combination can
be one of the following types:
• The local user database internal to NetDefendOS.
• A RADIUS server which is external to the NetDefend Firewall.
• An LDAP Server which is also external to the NetDefend Firewall.

8.2.2. The Local Database

The Local User Database is a built-in registry inside NetDefendOS which contains the profiles of
authorized users and user groups. Usernames and passwords can be entered into this database, and
users with the same privileges can be collected together into groups to make administration easier.
There are two default user groups, the administrators group and the auditors group. Users that are
members of the administrators group are allowed to change the NetDefendOS configuration, while
users that belong to the auditors group are only allowed to view the configuration. Press the buttons
under the Groups edit box to grant these group memberships to a user.

8.2.3. External RADIUS Servers

Reasons for External Servers
In a larger network topology with a larger administration workload, it is often preferable to have a
central authentication database on a dedicated server. When there is more than one NetDefend
Firewall in the network and thousands of users, maintaining separate authentication databases on
each device becomes problematic. Instead, an external authentication server can validate
username/password combinations by responding to requests from NetDefendOS. To provide this,
NetDefendOS supports the Remote Authentication Dial-in User Service (RADIUS) protocol.
Chapter 8. User Authentication
