Authentication Rules - D-Link NetDefend DFL-210 User Manual

8.2.4. Authentication Rules

NetDefendOS acts as a RADIUS client, sending user credentials and connection parameter
information as a RADIUS message to a nominated RADIUS server. The server processes the
requests and sends back a RADIUS message to accept or deny them. One or more external servers
can be defined in NetDefendOS.
RADIUS Security
To provide security, a common shared secret is configured on both the RADIUS client and the
server. This secret enables encryption of the messages sent from the RADIUS client to the server
and is commonly configured as a relatively long text string. The string can contain up to 100
characters and is case sensitive.
RADIUS uses PPP to transfer username/password requests between client and RADIUS server, as
well as using PPP authentication schemes such as PAP and CHAP. RADIUS messages are sent as
UDP messages via UDP port 1812.
8.2.4. Authentication Rules
Authentication Rules are set up in a way that is similar to other NetDefendOS security policies, by
specifying which traffic is to be subject to the rule. They differ from other policies in that the
destination network/interface is not of interest but only the source network/interface. An
Authentication Rule has the following parameters:
• Interface - The source interface on which the connections to be authenticated will arrive.
• Source IP - The source network from which these connections will arrive.
• Authentication Source - This specifies that authentication is to be done against a Local
database defined within NetDefendOS or by using a RADIUS server (discussed in detail below).
• Agent - The type of traffic being authenticated. This can one of:
• HTTP or HTTPS - Web connections to be authenticated via a pre-defined or custom web
page (see the detailed HTTP explanation below).
• PPP - L2TP or PPP tunnel authentication.
• XAUTH - IKE authentication which is part of IPsec tunnel establishment.
Connection Timeouts
An Authentication Rule can specify the following timeouts related to a user session:
• Idle Timeout - How long a connection is idle before being automatically terminated (1800
seconds by default).
• Session Timeout - The maximum time that a connection can exist (no value is specified by
default).
If an authentication server is being used then the option to Use timeouts received from the
authentication server can be enabled to have these values set from the server.
Multiple Logins
An Authentication Rule can specify how multiple logins are handled where more than one user from
different source IP addresses try to login with the same username. The possible options are:
• Allow multiple logins so that more than one client can use the same username/password
222
Chapter 8. User Authentication