D-Link DFL-260E User Manual page 400

Network security firewall netdefendos version 2.40.00

8.2.8. HTTP Authentication
setting WebUI HTTP Port. Port number 81 could, instead, be used for this setting.
The same is true for HTTPS authentication: the default HTTPS management port number of 443
must also be changed.
HTTP(s) Agent Options
For HTTP and HTTPS authentication there is a set of options in an authentication rule called Agent
Options. These are:
Login Type - This can be one of:

i. HTML form - The user is presented with an HTML page for authentication which is filled
in and the data sent back to NetDefendOS with a POST.

ii. BASIC authentication - This sends a 401 - Authentication Required message back to the
browser which will cause it to use its own inbuilt dialog to ask the user for a
username/password combination. A Realm String can optionally be specified which will
appear in the browser's dialog.
HTML form is recommended over BASICAUTH because, in some cases, the browser
might hold the login data in its cache.

iii. MAC authentication - Authentication is performed for HTTP and HTTPS clients without a
login screen. Instead, the MAC address of the connecting client is used as the username.
The password is the MAC address or a specified string.
MAC authentication is explained further below.

If the Agent is set to HTTPS then the Host Certificate and Root Certificate have to be chosen
from a list of certificates already loaded into NetDefendOS.
MAC Address Authentication with HTTP and HTTPS
As mentioned above, with NetDefendOS it is possible to authenticate an HTTP or HTTPS client
automatically using the MAC address of the connecting client's Ethernet interface. This means that
authentication is based only on the identity of the client hardware.
This is useful if the administrator wants to ensure that access is simple for a particular device and
the user is not going to be required to type in their credentials. The following points should be noted
about this type of authentication:

• The username sent to the authentication source (for example, a RADIUS server) is always the
MAC address of the client (or the MAC address of an intervening router).

• If the client connects to the firewall via a router, it is the MAC address of the router and not the
client that is sent to the gateway. If the router MAC address is to be allowed as a substitute for
the client's MAC address then this must be explicitly enabled with the authentication rule option
Allow clients behind router to connect.
NetDefendOS is able to determine that the client is behind a router by detecting the mismatch
between the source IP address and the router MAC address.

• By default, the password sent to the authentication source (for example, a RADIUS server) is
also the MAC address of the client (or the MAC address of an intervening router). However, the
password to be used can be explicitly specified as the authentication rule property MAC Auth
Secret.

• The MAC address is entered as a text string in the database of the authentication source. This
text string must follow a specific format for the MAC address. The correct format is a series of
Chapter 8. User Authentication
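
The MAC authentication rules listed above, modelled as an added example (this is not NetDefendOS code and not from D-Link). The class, function names and sample values are assumptions, and the MAC text format used is a placeholder because the required format is not shown on this page.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class MacAuthRule:
    """Hypothetical model of the two rule options named in the text."""
    allow_clients_behind_router: bool = False  # "Allow clients behind router to connect"
    mac_auth_secret: Optional[str] = None      # "MAC Auth Secret"

def credentials_sent(rule: MacAuthRule, seen_mac: str,
                     behind_router: bool) -> Optional[Tuple[str, str]]:
    """(username, password) passed to the authentication source, or None if refused.

    seen_mac is the Ethernet source MAC the firewall sees: the client's own
    MAC when directly attached, the router's MAC when a router intervenes.
    """
    if behind_router and not rule.allow_clients_behind_router:
        return None  # router MAC is not accepted unless explicitly enabled
    password = seen_mac if rule.mac_auth_secret is None else rule.mac_auth_secret
    return seen_mac, password

def review(rule: MacAuthRule) -> List[str]:
    """Points an administrator should weigh before enabling the rule."""
    notes = []
    if rule.mac_auth_secret is None:
        notes.append("password equals username (the MAC address)")
    if rule.allow_clients_behind_router:
        notes.append("every host behind a router authenticates as that router")
    return notes

# Constructed sample values; the MAC text format here is a placeholder.
CLIENT_MAC = "00-00-5E-00-53-0A"
ROUTER_MAC = "00-00-5E-00-53-01"

if __name__ == "__main__":
    default = MacAuthRule()
    print(credentials_sent(default, CLIENT_MAC, behind_router=False))
    print(credentials_sent(default, ROUTER_MAC, behind_router=True))
    relaxed = MacAuthRule(allow_clients_behind_router=True,
                          mac_auth_secret="constructed-secret")
    # Two different hosts behind the same router yield identical credentials.
    print(credentials_sent(relaxed, ROUTER_MAC, behind_router=True))
    print(review(relaxed))
```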
