External Radius Servers; External Ldap Servers - D-Link DFL-1660 User Manual

8.2.3. External RADIUS Servers

NetDefendOS SSH Client Key object.
When the user connects, there is an automatic checking of the keys used by the client to verify their
identity. Once verified, there is no need for the user to input their username and password.
To make use of this feature, the relevant SSH Client Key object or objects must first be defined
separately in NetDefendOS. Client keys are found as an object type within Authentication Objects in
the Web Interface. Definition requires the uploading of the public key file for the key pair used by
the client.
8.2.3. External RADIUS Servers
Reasons for Using External Servers
In a larger network topology with a larger administration workload, it is often preferable to have a
central authentication database on a dedicated server. When there is more than one NetDefend
Firewall in the network and thousands of users, maintaining separate authentication databases on
each device becomes problematic. Instead, an external authentication server can validate
username/password combinations by responding to requests from NetDefendOS. To provide this,
NetDefendOS supports the Remote Authentication Dial-in User Service (RADIUS) protocol.
RADIUS Usage with NetDefendOS
NetDefendOS can act as a RADIUS client, sending user credentials and connection parameter
information as a RADIUS message to a designated RADIUS server. The server processes the
requests and sends back a RADIUS message to accept or deny them. One or more external servers
can be defined in NetDefendOS.
RADIUS Security
To provide security, a common shared secret is configured on both the RADIUS client and the
server. This secret enables encryption of the messages sent from the RADIUS client to the server
and is commonly configured as a relatively long text string. The string can contain up to 100
characters and is case sensitive.
RADIUS uses PPP to transfer username/password requests between client and RADIUS server, as
well as using PPP authentication schemes such as PAP and CHAP. RADIUS messages are sent as
UDP messages via UDP port 1812.
Support for Groups
RADIUS authentication supports the specification of groups for a user. This means that a user can
also be specified as being in the administrators or auditors group.
The RADIUS Vendor ID
When configuring the RADIUS server itself to communicate with NetDefendOS, it is necessary to
enter a value for the Vendor ID (vid). This value should be specified as 5089.

8.2.4. External LDAP Servers

Lightweight Directory Access Protocol (LDAP) servers can also be used with NetDefendOS as an
authentication source. This is implemented by the NetDefend Firewall acting as a client to one or
more LDAP servers. Multiple servers can be configured to provide redundancy if any servers
become unreachable.
395
Chapter 8. User Authentication