D-Link NetDefendOS User Manual page 613

Network security firewall
available to clients. Authentication of a server is achieved by opening a single connection once
to NetDefendOS as though the server were a client.
The purpose of this is to restrict access to certain networks to a particular group by having IP
rules or policies which will only apply to members of that group. To gain access to a resource
there must be an IP rule or policy that allows it and the client must belong to the same group as
that specified for the Source Network or Destination Network address object.
For an example of setting up user authentication using group membership, see Example 8.4,
"User Authentication Setup for Web Access" which is found later in this section.
PPTP/L2TP Configuration
If a client is connecting to the NetDefend Firewall using PPTP/L2TP then the following three
options can also be specified for the local NetDefendOS user database:
Static Client IP Address
This is the IP address which the client must have if it is to be authenticated. If it is not
specified then the user can have any IP. This option offers extra security for users with fixed IP
addresses.
Network behind user
If a network is specified for this user then when the user connects, a route is automatically
added to the NetDefendOS main routing table. The existence of this added route means that
any traffic destined for the specified network will be correctly routed through the user's
PPTP/L2TP tunnel.
When the connection to the user ends, the route is automatically removed by NetDefendOS.
Caution: Use the network option with care
The administrator should think carefully what the consequences of using this option
will be. For example, setting this option to all-nets will possibly direct all Internet
traffic through the tunnel to this user.
Metric for Networks
If the Network behind user option is specified then this is the metric that will be used with
the route that is automatically added by NetDefendOS. If there are two routes which give a
match for the same network then this metric decides which should be used.
Note: Other authentication sources do not have the PPTP/L2TP option
Specifying an SSH Public Key
With PPTP/L2TP clients, using a key is often an alternative to specifying a username and
password. A private key can be specified for a local database user by selecting a previously
uploaded NetDefendOS SSH Client Key object.
When the user connects, there is an automatic checking of the keys used by the client to verify
their identity. Once verified, there is no need for the user to input their username and password.
Chapter 8: User Authentication