D-Link NetDefendOS User Manual page 654

Network security firewall

By default, a user is authenticated over the same interface that is used for forwarding data
traffic, which is the value set for the Source Interface property above. This can pose a
security risk, and it is recommended to use different interfaces for these two functions. To do
so, set the Override User Data Interface property to the interface used only for data. Usually,
Source Interface and Override User Data Interface will be two different VLANs running over the
physical interface connected to the AP. This is discussed further below.
Routing Table
When the UE is authenticated and it receives an IP address, a route to its IP will be
automatically added to this routing table. Usually, the default main routing table is used.
Remote Server IP
This is the IP address of the RADIUS server that will perform UE authentication.
Remote Server Port
This is the port number of the RADIUS server that will perform UE authentication. The default
value is 1812 which is the standard for RADIUS.
Sending IP
This optional IP address will be used as the sending IP of the request sent to the RADIUS
server. If not set, the IP address of the sending interface will be used. The sending interface is
determined by a route lookup of the RADIUS server's IP address.
Idle Timeout
After this number of seconds without traffic from the authenticated user, the user will be
automatically logged out.
Session Timeout
This is the absolute allowed length of an authenticated user session in seconds. This is
normally set to zero, meaning a session of infinite length.
Use Timeouts Received from Authentication Server
If this property is enabled and the RADIUS server is correctly configured, the Idle Timeout and
Session Timeout properties will take values sent by the RADIUS server.
Separate Authentication and Data Traffic
It is strongly recommended to set the property Override User Data Interface to the interface
used only for the data traffic so that it is different from the interface assigned to the Source
Interface property for the authentication traffic. Typically, they will be set to two different VLAN
interfaces that run over the same physical Ethernet interface, which is connected to the
AP. This will fully separate the authentication data going to the RADIUS server from the data
flowing to the backbone network. Not doing this will pose a security risk.
The following should be noted when using the Override User Data Interface property:
The administrator must ensure that the AP sends authentication traffic and data traffic over the
correct VLANs.
The interface used for the DHCP server object which hands out IP addresses will be the
interface used for the data (the Override User Data Interface) and not the interface used for
authentication (the Source Interface).
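The separation rules above can be checked mechanically against an exported configuration. The following is an added example, not taken from the manual or from NetDefendOS: the property names are the ones on this page, while the dictionary layout, the interface names, the VLAN IDs and the DHCP server records are constructed assumptions.

```python
# Added example: property names come from this page; the data layout,
# interface names and DHCP server records are constructed for illustration.
def audit_radius_relay(relay, dhcp_servers, vlans):
    """Return (severity, message) findings for one RADIUS authentication object.

    relay: dict keyed by property name; dhcp_servers: list of
    {"name", "interface"}; vlans: {vlan_if_name: (physical_if, vlan_id)}.
    """
    findings = []
    src = relay.get("Source Interface")
    data = relay.get("Override User Data Interface")

    if not data or data == src:
        # Default behaviour: authentication and user data share one interface.
        findings.append(("HIGH", f"authentication and data both use {src}"))
        data = src
    elif src in vlans and vlans.get(src) == vlans.get(data):
        # Different object names, but the same VLAN on the same physical port.
        findings.append(("HIGH", f"{src} and {data} are the same VLAN"))

    dhcp_ifaces = {s["interface"] for s in dhcp_servers}
    if data not in dhcp_ifaces:
        msg = f"no DHCP server object uses data interface {data}"
        if src in dhcp_ifaces and src != data:
            msg += f"; one is bound to authentication interface {src}"
        findings.append(("MEDIUM", msg))

    if relay.get("Session Timeout", 0) == 0 and not relay.get(
            "Use Timeouts Received from Authentication Server", False):
        findings.append(("LOW", "Session Timeout is 0 (infinite), server timeouts unused"))
    return findings

# Constructed sample input (not from a real device).
VLANS = {"vlan_auth": ("If1", 10), "vlan_data": ("If1", 20)}
SHARED = {"Source Interface": "vlan_auth", "Session Timeout": 0}
SPLIT = {"Source Interface": "vlan_auth", "Override User Data Interface": "vlan_data",
         "Session Timeout": 0, "Use Timeouts Received from Authentication Server": True}
DHCP = [{"name": "ue_pool", "interface": "vlan_data"}]

if __name__ == "__main__":
    for name, relay in (("shared", SHARED), ("split", SPLIT)):
        for sev, msg in audit_radius_relay(relay, DHCP, VLANS):
            print(name, sev, msg)
```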
654
Chapter 8: User Authentication
