Users; The Dfl-1100 Radius Support - D-Link DFL-1100 User Manual

Network security firewall

Hide thumbs Also See for DFL-1100:

Manual (91 pages)

User manual (86 pages)

Installation manual (25 pages)

Table Of Contents

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

page of 144

/ 144
Contents
Table of Contents
Bookmarks

Table of Contents

Users

User Authentication allows an administrator to grant or reject access to specific users from

specific IP addresses, based on their user credentials.

Before any traffic is allowed to pass through any policies configured with username or

groups, the user must first authenticate him/her-self. The DFL-1100 can either verify the user

against a local database or pass along the user information to an external authentication

server, which verifies the user and the given password, and transmits the result back to the

firewall. If the authentication is successful, the DFL-1100 will remember the source IP address

of this user, and any matching policies with usernames or groups configured will be allowed.

Specific policies that deal with user authentication can be defined, thus leaving policies that

do not require user authentication unaffected.

The DFL-1100 supports the RADIUS (Remote Authentication Dial In User Service)

authentication protocol. This protocol is heavily used in many scenarios where user

authentication is required, either by itself or as a front-end to other authentication services.

The DFL-1100 RADIUS Support

The DFL-1100 can use RADIUS to verify users against, for example, Active Directory or

Unix password-file. It is possible to configure up to two servers, if the first one is down it will

try the second IP instead.

The DFL-1100 can use CHAP or PAP when communicating with the RADIUS server.

CHAP (Challenge Handshake Authentication Protocol) does not allow a remote attacker to

extract the user password from an intercepted RADIUS packet. However, the password must

be stored in plaintext on the RADIUS server. PAP (Password Authentication Protocol) may be

defined as the less secure of the two. If a RADIUS packet is intercepted while being

transmitted between the firewall and the RADIUS server, given time, the user password can

be extracted. The advantage to this is that the password does not have to be stored in

plaintext in the RADIUS server.

The DFL-1100 uses a shared secret when connecting to the RADIUS server. The shared

secret enables basic encryption of the user password when the RADIUS-packet is transmitted

from the firewall to the RADIUS server. The shared secret is case sensitive, can contain up to

100 characters, and must be typed exactly the same on both the firewall and the RADIUS

server.

Table of Contents

This manual is also suitable for:

Netdefend dfl-1100

Users; The Dfl-1100 Radius Support - D-Link DFL-1100 User Manual

Users

The DFL-1100 RADIUS Support

Related Manuals for D-Link DFL-1100

Related Content for D-Link DFL-1100

This manual is also suitable for:

Table of Contents