Authentication Rules; Ldap For Ppp With Chap, Ms-Chapv1 Or Ms-Chapv2 - D-Link NetDefend DFL-210 User Manual
Network security firewall ver 2.26.01
Hide thumbs
Also See for NetDefend DFL-210:
- Log reference manual (476 pages) ,
- User manual (469 pages) ,
- Cli reference manual (213 pages)
Table of Contents
Advertisement
8.2.5. Authentication Rules
This ID must be different from the default password attribute (which is usually userPassword
for most LDAP servers). A suggestion is to use the description field in the LDAP database.
•
In order for the server to return the password in the database field with the ID specified, the
LDAP administrator must make sure that the plain text password is found there. LDAP servers
store passwords in encrypted digest form and do not provide automatic mechanisms for doing
this. It must therefore be done manually by the administrator as they add new users and change
existing users passwords.
This clearly involves some effort from the administrator, as well as leaving passwords
dangerously exposed in plain text form on the LDAP server. These are some of the reasons why
LDAP may not be viewed as a viable authentication solution for CHAP, MS-CHAPv1 or
MS-CHAPv2 encrypted PPP.
When NetDefendOS receives the password digest from the client, it initiates a Search Request to the
LDAP server. The server replies with a Search Response which will contains the user's password
and any group memberships. NetDefendOS is then able to compare digests. The diagram below
illustrates this process.
Figure 8.2. LDAP for PPP with CHAP, MS-CHAPv1 or MS-CHAPv2
8.2.5. Authentication Rules
An Authentication Rule should be defined when the user establishing a connection through the
NetDefend Firewall is to be prompted for a username/password login sequence.
Authentication Rules are set up in a way that is similar to other NetDefendOS security policies, by
specifying which traffic is to be subject to the rule. They differ from other policies in that the
destination network/interface is not of interest but only the source network/interface. An
Authentication Rule has the following parameters:
Important: The link to the LDAP server must be protected
Since the LDAP server is sending back passwords in plain text to NetDefendOS, the
link between the NetDefend Firewall and the server must be protected. A VPN link
should be used if the link between the two is not local.
Access to the LDAP server itself must also be restricted as passwords will be stored in
plain text.
326
Chapter 8. User Authentication
Advertisement
Table of Contents
Troubleshooting
