Normal Ldap Authentication - D-Link NetDefend DFL-210 User Manual

8.2.4. External LDAP Servers
Chapter 8. User Authentication
gw-world:/> show LDAPDatabase
LDAP Authentication and PPP
When using a PPP based client for PPTP or L2TP access, special consideration is needed if
LDAP authentication is to succeed with CHAP, MS-CHAPv1 or MS-CHAPv2.
A. Normal LDAP Authentication
Normal LDAP authentication for Webauth, XAuth, or PPP with PAP security is illustrated in the
diagram below. An authentication bind request with the username and password is sent to the LDAP
server which then performs the authentication and sends back a bind response with the result.
Figure 8.1. Normal LDAP Authentication
The processing is different if a group membership is being retrieved since a request is sent to the
LDAP server to search for memberships and any group memberships are then sent back in a
response.
B. PPP Authentication with CHAP, MS-CHAPv1 or MS-CHAPv2
If CHAP, MS-CHAPv1 or MS-CHAPv2 are used for logon security, a digest of the user's password
will be sent to the D-Link Firewall by the client. To check the validity of this password,
NetDefendOS would theoretically need to retrieve the password or password digest from the LDAP
server. However, LDAP doesn't support either.
To solve the password authentication problem, an optional Password Attribute field needs to be
set as part of the LDAP server definition in NetDefendOS. This attribute must be different from
the default password attribute (userPassword in most LDAP databases). This may mean that
an update to the LDAP server database schema will also be required to add this new attribute. The
alternative to schema alteration is to use another unused attribute that was intended for another purpose.
When NetDefendOS receives the password digest from the client, it then initiates a Search Request
to the LDAP server. The server replies with a Search Response which contains the user's password
and any group memberships. NetDefendOS is then able to create a digest of the password to
compare with the digest sent by the client. A successful digest match then results in successful
authentication.
The essential difference with the normal event sequence in A above is that it is the D-Link Firewall
itself which is performing the authentication.
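The sequence in B, modelled as an added Python example (not NetDefendOS code or anything from the manual): the firewall performs a Search Request, reads the cleartext password from the configured Password Attribute, computes the CHAP digest itself and compares it with the client's. The attribute name fwPassword, the directory entry and the challenge are all constructed for the example; the digest follows RFC 1994 CHAP (MD5 over identifier, secret and challenge).

```python
import hashlib
import hmac

# Constructed stand-in for the LDAP directory. Each entry carries the default
# userPassword (a hash the firewall cannot turn back into a digest) plus a
# separate cleartext attribute configured as the Password Attribute.
PASSWORD_ATTRIBUTE = "fwPassword"  # assumed name; must only differ from userPassword
DIRECTORY = {
    "alice": {
        "userPassword": "{SSHA}" + "A" * 28,  # constructed hash value
        PASSWORD_ATTRIBUTE: "s3cret-pass",
        "memberOf": ["cn=vpn-users,ou=groups,dc=example,dc=com"],
    },
}


def ldap_search(username, attribute):
    """Model the Search Request/Response: return the requested password
    attribute and any group memberships for the user, or (None, [])."""
    entry = DIRECTORY.get(username)
    if entry is None or attribute not in entry:
        return None, []
    return entry[attribute], entry.get("memberOf", [])


def chap_digest(identifier, secret, challenge):
    """RFC 1994 CHAP response value: MD5(identifier || secret || challenge)."""
    data = bytes([identifier]) + secret.encode() + challenge
    return hashlib.md5(data).digest()


def client_response(password, identifier, challenge):
    """What the PPP client sends: a digest of its password, never the password."""
    return chap_digest(identifier, password, challenge)


def firewall_authenticate(username, identifier, challenge, client_digest,
                          attribute=PASSWORD_ATTRIBUTE):
    """Sequence B: the firewall, not the LDAP server, does the comparison.
    Returns (authenticated, group_memberships)."""
    password, groups = ldap_search(username, attribute)
    if password is None:
        return False, []
    expected = chap_digest(identifier, password, challenge)
    # Constant-time comparison of the two digests.
    return hmac.compare_digest(expected, client_digest), groups


if __name__ == "__main__":
    challenge = bytes(range(16))  # constructed; real challenges are random
    digest = client_response("s3cret-pass", 7, challenge)
    print(firewall_authenticate("alice", 7, challenge, digest))
```

Pointing the firewall at userPassword instead of the separate attribute makes it digest the stored hash rather than the password, so every logon fails; that is the reason the manual requires a different attribute.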
308