Users; The DFL-1100 RADIUS Support - D-Link DFL-1100 User Manual

Network security firewall

Users

User Authentication allows an administrator to grant or reject access to specific users from
specific IP addresses, based on their user credentials.
Before any traffic is allowed to pass through a policy configured with usernames or groups,
the user must first be authenticated. The DFL-1100 can either verify the user against a local
database, or pass the user information along to an external authentication server. This server
verifies the user and the given password and transmits the result back to the firewall. If the
authentication is successful, the DFL-1100 remembers the source IP address of this user,
and any matching policies with usernames or groups configured will allow the traffic. Specific
policies that deal with user authentication can be defined, leaving policies that do not
require user authentication unaffected.
The DFL-1100 supports the RADIUS (Remote Authentication Dial In User Service)
authentication protocol. This protocol is heavily used in many scenarios where user
authentication is required, either by itself or as a front-end to other authentication services.

The DFL-1100 RADIUS Support

The DFL-1100 can use a RADIUS server to verify users against Active Directory or a Unix
password file. It is possible to configure up to two servers; if the first one is down, the firewall
tries the second IP instead.
The DFL-1100 can use CHAP or PAP when communicating with the RADIUS server. CHAP
(Challenge Handshake Authentication Protocol) does not allow a remote attacker to extract
the user password from an intercepted RADIUS packet. However, the password must be
stored in plaintext on the RADIUS server. PAP (Password Authentication Protocol) is the
less secure of the two: if a RADIUS packet is intercepted while being transmitted between
the firewall and the RADIUS server, the user password can be extracted, given time. The
upside is that the password does not have to be stored in plaintext on the RADIUS server.
The DFL-1100 uses a shared secret when connecting to the RADIUS server. The shared
secret enables basic encryption of the user password when the RADIUS packet is transmitted
from the firewall to the RADIUS server. The shared secret is case sensitive, can contain up to
100 characters, and must be typed exactly the same on both the firewall and the RADIUS
server.
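The "basic encryption" described above is the standard RADIUS User-Password hiding (RFC 2865 section 5.2), and the CHAP alternative is the CHAP-Password attribute (RFC 2865 section 5.3). The following is an added example, not code from the D-Link manual or firmware, reproducing both computations so an administrator can see exactly what the shared secret protects; the secret, authenticator and password values are constructed samples.

```python
import hashlib

# Added example: RFC 2865 User-Password hiding (PAP mode) and CHAP-Password,
# showing that the shared secret is the only thing protecting a PAP password.

def hide_user_password(password: bytes, shared_secret: bytes, authenticator: bytes) -> bytes:
    """Hide a PAP password the way the NAS (here, the firewall) does.

    RFC 2865 5.2: pad to 16-byte blocks, XOR each block with
    MD5(shared_secret + previous_block), seeded with the Request Authenticator.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 0 < len(password) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(shared_secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block  # next keystream block depends on this ciphertext block
    return hidden

def unhide_user_password(hidden: bytes, shared_secret: bytes, authenticator: bytes) -> bytes:
    """Reverse the hiding, as the RADIUS server does. Anyone holding both the
    shared secret and the captured packet can do the same, which is why the
    secret must be long and random and PAP packets must stay on a trusted link."""
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(shared_secret + prev).digest()
        plain += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return plain.rstrip(b"\x00")  # strips padding; assumes password has no trailing NUL

def chap_password_attribute(ident: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP-Password value: Ident byte + MD5(Ident + password + CHAP-Challenge).
    One-way, so the packet does not reveal the password, but the server must
    hold the plaintext password to recompute and compare it."""
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()

# Constructed sample values (not real credentials or captured traffic).
SECRET = b"example-shared-secret-use-a-long-random-one"
AUTHENTICATOR = bytes(range(16))  # a real NAS sends 16 fresh random bytes per request
PASSWORD = b"S3cret-P@ss"

if __name__ == "__main__":
    hidden = hide_user_password(PASSWORD, SECRET, AUTHENTICATOR)
    print("hidden User-Password :", hidden.hex())
    print("recovered by server  :", unhide_user_password(hidden, SECRET, AUTHENTICATOR))
    print("CHAP-Password        :", chap_password_attribute(1, PASSWORD, b"\x07" * 16).hex())
```

Note that the keystream is MD5 over the secret and a value visible in the packet, so a short or guessable shared secret turns the hiding into an offline guessing problem; use the full length the firewall allows.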
