Any packets from an IP address that fails authentication are discarded.
8.2.7. A Group Usage Example
To illustrate Authentication Group usage, let's suppose that there is a set of users who will log in from a network 192.168.1.0/24 connected to the lan interface. The requirement is to restrict access to a network called important_net on the int interface to one group of trusted users, while the other, less-trusted users can only access another network called regular_net on the dmz interface.
Assuming we are using the internal database of users as the authentication source, we add the users to this database with appropriate username/password pairs and a specific Group string. One set of users would be assigned to the group with the name trusted and the other to the group with the name untrusted.
We now define two IP objects for the same network 192.168.1.0/24. One IP object is called untrusted_net and has its Group parameter set to the string untrusted. The other IP object is called trusted_net and its Group parameter is set to the string trusted.
The final step is to set up the rules in the IP rule set as shown below:
#   Action   Src Interface   Src Network     Dest Interface   Dest Network     Service
1   Allow    lan             trusted_net     int              important_net    All
2   Allow    lan             untrusted_net   dmz              regular_net      All
If we wanted to allow the trusted group users to also access the regular network, we could add a third rule to permit this:
#   Action   Src Interface   Src Network     Dest Interface   Dest Network     Service
1   Allow    lan             trusted_net     int              important_net    All
2   Allow    lan             trusted_net     dmz              regular_net      All
3   Allow    int             untrusted_net   dmz              regular_net      All
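As an added illustration (not NetDefendOS code or part of the manual), the following Python models how a rule set matches packets against IP objects that carry a Group parameter: the same source network 192.168.1.0/24 matches trusted_net or untrusted_net depending on the group the user at that address authenticated into, and an address with no authenticated session matches neither, so its packets fall through the rule set and are discarded. The usernames, the session table, the destination network addresses and the choice of lan as the source interface for all three rules are constructed assumptions for this example.

```python
import ipaddress
from collections import namedtuple

# Constructed user database (username -> Group string) and the authenticated
# sessions the firewall would hold after login (source IP -> username).
USER_DB = {"alice": "trusted", "bob": "untrusted"}
SESSIONS = {"192.168.1.10": "alice", "192.168.1.20": "bob"}

# An IP object carries an optional Group parameter; None means no group restriction.
IPObject = namedtuple("IPObject", "name network group")
Rule = namedtuple("Rule", "num action src_if src_net dst_if dst_net service")

LAN = ipaddress.ip_network("192.168.1.0/24")
# Two IP objects for the same network, differing only in their Group parameter.
trusted_net = IPObject("trusted_net", LAN, "trusted")
untrusted_net = IPObject("untrusted_net", LAN, "untrusted")
# Destination network addresses are assumed; the example does not give them.
important_net = IPObject("important_net", ipaddress.ip_network("10.1.0.0/16"), None)
regular_net = IPObject("regular_net", ipaddress.ip_network("10.2.0.0/16"), None)

# The three-rule set from the example (source interface lan assumed for all three).
RULES = [
    Rule(1, "Allow", "lan", trusted_net, "int", important_net, "All"),
    Rule(2, "Allow", "lan", trusted_net, "dmz", regular_net, "All"),
    Rule(3, "Allow", "lan", untrusted_net, "dmz", regular_net, "All"),
]


def obj_matches(obj, ip, sessions):
    """A grouped IP object matches only if the address belongs to a user who has
    authenticated into that group; an unauthenticated address never matches it."""
    if ipaddress.ip_address(ip) not in obj.network:
        return False
    if obj.group is None:
        return True
    user = sessions.get(ip)
    return user is not None and USER_DB.get(user) == obj.group


def evaluate(src_if, src_ip, dst_if, dst_ip, rules=RULES, sessions=SESSIONS):
    """Return the number of the first matching Allow rule, or None when no rule
    matches and the packet is discarded."""
    for r in rules:
        if (r.action == "Allow" and r.src_if == src_if and r.dst_if == dst_if
                and obj_matches(r.src_net, src_ip, sessions)
                and obj_matches(r.dst_net, dst_ip, sessions)):
            return r.num
    return None
```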
8.2.8. HTTP Authentication
Where users communicate through a web browser using the HTTP protocol, authentication can be done by presenting the user with HTML pages that collect the required user information. This is sometimes referred to as WebAuth, and the setup requires some further considerations.
Changing the Management WebUI Port
HTTP authentication will collide with the WebUI's remote management service, which also uses TCP port 80. To avoid this, the WebUI port number should be changed before configuring authentication. Do this by going to Remote Management > advanced settings in the WebUI and changing the setting WebUI HTTP Port. Port number 81 could instead be used for this setting.
Agent Options
For HTTP and HTTPS authentication there is a set of options in Authentication Rules called Agent
Options. These are:
• Login Type - This can be one of:
  i. FORM - The user is presented with an HTML page for authentication which is filled in and the data sent back to NetDefendOS with a POST.
  ii. BASICAUTH - This sends a 401 - Authentication Required message back to the browser which will cause it to use its own inbuilt dialog to ask the user for a username/password
Chapter 8. User Authentication