D-Link DFL-200 Users

34

Users

User Authentication allows an administrator to grant or reject access to specific users from

specific IP addresses, based on their user credentials.

Before any traffic is allowed to pass through any policies configured with username or

groups, the user must first authenticate him/her-self. The D FL-200 can either verify the user

against a local database or passes along the user information to an external authentication

server, which verifies the user and the given password, and transmits the result back to the

firewall. If the authentication is successful, the DFL.700 will remember the source IP address

of this user, and any matching policies with usernames or grou ps configured will be allowed.

Specific policies that deal with user authentication can be defined, thus leaving policies that

not require user authentication unaffected.

The DFL-200 supports the RADIUS (Remote Authentication Dial In User Service)

authentication protocol. This protocol is heavily used in many scenarios where user

authentication is required, either by itself or as a front-end to other authentication services.

The DFL-200 RADIUS Support

The DFL-200 can use RADIUS to verify users against for example Active Directory or Unix

password-file. It is possible to configure up to two servers, if the first one is down it will try the

second IP instead.

The DFL-200 can use CHAP or PAP when communicating with the RADIUS server.

CHAP (Challenge Handshake Authentication Protocol) does not allow a remote attacker to

extract the user password from an intercepted RADIUS packet. However, the passw ord must

be stored in plaintext on the RADIUS server. PAP (Password Authentication Protocol) might

be defined as the less secure of the two. If a RADIUS packet is intercepted while being

transmitted between the firewall and the RADIUS server, the user password can be extracted ,

given time. The upside to this is that the password does not have to be stored in plainte xt in

the RADIUS server.

The DFL700 uses a shared secret when connecting to the RAD IUS server. The shared

secret enables basic encryption of the user password when the RA DIUS-packet is transmitted

from the firewall to the RADIUS server. The shared secret is case sensitive, can contain up to

100 characters, and must be typed exactly the same on both the fire wall and the RADIUS

server.

Contents

Main Contents Page Page Page Page Introduction Features and Benefits Introduction to Firewalls Introduction to Local Area Networking LEDs Physical Connections Page Managing D-Link DFL-200 When a change is done to the configuration a new icon named Activate Changes Resetting the DFL-200 Administration Settings Administrative Access Add ping access to an interface Add Admin access to an interface Add Read-only access to an interface Enable SNMP access to an interface System Interfaces Change IP of the LAN or DMZ interface WAN Interface Settings Using Static IP WAN Interface Settings Using DHCP WAN Interface Settings Using PPPoE WAN Interface Settings Using PPTP WAN Interface Settings Using BigPond MTU Configuration Routing Add a new Static Route Remove a Static Route Logging Enable Logging Enable Audit Logging Enable E-mail alerting for ISD/IDP events Page Page Changing time zone Using NTP to sync time Setting time and date manually Firewall Policy Policy modes Action Types Source and Destination Filter Service Filter Schedule Intrusion Detection / Prevention Add a new policy Change order of policy Delete policy Configure Intrusion Detection Configure Intrusion Prevention Port mapping / Virtual Servers Add a new mapping Delete mapping Users The DFL-200 RADIUS Support Enable User Authentication via HTTP / HTTPS Enable RADIUS Support Add User Change User Password Delete User Schedules Add new recurring schedule Services Adding TCP, UDP or TCP/UDP Service Adding IP Protocol Grouping Services Protocol-independent settings VPN Introduction to IPSec Introduction to PPTP Introduction to L2TP Point-to-Point Protocol Authentication Protocols PAP CHAP MS-CHAP v1 L2TP/PPTP Clients L2TP/PPTP Servers Page VPN between two networks Creating a LAN-to-LAN IPSec VPN Tunnel VPN between client and an internal network Creating a Roaming Users IPSec VPN Tunnel Adding a L2TP/PPTP VPN Client Adding a L2TP/PPTP VPN Server VPN Advanced Settings Proposal Lists IKE Proposal List IPSec Proposal List Certificates Trusting Certificates Local identities Certificates of remote peers Certificate Authorities Identities Content Filtering Active content handling Edit the URL Global Whitelist Edit the URL Global Blacklist Page Servers DHCP Server Settings Enable DHCP Server Enable DHCP Relay Disable DHCP Server/Relayer DNS Relayer Settings Enable DNS Relayer Page Too ls Ping Ping Example Dynamic DNS Add Dynamic DNS Settings Backup Exporting the DFL-200s Configuration Restoring the DFL-200s Configuration Page Page Page Upgrade Upgrade Firmware Upgrade IDS Signature-database Status System Interfaces VPN Connections DHCP Server Page How to read the logs USAGE events DROP events CONN events Page Step by step guides LAN-to-LAN VPN using IPsec Page Page Page LAN-to-LAN VPN using PPTP Page Page Page Page Page Page LAN-to-LAN VPN using L2TP Page Page Page Page Page Page A more secure LAN-to-LAN VPN solution Page Page Page Windows XP client and PPTP server Settings for the Windows XP client Page Page Page Page Page Page Page Page Page Windows XP client and L2TP server Settings for the Windows XP client Page Page Page Content filtering Page Page Page Intrusion detection and prevention Page Page Appendixes Appendix A: ICMP Types and Codes Page Appendix B: Common IP Protocol Numbers LIMITED WARRANTY Product Type Warranty Period Limited Software Warranty: What You Must Do For Warranty Service: What Is Not Covered: Disclaimer of Other Warranties: Limitation of Liability: GOVERNING LAW: This Limited Warranty shall be governed by the laws of the state of California. Page Page Offices