With this setup, when users that are not authenticated try to surf to any IP except lan_ip they will
fall through the rules and their packets will be dropped. To always have these users come to the
authentication page, a SAT rule and its associated Allow rule must be added. The rule set will now
look like this:
# Action Src Interface Src Network Dest Interface Dest Network Service
1 Allow lan lannet core lan_ip http-all
2 NAT lan trusted_users wan all-nets http-all
3 NAT lan lannet wan all-nets dns-all
4 SAT lan lannet wan all-nets
all-to-one
127.0.0.1
http-all
5 Allow lan lannet wan all-nets http-all
The SAT rule catches all unauthenticated requests and must be set up with an all-to-one address
mapping that directs them to the address 127.0.0.1 which corresponds to core (NetDefendOS
itself).
Example 8.4. User Authentication Setup for Web Access
The configurations below shows how to enable HTTP user authentication for the user group
lan_group on lannet. Only users that belong to the group users can get Web browsing service
after authentication, as it is defined in the IP rule.
It is assumed that the authentication IPv4 address object lan_users_net has been defined and this
has its Groups property set to lan_group. The group lan_group has been used as the Groups
property of individual users in the lan_users database.
Web Interface
A. Set up an IP rule to allow HTTP authentication.
1. Go to: Policies > Firewalling > Main IP Rules > Add > IP Rule
2. Now enter:
• Name: http_auth
• Action: Allow
• Service: http-all
• Source Interface: lan
• Source Network: lannet
• Destination Interface core
• Destination Network lan_ip
3. Click OK
B. Set up an Authentication Rule
1. Go to: Policies > User Authentication > Authentication Rules > Add > User
Authentication Rule
Chapter 8: User Authentication
629
To Next Page
Loading...
