D-Link NetDefendOS
912 pages
8.3. ARP Authentication
ARP authentication (sometimes referred to as MAC authentication) is authentication based on the
MAC address of a connecting client's Ethernet interface. This is useful if the administrator wants
to ensure that access is simple for a particular device and the user will not be required to type in
their credentials. NetDefendOS sends the MAC address of the connecting client to a RADIUS or
LDAP server which looks the address up in its database and tells NetDefendOS if the client is
authenticated or not. (Using a local database with ARP authentication is not supported.)
ARP authentication can be configured in one of two ways:

- For HTTP or HTTPS traffic only
  In an authentication rule with the Authentication agent set to HTTP or HTTPS, set the Login
  type under Agent Options to be MAC authentication.

- For any type of traffic using ARP Cache
  Set the User Agent of the authentication rule to be ARPCache and set the Authentication
  Source to be RADIUS or LDAP.
  Unlike the previous method, this can be used for any traffic, but it has the disadvantage of
  requiring further steps, which are explained next.
Note that if the Authentication Source is set to Allow, all users will be automatically
authenticated without reference to a database. The only advantage to doing this is that the
administrator can easily see a list of logged in users by going to: Status > Run-time
Information > User Authentication in the Web Interface.
Other Steps with the ARP Cache Method
When using the ARP Cache method, there are some other configuration steps that the
administrator must take so that the NetDefendOS ARP cache contains the data needed for
successful authentication:
- There must be a second IP rule below the Allow or NAT IP rule that has an action of Reject. This
  ensures that clients that are not yet authenticated will still have their MAC addresses placed
  into the ARP cache. If the second rule is not present, authentication will not work.

- The time between ARP cache refreshes should be adjusted downwards so that, should a
  connection be broken (for instance by an idle timeout), the cache is updated within a
  reasonable time. This is done by reducing the ARP advanced setting ARP expire.
  If a connection idle timeout occurs, the affected client will not be able to log in again
  until the cache is updated. An acceptable value for the ARP expire setting needs to be
  determined based on the size of the network; a large network may need a higher value. The
  ARP expire setting must be lower than the connection timeout setting.
Sending the MAC Address to a Server
In both the above methods of ARP authentication, NetDefendOS will use a RADIUS or LDAP
server to authenticate the client. NetDefendOS will always send the MAC address itself as the
username when communicating with the server.
By default, the password sent to the server is also the client's MAC address. However, this can be
changed to a specific password by setting the MAC Auth Secret property of the authentication
rule object.
Chapter 8: User Authentication
633