D-Link DFL-2500 User Manual

Changing the Management WebUI Port

HTTP authentication will collide with the WebUI's remote management service which also uses
TCP port 80. To avoid this, the WebUI port number should be changed before configuring
authentication. Do this by going to Remote Management > Advanced Settings in the WebUI and
changing the setting WebUI HTTP Port. Port number 81 could instead, be used for this setting.

Agent Options

For HTTP and HTTPS authentication there is a set of options in Authentication Rules called Agent
Options. These are:

•

Login Type - This can be one of:

•

FORM - The user is presented with an HTML page for authentication which is filled in and
the data sent back to NetDefendOS with a POST. An HTML pre-defined in NetDefendOS
will be used but this can be customized as described below.

•

BASICAUTH - This sends a 401 - Authentication Required message back to the browser
which will cause it to use its own inbuilt dialog to ask the user for a username/password
combination. A Realm String can optionally be specified which will appear in the browser's
dialog.

FORM is recommended over BASICAUTH because the in some cases the browser might hold
the login data in its cache

•

If the Agent is set to HTTPS then the Host Certificate and Root Certificate have to be chosen
from a list of certificates already loaded into NetDefendOS.

Setting Up IP Rules

HTTP authentication can't operate unless a rule is added to the IP rule set to explicitly allow
authentication to take place. If we consider the example of a number of clients on the local network
lannet who would like access to the public Internet on the wan interface then the IP rule set would
contain the following rules.

Action

Src Interface

Src Network

Dest Interface Dest Network Service

1

Allow

lan

lannet

core

lan_ip

http-all

2

NAT

lan

trusted_users

wan

all-nets

http-all

3

NAT

lan

lannet

wan

all-nets

dns-all

The first rule allows the authentication process to take place and assumes the client is trying to
access the lan_ip IP address, which is the IP address of the interface on the D-Link Firewall where
the local network connects.

The second rule allows normal surfing activity but we cannot just use lannet as the source network
since the rule would trigger for any unauthenticated client from that network. Instead, the source
network is an administrator defined IP object called trusted_users which is the same network as
lannet but has additionally either the Authentication option No Defined Credentials enabled or has
an Authentication Group assigned to it (which is the same group as that assigned to the users).

The third rule allows DNS lookup of URLs.

Forcing Users to a Login Page

With this setup, when users that aren't authenticated try to surf to any IP except lan_ip they will fall
through the rules and their packets will be dropped. To always have these users come to the
authentication page we must add a SAT rule and its associated Allow rule. The rule set will now
look like this:

8.2.6. HTTP Authentication

Chapter 8. User Authentication

224