Administrative users
Click on Firewall in the menu bar, and then click Users below it. This will show all the users, and the first section is the administrative users.
The first column shows the access levels, Administrator and Read-only. An Administrator user can add, edit and remove rules, change settings of the DFL-700 and so on. The Read-only user can only look at the configuration. The second column shows the users in each access level.
Add Administrative User
Follow these steps to add a new administrative user.
Step 1. Click on add after the type of user you would like to add, Admin or Read-only.
Step 2. Fill in User name; make sure you are not trying to add one that already exists.
Step 3. Specify the password for the new user.
Click the Apply button below to apply the setting or click Cancel to discard changes.
Note: The user name and password should be at least six characters long. The user name and password can contain numbers (0-9) and upper and lower case letters (A-Z, a-z). Special characters and spaces are not allowed.
Change Administrative User Access level
To change the access level of a user, click on the user name and you will see the following screen. From here you can change the access level by choosing the appropriate level from the drop-down menu.
Access levels
Administrator – the user can add, edit and remove rules and change all settings.
Read-only – the user can only look at the configuration of the firewall.
No Admin Access – The user is only used for user authentication.
Follow these steps to change Administrative User Access level.
Step 1. Click on the user you would like to change level of.
Step 2. Choose the appropriate level from the drop-down menu.
Click the Apply button below to apply the setting or click Cancel to discard changes.
Change Administrative User Password
To change the password of a user, click on the user name and you will see the following screen.
Follow these steps to change Administrative User password.
Step 1. Click on the user you would like to change level of.
Step 2. Enable the Change password checkbox.
Step 3. Enter the new password twice.
Click the Apply button below to apply the setting or click Cancel to discard changes.
Note: The password should be at least six characters long. The password can contain numbers (0-9) and upper and lower case letters (A-Z, a-z). Special characters and spaces are not allowed.
Delete Administrative User
To delete a user, click on the user name and you will see the following screen.
Follow these steps to delete an Administrative User.
Step 1. Click on the user you would like to change level of.
Step 2. Enable the Delete user checkbox.
Click the Apply button below to apply the setting or click Cancel to discard changes.
Note: Deleting a user is irreversible; once the user is deleted, it cannot be undeleted.
Users
User Authentication allows an administrator to grant or reject access to specific users from
specific IP addresses, based on their user credentials.
Before any traffic is allowed to pass through any policies configured with usernames or groups, the user must first authenticate. The DFL-700 can either verify the user against a local database or pass the user information along to an external authentication server, which verifies the user and the given password and transmits the result back to the firewall. If the authentication is successful, the DFL-700 will remember the source IP address of this user, and any matching policies with usernames or groups configured will be allowed. Specific policies that deal with user authentication can be defined, thus leaving policies that do not require user authentication unaffected.
The DFL-700 supports the RADIUS (Remote Authentication Dial In User Service)
authentication protocol. This protocol is heavily used in many scenarios where user
authentication is required, either by itself or as a front-end to other authentication services.
The DFL-700 RADIUS Support
The DFL-700 can use RADIUS to verify users against, for example, Active Directory or a Unix password file. It is possible to configure up to two servers; if the first one is down, the firewall will try the second IP instead.
The DFL-700 can use CHAP or PAP when communicating with the RADIUS server.
CHAP (Challenge Handshake Authentication Protocol) does not allow a remote attacker to extract the user password from an intercepted RADIUS packet. However, the password must be stored in plaintext on the RADIUS server.
PAP (Password Authentication Protocol) might be defined as the less secure of the two. If a RADIUS packet is intercepted while being transmitted between the firewall and the RADIUS server, the user password can be extracted, given time. The upside to this is that the password does not have to be stored in plaintext in the RADIUS server.
The DFL-700 uses a shared secret when connecting to the RADIUS server. The shared
secret enables basic encryption of the user password when the RADIUS-packet is transmitted
from the firewall to the RADIUS server. The shared secret is case sensitive, can contain up to
100 characters, and must be typed exactly the same on both the firewall and the RADIUS
server.
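The PAP and CHAP handling described above, as an added example that is not from the D-Link manual or the DFL-700 firmware: it follows the User-Password hiding scheme of RFC 2865 and the CHAP digest of RFC 1994, and shows why the shared secret must match exactly on both sides and why a CHAP server has to hold the plaintext password. The secret, password, authenticator and challenge values are constructed for the example.

```python
import hashlib
import hmac

def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Firewall side: hide the User-Password attribute (RFC 2865, section 5.2)."""
    if len(password) > 128:
        raise ValueError("RFC 2865 limits User-Password to 128 octets")
    blocks = max(1, -(-len(password) // 16))           # at least one 16-octet block
    padded = password.ljust(blocks * 16, b"\x00")      # null-pad to a block boundary
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()     # mask chained on the previous block
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out

def pap_reveal(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RADIUS server side: the same secret and authenticator undo the masking."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")

def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP digest (RFC 1994): MD5 over identifier, password and challenge."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()

def chap_verify(ident: int, response: bytes, challenge: bytes, stored_password: bytes) -> bool:
    """Server side: recomputing the digest needs the stored password in plaintext."""
    return hmac.compare_digest(chap_response(ident, stored_password, challenge), response)

# Constructed sample values, not taken from any real deployment.
SECRET = b"ExampleSharedSecret"
PASSWORD = b"Passw0rd123LongerThan16"     # 23 octets, so two 16-octet blocks
AUTHENTICATOR = bytes(range(16))          # Request Authenticator (random in practice)
CHALLENGE = bytes(range(16, 32))          # CHAP challenge (random in practice)

if __name__ == "__main__":
    hidden = pap_hide(PASSWORD, SECRET, AUTHENTICATOR)
    print("PAP attribute on the wire:", hidden.hex())
    print("server, same secret:      ", pap_reveal(hidden, SECRET, AUTHENTICATOR))
    print("server, wrong-case secret:", pap_reveal(hidden, SECRET.lower(), AUTHENTICATOR))
    digest = chap_response(1, PASSWORD, CHALLENGE)
    print("CHAP digest on the wire:  ", digest.hex())
    print("CHAP verified:            ", chap_verify(1, digest, CHALLENGE, PASSWORD))
```

Because the PAP mask depends only on the shared secret and the Request Authenticator carried in the same packet, the confidentiality of a PAP password on the wire is exactly the strength of the shared secret.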
Enable User Authentication via HTTP / HTTPS
Follow these steps to enable User Authentication.
Step 1. Enable the checkbox for User Authentication.
Step 2. Specify if HTTP and HTTPS or only HTTPS should be used for the login.
Step 3. Specify the idle-timeout, the time a user can be idle before being logged out by the firewall.
Step 4. Choose new ports for the management WebUI to listen on, as the user authentication will use the same ports as the management WebUI is using.
Click the Apply button below to apply the setting or click Cancel to discard changes.
Enable RADIUS Support
Follow these steps to enable RADIUS support.
Step 1. Enable the checkbox for RADIUS Support.
Step 2. Fill in up to two RADIUS servers.
Step 3. Specify which mode to use, PAP or CHAP.
Step 4. Specify the shared secret for this connection.
Click the Apply button below to apply the setting or click Cancel to discard changes.
