FVS338 ProSafe VPN Firewall 50 Reference Manual
Virtual Private Networking
5-21
v1.0, September 2006
Configuring XAUTH for VPN Clients
Once XAUTH has been enabled, you must either establish user accounts in the local User Database for XAUTH to authenticate against, or enable a RADIUS-CHAP or RADIUS-PAP server.
To enable and configure XAUTH:
1. Select VPN from the main menu and Policies from the submenu. The IKE Policies screen will display.
2. You can either modify an existing IKE Policy by clicking Edit adjacent to the policy, or create a new IKE Policy by clicking Add.
3. In the Extended Authentication section, select from the Authentication Type pull-down menu the method that will be used to verify user account information:
   • Edge Device: use this router as a VPN concentrator where one or more gateway tunnels terminate. When this option is chosen, you will need to specify the authentication type to be used in verifying the credentials of the remote VPN gateways.
   • User Database: verify against the router's user database. Users must be added through the User Database screen (see "User Database Configuration" on page 5-22).
   • RADIUS-CHAP or RADIUS-PAP (depending on the authentication mode accepted by the RADIUS server): add a RADIUS server. If RADIUS-PAP is selected, the router will first check the User Database to see if the user credentials are available. If the user account is not present, the router will then connect to the RADIUS server (see "RADIUS Client Configuration" on page 5-23).
   • IPSec Host: use this if you want this router to be authenticated by the remote gateway. In the adjacent Username and Password fields, type in the user name and password associated with the IKE policy that the remote gateway uses to authenticate this gateway.
4. Click Apply to save your settings.
Note: If a RADIUS-PAP server is enabled for authentication, XAUTH will first check the local User Database for the user credentials. If the user account is not present, the router will then connect to the RADIUS server.
Note: If the IKE Policy you are modifying (for example, to add XAUTH) is in use by a VPN Policy, you must disable or delete that VPN Policy before you can make changes to the IKE Policy.
User Database Configuration
The User Database screen is used to configure and administer VPN Client users for use by the XAUTH server. Whether or not you use an external RADIUS server, you may want to have some users authenticated locally. These users must be added to the User Database Configured Users table.
To add a new user:
1. Select VPN from the main menu and VPN Client from the submenu. The User Database screen will display.
2. Enter a User Name. This is the unique ID of a user, which will be used in the User Name field of the VPN client.
Figure 5-16
3. Enter a Password for the user, and reenter the password in the Confirm Password field.
4. Click Add. The User Name will be added to the Configured Users table.
To edit the user name or password:
1. Click Edit opposite the user's name. The Edit User screen will display.
2. Make the required changes to the User Name or Password and click Apply to save your settings, or Reset to cancel your changes and return to the previous settings. The modified user name and password will display in the Configured Users table.
RADIUS Client Configuration
RADIUS (Remote Authentication Dial In User Service, RFC 2865) is a protocol for managing Authentication, Authorization and Accounting (AAA) of multiple users in a network. A RADIUS server stores a database of user information and can validate a user at the request of a gateway or server in the network when that user requests access to network resources. During the establishment of a VPN connection, the VPN gateway can interrupt the process with an XAUTH (eXtended AUTHentication) request. At that point, the remote user must provide authentication information such as a username/password, or some encrypted response derived from his username/password information. The gateway will try to verify this information first against a local User Database (if RADIUS-PAP is enabled) and then by relaying the information to a central authentication server such as a RADIUS server.
Figure 5-17
To configure the Primary RADIUS Server:
1. Select VPN from the main menu, VPN Client from the submenu, and then select the RADIUS Client tab. The RADIUS Client screen will display.
2. Enable the Primary RADIUS server by checking the Yes radio box.
3. Enter the Primary RADIUS Server IP address.
4. Enter a Secret Phrase. Transactions between the client and the RADIUS server are authenticated using a shared secret phrase, so the same Secret Phrase must be configured on both client and server.
5. Enter the Primary Server NAS Identifier (Network Access Server). This Identifier MUST be present in a RADIUS request. Ensure that the NAS Identifier is configured identically on both client and server.
   The FVS338 is acting as a NAS (Network Access Server), allowing network access to external users after verifying their authentication information. In a RADIUS transaction, the NAS must provide some NAS Identifier information to the RADIUS Server. Depending on the configuration of the RADIUS Server, the router's IP address may be sufficient as an identifier, or the Server may require a name, which you would enter here. This name would also be configured on the RADIUS Server, although in some cases it should be left blank on the RADIUS Server.
6. Enable a Backup RADIUS Server (if required) by following steps 2 through 5.
7. Set the Time Out Period, in seconds, that the router should wait for a response from the RADIUS server.
8. Set the Maximum Retry Count. This is the number of tries the router will make to the RADIUS server before giving up.
9. Click Reset to cancel any changes and revert to the previous settings.
10. Click Apply to save the settings.
Note: The Authentication Protocol, usually PAP or CHAP, is configured in the XAUTH section of the VPN Client screen.
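To show what is actually on the wire behind steps 4 and 5 (the Secret Phrase and the NAS Identifier) and the lookup order described under Configuring XAUTH (local User Database first for RADIUS-PAP, then the RADIUS server, with retries and fail-over to the backup server), here is an added example in Python. It is not NETGEAR's code or the FVS338 firmware: it implements the RFC 2865 Access-Request/Access-Accept exchange for both PAP and CHAP, with a minimal server that requires the configured NAS-Identifier and signs its reply with the shared secret. The user names, passwords, secret, NAS-Identifier and addresses are constructed; the transport is an in-memory callable rather than UDP port 1812; and the behaviour for a user who exists locally but supplies a wrong password (rejected without falling through to RADIUS) is an assumption the manual does not state.

```python
"""RADIUS PAP/CHAP round trip (RFC 2865) plus the FVS338 XAUTH lookup order.
Added example, not NETGEAR code: users, shared secret and NAS-Identifier are
constructed, and the "network" is an in-memory callable instead of UDP/1812."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, NAS_IP_ADDRESS, NAS_IDENTIFIER = 1, 2, 3, 4, 32

def pap_crypt(data, secret, req_auth, encrypt):
    """RFC 2865 5.2 User-Password: 16-byte blocks XORed with MD5(secret + previous cipher block)."""
    if encrypt:
        data = data.ljust(max(16, -(-len(data) // 16) * 16), b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block = bytes(x ^ y for x, y in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev, out = (block if encrypt else data[i:i + 16]), out + block
    return out if encrypt else out.rstrip(b"\x00")

def build_packet(code, ident, auth, attrs):
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + auth + body

def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, pos = {}, 20
    while pos + 2 <= length:
        ln = max(2, pkt[pos + 1])  # clamp a malformed length so a bad packet cannot loop forever
        attrs[pkt[pos]] = pkt[pos + 2:pos + ln]
        pos += ln
    return code, ident, pkt[4:20], attrs

def access_request(ident, user, password, secret, nas_id, nas_ip, mode):
    # What the FVS338, acting as NAS, sends. Returns (packet, Request Authenticator).
    req_auth = os.urandom(16)
    attrs = [(USER_NAME, user.encode()), (NAS_IDENTIFIER, nas_id),
             (NAS_IP_ADDRESS, bytes(map(int, nas_ip.split("."))))]
    if mode == "PAP":  # password is only obfuscated under the shared secret, not hashed
        attrs.append((USER_PASSWORD, pap_crypt(password.encode(), secret, req_auth, True)))
    else:  # CHAP: the Request Authenticator doubles as the challenge (RFC 2865 5.3)
        digest = hashlib.md5(bytes([ident]) + password.encode() + req_auth).digest()
        attrs.append((CHAP_PASSWORD, bytes([ident]) + digest))
    return build_packet(ACCESS_REQUEST, ident, req_auth, attrs), req_auth

def radius_server(pkt, secret, user_db, expected_nas_id):
    """Minimal server: requires the configured NAS-Identifier, checks PAP or CHAP, signs the reply."""
    code, ident, req_auth, attrs = parse_packet(pkt)
    stored = user_db.get(attrs.get(USER_NAME, b"").decode(errors="replace"))
    ok = False
    if code == ACCESS_REQUEST and attrs.get(NAS_IDENTIFIER) == expected_nas_id and stored:
        if USER_PASSWORD in attrs:
            ok = hmac.compare_digest(pap_crypt(attrs[USER_PASSWORD], secret, req_auth, False), stored.encode())
        elif CHAP_PASSWORD in attrs:
            chap_id, response = attrs[CHAP_PASSWORD][0], attrs[CHAP_PASSWORD][1:]
            ok = hmac.compare_digest(response, hashlib.md5(bytes([chap_id]) + stored.encode() + req_auth).digest())
    rcode = ACCESS_ACCEPT if ok else ACCESS_REJECT
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret); no attributes here
    resp_auth = hashlib.md5(struct.pack("!BBH", rcode, ident, 20) + req_auth + secret).digest()
    return build_packet(rcode, ident, resp_auth, [])

def verify_response(resp, req_auth, secret):
    """Reply code, or None when the Response Authenticator fails (Secret Phrase mismatch or forged reply)."""
    expected = hashlib.md5(resp[:4] + req_auth + resp[20:] + secret).digest()
    return parse_packet(resp)[0] if hmac.compare_digest(expected, resp[4:20]) else None

def xauth_authenticate(user, password, auth_type, local_db, servers, secret, nas_id, nas_ip, max_retry=2):
    """FVS338 order: "User Database" is local only; "RADIUS-PAP" checks the local User Database first and
    asks RADIUS only if the user is absent (a local user with a wrong password is rejected here: assumption);
    "RADIUS-CHAP" goes straight to RADIUS. `servers` = (primary, backup) callables returning the reply
    bytes or raising TimeoutError once the Time Out Period has elapsed."""
    if auth_type == "User Database" or (auth_type == "RADIUS-PAP" and user in local_db):
        return user in local_db and hmac.compare_digest(local_db[user].encode(), password.encode())
    mode = "PAP" if auth_type == "RADIUS-PAP" else "CHAP"
    for send in servers:
        for attempt in range(1 + max_retry):
            pkt, req_auth = access_request(attempt + 1, user, password, secret, nas_id, nas_ip, mode)
            try:
                reply = send(pkt)
            except TimeoutError:
                continue  # retry; once Maximum Retry Count is exhausted, move on to the backup server
            return verify_response(reply, req_auth, secret) == ACCESS_ACCEPT
    return False

def demo():
    """Constructed scenario: alice only in the router's User Database, bob only on RADIUS,
    primary RADIUS server unreachable, backup reachable."""
    secret, nas_id, nas_ip = b"shared-secret-on-both-sides", b"fvs338-hq", "172.21.4.1"
    local_db, radius_db = {"alice": "alice-pw"}, {"bob": "bob-pw"}
    def primary(pkt):
        raise TimeoutError
    def backup(pkt):
        return radius_server(pkt, secret, radius_db, nas_id)
    def backup_typo_secret(pkt):  # server side configured with a different Secret Phrase
        return radius_server(pkt, b"typo-in-secret", radius_db, nas_id)
    def auth(user, pw, auth_type, servers=(primary, backup)):
        return xauth_authenticate(user, pw, auth_type, local_db, servers, secret, nas_id, nas_ip)
    return {"local_alice": auth("alice", "alice-pw", "RADIUS-PAP"),
            "radius_pap_bob": auth("bob", "bob-pw", "RADIUS-PAP"),
            "radius_chap_bob": auth("bob", "bob-pw", "RADIUS-CHAP"),
            "bad_password": auth("bob", "guess", "RADIUS-CHAP"),
            "secret_mismatch": auth("bob", "bob-pw", "RADIUS-PAP", (primary, backup_typo_secret))}
```

Calling demo() returns True for the first three cases and False for the last two. The secret_mismatch case is the one to remember when troubleshooting step 4: a mistyped Secret Phrase on either side does not produce an error, the router simply cannot validate the Response Authenticator, so the reply is indistinguishable from a forged one and the user is rejected. The two protocols also differ in what they expose: with PAP the password crosses the network only obfuscated under the shared secret (the MD5 keystream above), so the secret's strength matters; with CHAP only a challenge response is sent, but the RADIUS server must then hold the plaintext password to recompute it.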
Manually Assigning IP Addresses to Remote Users (ModeConfig)
To simplify the process of connecting remote VPN clients to the FVS338, the ModeConfig module can be used to assign IP addresses to remote users, including a network access IP address, subnet mask, and name server addresses from the router. Remote users are given IP addresses available in secured network space so that they appear as seamless extensions of the network.
In the following example, we configured the VPN firewall using ModeConfig, and then configured a PC running ProSafe VPN Client software using these IP addresses.
NETGEAR ProSafe VPN Firewall 50
WAN IP address: 172.21.4.1
LAN IP address/subnet: 192.168.2.1/255.255.255.0
NETGEAR ProSafe VPN Client software IP address: 192.168.1.2
Figure 5-18
