ProSafe VPN Firewall 200 FVX538 Reference Manual
5-22
Virtual Private Networking
v1.0, March 2009
6. Copy the contents of the Data to supply to CA text box into a file, including the complete “-----BEGIN CERTIFICATE REQUEST-----” and “-----END CERTIFICATE REQUEST-----” delimiter lines. Click Done. You will return to the Certificates screen, and your request details will be listed in the Self Certificate Requests table with a Status of “Waiting for Certificate upload”.
To submit your Certificate request to a CA:
1. Connect to the Web site of the CA.
2. Start the Self Certificate request procedure.
3. When prompted for the requested data, paste the data from your saved file, including the “-----BEGIN CERTIFICATE REQUEST-----” and “-----END CERTIFICATE REQUEST-----” lines.
4. Submit the CA form. If no problems ensue, the Certificate will be issued.
Only the request (the subject name and public key) leaves the router; the matching private key stays on the device and is never part of the data you copy.
Uploading a Trusted Certificate
After obtaining the new Certificate from the CA, you must upload it to this device, where it becomes an Active Self Certificate.
To upload your new certificate:
1. From the main menu, under VPN, select Certificates. The Certificates screen will display. Scroll down to the Self Certificate Requests section.
2. Click Browse, and locate the certificate file on your PC. Select the file name in the “File to upload” field and click Upload. The certificate file will be uploaded to this device.
3. Scroll back to the Active Self Certificates table. The new Certificate will appear in the Active Self Certificates list.
CAs publish updated revocation information on a regular basis. You should track all of your CAs to ensure that you have their latest CRL and that your certificate has not been revoked. To track a CA, upload its current CRL file to the CRL table, as described in the next section.
Managing your Certificate Revocation List (CRL)
A Certificate Revocation List (CRL) is a signed list, published by a CA, of the certificates that CA has revoked before their expiry date and that must no longer be trusted. Each CA issues its own CRLs; a certificate is treated as valid unless it appears on the current CRL of its issuer.
It is important that you keep your CRLs up-to-date. Every CRL carries a Next Update date, and after that date the revocation information on this device is stale, so obtain a fresh CRL from each CA regularly and before Next Update passes.
The CRL table lists your active CAs and their critical release dates:
• CA Identity – The official name of the CA which issued this CRL.
• Last Update – The date when this CRL was released.
• Next Update – The date when the next CRL will be released.
To upload a CA's CRL file to the CRL table:
1. From the main menu under VPN, select Certificates. The Certificates screen will display, showing the CRL (Certificate Revocation List) table at the bottom of the screen.
2. Click Browse, and then locate the CRL file you previously downloaded from the CA.
3. Select the CRL file. The name will appear in the “File to upload” field. Click Upload.
Click Back to return to the CRL list. The new CRL will appear in the CRL table under its CA Identity. If an older entry from the same CA is still listed, delete it so that only the current CRL for that CA remains.
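Two of the procedures on this page hand a file across a trust boundary: the CSR copied out of the “Data to supply to CA” box (which must carry the whole BEGIN/END block), and the CRL downloaded from a CA (which must still be current and tells you whether your own certificate has been revoked). As an added example, not code from the NETGEAR manual or the firewall firmware, the Python below checks both offline before they go anywhere: it extracts one PEM block and verifies that its base64 payload is a complete DER structure (so a missing line is caught before the CA or the router rejects it), and it walks a DER CRL to read the Last Update / Next Update window and the revoked serial numbers. The sample CSR for the hypothetical host fvx538.example.net, the “Example CA” CRL and all signature bytes are constructed placeholders; the CA signature on the CRL is not verified here, that remains the firewall's job.

```python
import base64
import re
from datetime import datetime, timezone

PEM_RE = re.compile(r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\s*"
                    r"(?P<body>[A-Za-z0-9+/=\s]+?)\s*-----END (?P=label)-----")

def der_header(buf, pos):
    """Return (tag, content_length, header_length) of the DER TLV at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                                   # short-form length
        return tag, first, 2
    n = first & 0x7F                                   # long form: n length bytes follow
    return tag, int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n

def pem_to_der(text, expected_label):
    """Extract the PEM block with the given label and return its DER bytes.
    ValueError if a delimiter line is missing, the label is wrong, the base64 is
    malformed, or the outer SEQUENCE length disagrees with the data (lines lost
    while copying out of the browser)."""
    m = PEM_RE.search(text)
    if not m:
        raise ValueError("no complete PEM block: both BEGIN and END lines are needed")
    if m.group("label") != expected_label:
        raise ValueError(f"expected {expected_label!r}, found {m.group('label')!r}")
    der = base64.b64decode("".join(m.group("body").split()), validate=True)
    if len(der) < 2:
        raise ValueError("empty PEM body")
    tag, length, hdr = der_header(der, 0)
    if tag != 0x30 or hdr + length != len(der):
        raise ValueError("outer SEQUENCE length mismatch: data truncated or corrupt")
    return der

def paste_is_complete(text, expected_label):
    """True if text holds one intact PEM block of the expected kind."""
    try:
        pem_to_der(text, expected_label)
        return True
    except ValueError:
        return False

def read_time(buf, pos):
    """Decode an RFC 5280 Time (UTCTime or GeneralizedTime) at buf[pos]."""
    tag, length, h = der_header(buf, pos)
    raw = buf[pos + h:pos + h + length].decode("ascii")
    if tag == 0x17:                                    # UTCTime YYMMDDHHMMSSZ
        yy = int(raw[:2])                              # RFC 5280 pivot: 50..99 -> 19xx
        raw = str((1900 if yy >= 50 else 2000) + yy) + raw[2:]
    elif tag != 0x18:                                  # GeneralizedTime YYYYMMDDHHMMSSZ
        raise ValueError(f"expected a Time at offset {pos}, got tag {tag:#x}")
    t = datetime.strptime(raw, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    return t, pos + h + length

def parse_crl(der):
    """Walk a DER CertificateList (RFC 5280 s5.1) and return thisUpdate,
    nextUpdate and the revoked serials. The CA signature is NOT checked here."""
    _, _, h = der_header(der, 0)                       # CertificateList SEQUENCE
    _, tbs_len, th = der_header(der, h)                # tbsCertList SEQUENCE
    pos, tbs_end = h + th, h + th + tbs_len
    tag, length, h = der_header(der, pos)
    if tag == 0x02:                                    # optional version INTEGER
        pos += h + length
    for _ in range(2):                                 # skip signature, issuer
        _, length, h = der_header(der, pos)
        pos += h + length
    this_update, pos = read_time(der, pos)
    next_update = None
    if pos < tbs_end and der[pos] in (0x17, 0x18):
        next_update, pos = read_time(der, pos)
    revoked = []
    if pos < tbs_end and der[pos] == 0x30:             # revokedCertificates
        _, length, h = der_header(der, pos)
        entry, stop = pos + h, pos + h + length
        while entry < stop:                            # SEQUENCE {serial, revocationDate, ...}
            _, elen, eh = der_header(der, entry)
            _, slen, sh = der_header(der, entry + eh)
            serial = int.from_bytes(der[entry + eh + sh:entry + eh + sh + slen], "big")
            revoked.append((serial, read_time(der, entry + eh + sh + slen)[0]))
            entry += eh + elen
    return {"this_update": this_update, "next_update": next_update, "revoked": revoked}

def crl_is_current(der, now=None):
    """False once the CA's Next Update has passed: download a fresh CRL first."""
    now = now or datetime.now(timezone.utc)
    c = parse_crl(der)
    return c["this_update"] <= now and (c["next_update"] is None or now < c["next_update"])

# --- constructed sample data: tiny DER encoder, imaginary CA, placeholder signatures ---
def tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def name(cn):                                          # Name holding one commonName
    return tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, bytes.fromhex("550403")) + tlv(0x13, cn.encode()))))

def to_pem(label, der):
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

SHA256_RSA = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))

def sample_crl_der():
    """CRL from the imaginary 'Example CA': valid 2009-03-01 to 2009-04-01, serial 0x1001 revoked."""
    entry = tlv(0x30, tlv(0x02, b"\x10\x01") + tlv(0x17, b"090315120000Z"))
    tbs = tlv(0x30, tlv(0x02, b"\x01") + SHA256_RSA + name("Example CA")
              + tlv(0x17, b"090301000000Z") + tlv(0x17, b"090401000000Z") + tlv(0x30, entry))
    return tlv(0x30, tbs + SHA256_RSA + tlv(0x03, b"\x00" * 9))

def sample_csr_pem():
    """Placeholder CSR for the hypothetical host fvx538.example.net (no real key inside)."""
    spki = tlv(0x30, tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010101")) + tlv(0x05, b""))
               + tlv(0x03, b"\x00" + b"\x11" * 32))
    info = tlv(0x30, tlv(0x02, b"\x00") + name("fvx538.example.net") + spki + tlv(0xA0, b""))
    return to_pem("CERTIFICATE REQUEST", tlv(0x30, info + SHA256_RSA + tlv(0x03, b"\x00" + b"\x22" * 32)))

if __name__ == "__main__":
    pem = sample_csr_pem()
    print("CSR paste intact:", paste_is_complete(pem, "CERTIFICATE REQUEST"))
    c = parse_crl(sample_crl_der())
    print("CRL window:", c["this_update"].date(), "to", c["next_update"].date(),
          "| revoked:", [hex(s) for s, _ in c["revoked"]], "| current today:", crl_is_current(sample_crl_der()))
```

Run `pem_to_der(open("request.pem").read(), "CERTIFICATE REQUEST")` on the file you saved from the router before pasting it into the CA's form, and `crl_is_current(open("ca.crl", "rb").read())` (or `pem_to_der(..., "X509 CRL")` first if the CA serves PEM) on each download before uploading it; feeding your own certificate's serial number to the revoked list is the check the manual asks you to perform by hand.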
Extended Authentication (XAUTH) Configuration
When connecting many VPN clients to a VPN gateway router, an administrator may want a per-user authentication method beyond relying on a single common preshared key for all clients. Although the administrator could configure a unique VPN policy for each user, it is more convenient for the VPN gateway router to authenticate users from a stored list of user accounts. XAUTH provides the mechanism for requesting individual authentication information (a user name and password) from the user, and a local User Database or an external authentication server, such as a RADIUS server, provides a method for storing that authentication information centrally in the local network. XAUTH supplements the IKE policy's preshared key rather than replacing it: the key remains common to all clients that use the policy, and the XAUTH credentials identify the individual user on top of it.
XAUTH is enabled when adding or editing an IKE Policy. Two types of XAUTH are available:
• Edge Device. If this is selected, the router acts as a VPN concentrator where one or more gateway tunnels terminate, and it verifies the XAUTH credentials presented by the remote peers. You must specify the authentication type used to verify those credentials: User Database, RADIUS-PAP, or RADIUS-CHAP.
Figure 5-21
• IPSec Host. If this is selected, the router itself is authenticated by the remote gateway. Enter the User Name and Password to be associated with this IKE policy; the remote gateway must be configured with the same user name and password in order to authenticate this router.
Configuring XAUTH for VPN Clients
Once XAUTH has been enabled, you must either create user accounts in the local User Database for XAUTH to authenticate against, or configure a RADIUS-CHAP or RADIUS-PAP server.
To enable and configure XAUTH:
1. Select VPN from the main menu and Policies from the submenu. The IKE Policies screen will display.
2. You can add XAUTH to an existing IKE Policy by clicking Edit adjacent to the policy to be modified, or you can create a new IKE Policy incorporating XAUTH by clicking Add.
Note: If you are modifying an existing IKE Policy that is in use by a VPN Policy, the VPN Policy must be disabled before you can modify the IKE Policy.
3. In the Extended Authentication section, select the XAUTH type:
• Edge Device to use this router as a VPN concentrator where one or more gateway tunnels terminate. The router then verifies the credentials of the remote VPN peers, so either the User Database or the RADIUS Client must be configured when XAUTH is enabled.
• IPSec Host if you want this router to be authenticated by the remote gateway. In the adjacent Username and Password fields, type the user name and password associated with this IKE policy; the remote gateway uses them to authenticate this router.
4. For an Edge Device, select the Authentication Type from the pull-down menu that will be used to verify user account information:
• User Database to verify against the router's user database. Users must be added through the User Database screen (see “User Database Configuration” on page 5-25).
• RADIUS–CHAP or RADIUS–PAP (depending on the authentication mode accepted by the RADIUS server) to verify against a RADIUS server. If RADIUS–PAP is selected, the router first checks the User Database for the user credentials; only if the user account is not present does the router contact the RADIUS server (see “RADIUS Client Configuration” on page 5-27).
5. Click Apply to save your settings.
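The choice between RADIUS-PAP and RADIUS-CHAP in step 4 decides what the firewall sends to the RADIUS server on the local network for each XAUTH login, not how the VPN client talks to the firewall. As an added example, not code from the manual or from NETGEAR's firmware, the Python below implements both encodings as RFC 2865 (sections 5.2 and 5.3) and RFC 1994 define them and runs a simulated round trip against a constructed user store: under PAP the password is hidden with a reversible MD5/XOR stream keyed by the shared secret, so anyone who captures the Access-Request and knows (or guesses) the secret recovers the password; under CHAP only a one-way MD5 response travels, but the server must hold the cleartext password to verify it. The user alice, the shared secret and the password are constructed test values.

```python
import hashlib
import hmac
import os

def _md5(*parts):
    return hashlib.md5(b"".join(parts)).digest()

def pap_hide(password, secret, authenticator):
    """RFC 2865 s5.2 User-Password hiding, as a RADIUS-PAP client sends it: each
    16-byte password block is XORed with MD5(shared secret || previous block),
    seeded with the 16-byte Request Authenticator. Reversible with the secret."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("RADIUS passwords are 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], _md5(secret, prev)))
        out += block
        prev = block
    return out

def pap_unhide(hidden, secret, authenticator):
    """Inverse of pap_hide: a captured Access-Request plus the shared secret
    gives back the cleartext password (trailing NUL padding removed)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], _md5(secret, prev)))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def chap_response(ident, password, challenge):
    """RFC 1994 s4.1 / RFC 2865 s5.3: the 16-byte value sent in CHAP-Password
    next to the CHAP-Challenge; only MD5(ident || password || challenge) travels."""
    return _md5(bytes([ident]), password, challenge)

def chap_verify(ident, stored_password, challenge, response):
    """Server side: recompute from the stored cleartext password and compare in
    constant time. CHAP cannot be verified from a salted password hash."""
    return hmac.compare_digest(chap_response(ident, stored_password, challenge), response)

def simulate_xauth_lookup(username, password, mode, secret, server_db):
    """Constructed round trip for one XAUTH user in either RADIUS mode.
    Returns (accepted, bytes that carry the password on the LAN)."""
    authenticator = os.urandom(16)                 # fresh per Access-Request
    stored = server_db.get(username)               # server_db maps user -> cleartext password
    if mode == "RADIUS-PAP":
        on_wire = pap_hide(password, secret, authenticator)
        accepted = stored is not None and pap_unhide(on_wire, secret, authenticator) == stored
    elif mode == "RADIUS-CHAP":
        ident, challenge = 0x2A, authenticator     # RFC 2865: without CHAP-Challenge, the authenticator is the challenge
        on_wire = bytes([ident]) + chap_response(ident, password, challenge)
        accepted = stored is not None and chap_verify(ident, stored, challenge, on_wire[1:])
    else:
        raise ValueError("mode must be RADIUS-PAP or RADIUS-CHAP")
    return accepted, on_wire

if __name__ == "__main__":
    db = {"alice": b"correct horse battery staple"}      # constructed RADIUS user store
    for mode in ("RADIUS-PAP", "RADIUS-CHAP"):
        ok, wire = simulate_xauth_lookup("alice", db["alice"], mode, b"radius-shared-secret", db)
        print(mode, "accepted:", ok, "| on wire:", wire.hex())
```

The practical consequence for step 4: with RADIUS-PAP, protect the firewall-to-RADIUS path and use a long random shared secret, because the secret is the only thing standing between a packet capture and every user's password; with RADIUS-CHAP the wire is safer, but the RADIUS server's user store must keep cleartext passwords, which is what makes some servers refuse CHAP in the first place.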
User Database Configuration
The User Database screen is used to configure and administer users when Extended Authentication is enabled as an Edge Device. Whether or not you use an external RADIUS server, you may want some users to be authenticated locally. These users must be added to the Configured Users table on the User Database screen.
To add a new user:
1. Select VPN from the main menu and VPN Client from the submenu. The User Database screen will display.
2. Enter a User Name. This is the unique ID of the user that will be added to the User Database.
Figure 5-22
3. Enter a Password for the user, and reenter the password in the Confirm Password field.
4. Click Add. The User Name will be added to the Configured Users table.
Figure 5-23
