Virtual Private Networking Using IPSec and L2TP Connections (page 246)
ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308
requesting individual authentication information from the user. A local user database or an
external authentication server, such as a RADIUS server, provides a method for storing the
authentication information centrally in the local network.
You can enable XAUTH when you manually add or edit an IKE policy. Two types of XAUTH are available:
• Edge Device. The VPN firewall is used as a VPN concentrator on which one or more gateway tunnels terminate. You need to specify the authentication type that should be used during verification of the credentials of the remote VPN gateways: the user database, RADIUS-PAP, or RADIUS-CHAP.
• IPSec Host. Authentication by the remote gateway through a user name and password that are associated with the IKE policy. The user name and password that are used to authenticate the VPN firewall need to be specified on the remote gateway.
Note: If a RADIUS-PAP server is enabled for authentication, XAUTH first checks the local user database for the user credentials. If the user account is not present, the VPN firewall then connects to a RADIUS server.
Configure XAUTH for VPN Clients

Once XAUTH has been enabled, you need to establish user accounts in the user database to be authenticated against XAUTH, or you need to enable a RADIUS-CHAP or RADIUS-PAP server.

Note: You cannot modify an existing IKE policy to add XAUTH while the IKE policy is in use by a VPN policy. The VPN policy needs to be disabled before you can modify the IKE policy.
To enable and configure XAUTH:
1. Select VPN > IPSec VPN. The IPSec VPN submenu tabs display with the IKE Policies for IPv4 screen in view (see Figure 158 on page 232).
2. Specify the IP version for which you want to edit an IKE policy:
   • IPv4. In the upper right of the screen, the IPv4 radio button is already selected by default. Go to Step 3.
   • IPv6. Select the IPv6 radio button. The IKE Policies screen for IPv6 displays.
3. In the List of IKE Policies table, click the Edit table button to the right of the IKE policy for which you want to enable and configure XAUTH. The Edit IKE Policy screen displays. This screen shows the same fields as the Add IKE Policy screen (see Figure 159 on page 233).
4. In the Extended Authentication section on the screen, complete the settings as described in the following table:

Table 57. Extended authentication settings for IPv4 and IPv6

Setting and description:

Select one of the following radio buttons to specify whether Extended Authentication (XAUTH) is enabled, and, if enabled, which device is used to verify user account information:
   • None. XAUTH is disabled. This is the default setting.
   • Edge Device. The VPN firewall functions as a VPN concentrator on which one or more gateway tunnels terminate. The authentication modes that are available for this configuration are User Database, RADIUS PAP, and RADIUS CHAP.
   • IPSec Host. The VPN firewall functions as a VPN client of the remote gateway. In this configuration, the VPN firewall is authenticated by a remote gateway with a user name and password combination.

Authentication Type
   For an Edge Device configuration, from the drop-down list, select one of the following authentication types:
   • User Database. XAUTH occurs through the VPN firewall's user database. You can add users on the Add User screen (see User Database Configuration on page 247).
   • Radius PAP. XAUTH occurs through RADIUS Password Authentication Protocol (PAP). The local user database is first checked. If the user account is not present in the local user database, the VPN firewall connects to a RADIUS server. For more information, see RADIUS Client and Server Configuration on page 247.
   • Radius CHAP. XAUTH occurs through RADIUS Challenge Handshake Authentication Protocol (CHAP). For more information, see RADIUS Client and Server Configuration on page 247.

Username
   The user name for XAUTH.

Password
   The password for XAUTH.

5. Click Apply to save your settings.

User Database Configuration

When XAUTH is enabled in an Edge Device configuration, users need to be authenticated either by a local user database account or by an external RADIUS server. Whether or not you use a RADIUS server, you might want some users to be authenticated locally. These users need to be added to the List of Users table on the Users screen, as described in Configure User Accounts on page 310.

RADIUS Client and Server Configuration

Remote Authentication Dial In User Service (RADIUS, RFC 2865) is a protocol for managing authentication, authorization, and accounting (AAA) of multiple users in a network. A RADIUS server stores a database of user information and can validate a user at the request of a gateway or server in the network when a user requests access to network resources.

During the establishment of a VPN connection, the VPN gateway can interrupt the process with an XAUTH request. At that point, the remote user needs to provide authentication information such as a user name and password or some encrypted response using the user name and password information. The gateway then attempts to verify this information first against a local user database (if RADIUS-PAP is enabled) and then by relaying the information to a central authentication server such as a RADIUS server.
Note: Even though you can configure RADIUS servers with IPv4 addresses only, the servers can be used for authentication, authorization, and accounting of both IPv4 and IPv6 users.

To configure primary and backup RADIUS servers:
1. Select VPN > IPSec VPN > RADIUS Client. The RADIUS Client screen displays:

Figure 163.
2. Complete the settings as described in the following table:

Table 58. RADIUS Client screen settings

Primary RADIUS Server
   To enable and configure the primary RADIUS server, select the Yes radio button, and enter the settings for the three fields to the right. The default setting is that the No radio button is selected.
   Primary Server IP Address: The IPv4 address of the primary RADIUS server.
   Secret Phrase: A shared secret phrase to authenticate the transactions between the client and the primary RADIUS server. The same secret phrase needs to be configured on both the client and the server.
   Primary Server NAS Identifier: The primary Network Access Server (NAS) identifier that needs to be present in a RADIUS request.
   Note: The VPN firewall functions as an NAS, allowing network access to external users after verification of their authentication information. In a RADIUS transaction, the NAS needs to provide some NAS identifier information to the RADIUS server. Depending on the configuration of the RADIUS server, the VPN firewall's IP address might be sufficient as an identifier, or the server might require a name, which you need to enter in this field.

Backup RADIUS Server
   To enable and configure the backup RADIUS server, select the Yes radio button, and enter the settings for the three fields to the right. The default setting is that the No radio button is selected.
   Backup Server IP Address: The IPv4 address of the backup RADIUS server.
   Secret Phrase: A shared secret phrase to authenticate the transactions between the client and the backup RADIUS server. The same secret phrase needs to be configured on both the client and the server.
   Backup Server NAS Identifier: The backup Network Access Server (NAS) identifier that needs to be present in a RADIUS request.
   Note: See the note earlier in this table for the Primary Server NAS Identifier.

Connection Configuration
   Time out period: The period in seconds that the VPN firewall waits for a response from a RADIUS server. The default setting is 30 seconds.
   Maximum Retry Counts: The maximum number of times that the VPN firewall attempts to connect to a RADIUS server. The default setting is 4 retry counts.

3. Click Apply to save your settings.

Note: You can select the RADIUS authentication protocol (PAP or CHAP) on the Edit IKE Policy screen or Add IKE Policy screen (see Configure XAUTH for VPN Clients on page 246).
Assign IPv4 Addresses to Remote Users (Mode Config)

• Mode Config Operation
• Configure Mode Config Operation on the VPN Firewall
• Configure the ProSafe VPN Client for Mode Config Operation
• Test the Mode Config Connection
• Modify or Delete a Mode Config Record

To simplify the process of connecting remote VPN clients to the VPN firewall, use the Mode Config feature to automatically assign IPv4 addresses to remote users, including a network access IP address, subnet mask, WINS server, and DNS address. Remote users are given IP addresses available in a secured network space so that remote users appear as seamless extensions of the network.

You can use the Mode Config feature in combination with an IPv6 IKE policy to assign IPv4 addresses to clients, but you cannot assign IPv6 addresses to clients.
Mode Config Operation

After the IKE Phase 1 negotiation is complete, the VPN connection initiator (which is the remote user with a VPN client) requests the IP configuration settings such as the IP address, subnet mask, WINS server, and DNS address from the VPN firewall. The Mode Config feature allocates an IP address from the configured IP address pool and activates a temporary IPSec policy, using the information that is specified in the Traffic Tunnel Security Level section of the Mode Config record (on the Add Mode Config Record screen that is shown in Figure 165 on page 251).

Note: After configuring a Mode Config record, you need to manually configure an IKE policy and select the newly created Mode Config record from the Select Mode Config Record drop-down list (see Configure Mode Config Operation on the VPN Firewall on page 250). You do not need to change any VPN policy.

Note: An IP address that is allocated to a VPN client is released only after the VPN client has gracefully disconnected or after the SA lifetime for the connection has timed out.
Configure Mode Config Operation on the VPN Firewall
To configure Mode Config on the VPN firewall, first create a Mode Config record, and then
select the Mode Config record for an IKE policy.