7. Manage Users, Authentication, and VPN Certificates
This chapter describes how to manage users, authentication, and security certificates for IPSec
VPN and SSL VPN. The chapter contains the following sections:
The VPN Firewall’s Authentication Process and Options
Configure Authentication Domains, Groups, and Users
Manage Digital Certificates for VPN Connections
ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308
The VPN Firewall’s Authentication Process and Options
Users are assigned to a group, and a group is assigned to a domain. Therefore, you should
first create any domains, then groups, then user accounts.
Note: Do not confuse the authentication groups with the LAN groups that are described in Manage IPv4 Groups and Hosts (IPv4 LAN Groups) on page 96.
You need to create name and password accounts for all users who need to be able to
connect to the VPN firewall. This includes administrators, guests, and SSL VPN clients.
Accounts for IPSec VPN clients are required only if you have enabled extended
authentication (XAUTH) in your IPSec VPN configuration.
Users connecting to the VPN firewall need to be authenticated before being allowed to
access the VPN firewall or the VPN-protected network. The login screen that is presented to
the user requires three items: a user name, a password, and a domain selection. The domain
determines the authentication method that is used and, for SSL connections, the portal layout
that is presented.
Note: IPSec VPN, L2TP, and PPTP users do not belong to a domain and are not assigned to a group.

Except for IPSec VPN, L2TP, and PPTP users, when you create a user account, you need to specify a group. When you create a group, you need to specify a domain.
The following table summarizes the external authentication protocols and methods that the VPN firewall supports.

Table 75. External authentication protocols and methods

PAP. Password Authentication Protocol (PAP) is a simple protocol in which the client sends its password in clear text. PAP itself provides no protection for the password; it relies entirely on the transport (for example, the SSL VPN tunnel, or the shared-secret hiding that RADIUS applies to the User-Password attribute).

CHAP. Challenge Handshake Authentication Protocol (CHAP) executes a three-way handshake: the server sends a random challenge, the client answers with a hash of that challenge calculated together with the shared secret (the user’s password), and the server recomputes the hash and replies with success or failure. The password itself never crosses the wire, but the server must hold it in a form from which the hash can be recomputed.

RADIUS. A network-validated PAP or CHAP password-based authentication method that functions with Remote Authentication Dial In User Service (RADIUS).

MIAS. A network-validated PAP or CHAP password-based authentication method that functions with Microsoft Internet Authentication Service (MIAS), which is a component of Microsoft Windows 2003 Server.

WiKID. WiKID Systems is a PAP or CHAP key-based two-factor authentication method that functions with public key cryptography. The client sends an encrypted PIN to the WiKID server and receives a one-time passcode with a short expiration period. The client logs in with the passcode. See Appendix D, Two-Factor Authentication, for more on WiKID authentication.

NT Domain. A network-validated domain-based authentication method that functions with a Microsoft Windows NT Domain authentication server. This authentication method has been superseded by Microsoft Active Directory authentication but is supported to authenticate legacy Windows clients.

Active Directory. A network-validated domain-based authentication method that functions with a Microsoft Active Directory authentication server. Microsoft Active Directory authentication servers support a group and user structure. Because Active Directory supports a multilevel hierarchy (for example, groups or organizational units), this information can be queried to provide specific group policies or bookmarks based on Active Directory attributes.
Note: A Microsoft Active Directory database uses an LDAP organization schema.

LDAP. A network-validated domain-based authentication method that functions with a Lightweight Directory Access Protocol (LDAP) authentication server. LDAP is a standard for querying and updating a directory. Because LDAP supports a multilevel hierarchy (for example, groups or organizational units), this information can be queried to provide specific group policies or bookmarks based on LDAP attributes.

Configure Authentication Domains, Groups, and Users

Configure Domains
Configure Groups
Configure User Accounts
Set User Login Policies
Change Passwords and Other User Settings

Configure Domains

The domain determines the authentication method to be used for associated users. For SSL connections, the domain also determines the portal layout that is presented, which in turn determines the network resources to which the associated users have access. The default domain of the VPN firewall is named geardomain. You cannot delete the default domain.
Page 304 / 469
Manage Users, Authentication, and VPN
Certificates
304
ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308
Create Domains

To create a domain:

1. Select Users > Domains. The Domains screen displays. (The following figure shows the VPN firewall’s default domain, geardomain, and, as an example, other domains in the List of Domains table.)
Figure 201.
The List of Domains table displays the domains with the following fields:
- Check box. Allows you to select the domain in the table.
- Domain Name. The name of the domain. The name of the default domain (geardomain), to which the default SSL VPN portal is assigned, is marked with an asterisk.
- Authentication Type. The authentication method that is assigned to the domain.
- Portal Layout Name. The SSL portal layout that is assigned to the domain.
- Action. The Edit table button, which provides access to the Edit Domain screen.
2. Under the List of Domains table, click the Add table button. The Add Domain screen displays:
Figure 202.
3. Complete the settings as described in the following table:
Table 76. Add Domain screen settings

Domain Name. A descriptive (alphanumeric) name of the domain for identification and management purposes.

Authentication Type. From the drop-down list, select the authentication method that the VPN firewall applies:
- Local User Database (default). Users are authenticated locally on the VPN firewall. This is the default setting. You do not need to complete any other fields on this screen.
- Radius-PAP. RADIUS Password Authentication Protocol (PAP). Complete the Authentication Server and Authentication Secret fields.
- Radius-CHAP. RADIUS Challenge Handshake Authentication Protocol (CHAP). Complete the Authentication Server and Authentication Secret fields.
- Radius-MSCHAP. RADIUS Microsoft CHAP. Complete the Authentication Server and Authentication Secret fields.
- Radius-MSCHAPv2. RADIUS Microsoft CHAP version 2. Complete the Authentication Server and Authentication Secret fields.
- WIKID-PAP. WiKID Systems PAP. Complete the Authentication Server and Authentication Secret fields.
- WIKID-CHAP. WiKID Systems CHAP. Complete the Authentication Server and Authentication Secret fields.
Note: If you select any type of RADIUS authentication, make sure that one or more RADIUS servers are configured (see RADIUS Client and Server Configuration on page 247).
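What the Authentication Server and Authentication Secret settings actually feed, and how Radius-PAP differs from Radius-CHAP on the wire, is easier to see in code than in the table descriptions. The following is an added example written for this page; it is not NETGEAR firmware and not the code of any RADIUS server. It walks one RFC 2865 exchange: the firewall (acting as the RADIUS client, or NAS) builds an Access-Request for a Radius-PAP or Radius-CHAP domain, a server checks the credential, and the firewall verifies the Response Authenticator before trusting the answer. The shared secret, the user store, and every function name here are constructed for the example.

```python
"""RFC 2865 RADIUS Access-Request/Accept for PAP and CHAP (RFC 1994).
Added example for this page, not NETGEAR firmware or any RADIUS server's code."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, CHAP_CHALLENGE = 1, 2, 3, 60

# Constructed sample data: the value typed into "Authentication Secret" on the
# firewall and on the server, plus one account in the server's user store.
SHARED_SECRET = b"example-secret"
USER_DB = {"alice": b"correct horse battery staple"}


def hide_password(password, secret, authenticator):
    """RFC 2865 s5.2: pad to a multiple of 16, XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password, as the server computes it for Radius-PAP."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def chap_response(chap_id, password, challenge):
    """RFC 1994: MD5(Identifier || secret || challenge); the secret is the password."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def encode(code, ident, authenticator, attrs):
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def decode(packet):
    code, ident, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = [], 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        attrs.append((t, packet[pos + 2:pos + l]))
        pos += l
    return code, ident, packet[4:20], attrs


def nas_request(user, password, method, ident=1):
    """What the firewall (the NAS) sends for a Radius-PAP or Radius-CHAP domain.
    The portal login form already gave it the cleartext password, so for CHAP the
    firewall itself plays the CHAP peer and generates the challenge."""
    req_auth = os.urandom(16)
    attrs = [(USER_NAME, user.encode())]
    if method == "pap":
        attrs.append((USER_PASSWORD, hide_password(password, SHARED_SECRET, req_auth)))
    else:
        chap_id, challenge = 7, os.urandom(16)
        attrs.append((CHAP_PASSWORD, bytes([chap_id]) + chap_response(chap_id, password, challenge)))
        attrs.append((CHAP_CHALLENGE, challenge))
    return encode(ACCESS_REQUEST, ident, req_auth, attrs)


def server_handle(packet, secret=SHARED_SECRET):
    """RADIUS server side: check the credential and answer Accept or Reject."""
    _, ident, req_auth, attrs = decode(packet)
    a = dict(attrs)
    stored = USER_DB.get(a.get(USER_NAME, b"").decode(errors="replace"))
    ok = False
    if stored is not None and USER_PASSWORD in a:
        ok = reveal_password(a[USER_PASSWORD], secret, req_auth) == stored
    elif stored is not None and CHAP_PASSWORD in a:
        chap_id, response = a[CHAP_PASSWORD][0], a[CHAP_PASSWORD][1:]
        challenge = a.get(CHAP_CHALLENGE, req_auth)  # RFC 2865 s5.40 fallback
        # CHAP needs the cleartext (or reversibly stored) password to recompute.
        ok = chap_response(chap_id, stored, challenge) == response
    head = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)
    return head + hashlib.md5(head + req_auth + secret).digest()


def nas_accepts(request, response, secret=SHARED_SECRET):
    """The firewall must verify the Response Authenticator and the identifier;
    otherwise an on-path attacker could answer with a forged Access-Accept."""
    _, req_id, req_auth, _ = decode(request)
    code, resp_id, resp_auth, _ = decode(response)
    expected = hashlib.md5(response[:4] + req_auth + response[20:] + secret).digest()
    return code == ACCESS_ACCEPT and resp_id == req_id and resp_auth == expected


def authenticate(user, password, method="pap"):
    req = nas_request(user, password, method)
    return nas_accepts(req, server_handle(req))
```

Three practical points follow from the exchange. With Radius-PAP the only thing protecting the password between the firewall and the server is the MD5-keyed XOR with the Authentication Secret, so that secret should be long and random and the firewall-to-server path should be a trusted network. With Radius-CHAP the password never leaves the firewall, but the server must be able to recompute MD5(id, password, challenge), so a RADIUS server backed by a one-way hashed user store cannot serve a Radius-CHAP domain. Finally, because the portal login form delivers the password to the firewall itself, the PAP versus CHAP choice only governs the firewall-to-server leg; the user's own connection is protected by the SSL VPN tunnel, not by CHAP.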