ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual
6-24
Virtual Private Networking Using IPsec
v1.0, October 2008
RADIUS–CHAP or RADIUS–PAP (depending on the authentication mode accepted by the RADIUS server) to add a RADIUS server. If RADIUS–PAP is selected, the firewall first checks the local User Database for the user's credentials. If the user account is not present there, the firewall then connects to the RADIUS server (see “RADIUS Client Configuration” on page 6-24).
• IPsec Host if you want this gateway to be authenticated by the remote gateway. In the adjacent Username and Password fields, type the user name and password associated with the IKE policy that the remote gateway uses to authenticate this gateway.
6. Click Apply to save your settings.
User Database Configuration

When XAUTH is enabled as an Edge Device, users must be authenticated either by a local User Database account or by an external RADIUS server. Whether or not you use a RADIUS server, you may want some users to be authenticated locally. These users must be added to the List of Users table, as described in “Creating a New User Account” on page 8-4.
RADIUS Client Configuration

RADIUS (Remote Authentication Dial In User Service, RFC 2865) is a protocol for managing Authentication, Authorization, and Accounting (AAA) of multiple users in a network. A RADIUS server stores a database of user information and can validate a user at the request of a gateway or server in the network when that user asks for access to network resources. During the establishment of a VPN connection, the VPN gateway can pause the IKE exchange with an XAUTH request. At that point, the remote user must provide authentication information, such as a user name and password or a challenge response computed from them. The gateway verifies this information first against the local User Database (if RADIUS-PAP is enabled) and then by relaying it to a central authentication server such as a RADIUS server.
To configure the Primary RADIUS Server:

1. Select VPN > IPsec VPN from the main/submenu.
2. Click the RADIUS Client tab. The RADIUS Client screen displays.
3. To activate (enable) the Primary RADIUS server, click the Yes radio button. The primary server options become active.
4. Configure the following entries:
• Primary RADIUS Server IP address. The IP address of the RADIUS server.
• Secret Phrase. Transactions between the client and the RADIUS server are authenticated using a shared secret phrase, so the same Secret Phrase must be configured on both client and server. This secret is the only protection on the firewall-to-server leg: it authenticates the requests and replies and is all that hides the PAP password in transit (RFC 2865), so use a long random phrase and keep the path between the firewall and the RADIUS server on a trusted network.
• Primary Server NAS Identifier (Network Access Server). Every Access-Request must carry either a NAS-IP-Address or a NAS-Identifier attribute (RFC 2865). If your server identifies the firewall by name, ensure the NAS Identifier is configured identically on both client and server.
The SRXN3205 is acting as a NAS (Network Access Server), allowing network access to external users after verifying their authentication information. In a RADIUS transaction, the NAS must identify itself to the RADIUS server. Depending on the configuration of the RADIUS server, the SRXN3205's IP address may be sufficient as an identifier, or the server may require a name, which you would enter here. This name would also be configured on the RADIUS server, although in some cases it should be left blank on the RADIUS server.
5. Enable a Backup RADIUS Server (if required).
6. Set the Time Out Period, in seconds, that the firewall waits for a response from the RADIUS server.
7. Set the Maximum Retry Count. This is the number of attempts the firewall makes to reach the RADIUS server before giving up.
Figure 6-13
8. Click Apply to save the settings.

Note: Selection of the Authentication Protocol, usually PAP or CHAP, is configured on the individual IKE policy screens.
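The exchange that the RADIUS Client screen configures, shown as an added example (Python, written for this page; it is not NETGEAR firmware and uses no RADIUS library). The firewall side builds an RFC 2865 Access-Request carrying a PAP User-Password hidden under the Secret Phrase plus a NAS-Identifier, and an in-process stand-in for the RADIUS server recovers the password, checks the user and the NAS name, and answers with a Response Authenticator that the firewall verifies. It also follows the lookup order the section describes for RADIUS-PAP: local User Database first, RADIUS only for accounts that are not local. The secret, NAS name, addresses, users and passwords are constructed; Time Out Period and Maximum Retry Count are not modelled because nothing here travels over UDP.

```python
"""RADIUS Access-Request/Accept with PAP (RFC 2865), both sides in one process.
Added example for this page, not NETGEAR code; all values below are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_IDENTIFIER = 1, 2, 4, 32

SHARED_SECRET = b"Long-Random-Secret-Phrase-9f3c2a"   # Secret Phrase, same on both ends
NAS_ID, NAS_IP = "srxn3205-hq", "192.0.2.1"           # Primary Server NAS Identifier
LOCAL_USERS = {"alice": "local-pw"}                   # firewall User Database
RADIUS_USERS = {"bob": "radius-pw"}                   # server-side user store
KNOWN_NAS = {"srxn3205-hq"}                           # NAS names the server accepts


def _attr(attr_type, value):
    # Attribute TLV: Type, Length (includes these two bytes), Value of at most 253 bytes.
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _parse_attrs(data):
    attrs = {}
    while data:
        t, length = struct.unpack("!BB", data[:2])
        if length < 2 or length > len(data):
            raise ValueError("malformed attribute")
        attrs[t], data = data[2:length], data[length:]
    return attrs


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16n, XOR each block with MD5(secret + previous output block),
    seeded with the Request Authenticator. Keyed obfuscation, not encryption: anyone
    who holds the shared secret recovers the password."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16],
                                            hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, authenticator):
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(ident, secret, username, password, nas_id, nas_ip):
    """Firewall (NAS) side. Returns (packet, request_authenticator); the NAS keeps the
    authenticator to check the reply and resends the same packet on each retry."""
    req_auth = os.urandom(16)   # fresh per request; also seeds hide_password
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, hide_password(password.encode(), secret, req_auth))
             + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + _attr(NAS_IDENTIFIER, nas_id.encode()))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + req_auth + attrs, req_auth


def radius_server_handle(packet, secret, users=RADIUS_USERS, known_nas=KNOWN_NAS):
    """Server side: recover the PAP password with the shared secret, check user and NAS,
    reply with Accept/Reject whose Response Authenticator binds reply, request and secret."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    req_auth, attrs = packet[4:20], _parse_attrs(packet[20:length])
    if NAS_IP_ADDRESS not in attrs and NAS_IDENTIFIER not in attrs:
        raise ValueError("RFC 2865: NAS-IP-Address or NAS-Identifier is required")
    expected = users.get(attrs.get(USER_NAME, b"").decode(errors="replace"))
    given = reveal_password(attrs.get(USER_PASSWORD, b""), secret, req_auth)
    ok = (attrs.get(NAS_IDENTIFIER, b"").decode(errors="replace") in known_nas
          and expected is not None and hmac.compare_digest(expected.encode(), given))
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return header + hashlib.md5(header + req_auth + secret).digest()


def verify_response(reply, req_auth, secret, ident):
    """NAS side: accept only an Access-Accept whose Response Authenticator
    MD5(Code+ID+Length+RequestAuth+Attributes+Secret) matches our own request."""
    code, rid, length = struct.unpack("!BBH", reply[:4])
    if rid != ident or length != len(reply) or length < 20:
        return False
    mac = hashlib.md5(reply[:4] + req_auth + reply[20:length] + secret).digest()
    return hmac.compare_digest(mac, reply[4:20]) and code == ACCESS_ACCEPT


def xauth_authenticate(username, password, server_secret=SHARED_SECRET, ident=7):
    """Lookup order the manual gives for RADIUS-PAP: local User Database first, RADIUS
    only when the account is not local. server_secret lets a secret mismatch be shown."""
    if username in LOCAL_USERS:
        return hmac.compare_digest(LOCAL_USERS[username].encode(), password.encode())
    packet, req_auth = build_access_request(ident, SHARED_SECRET, username, password,
                                            NAS_ID, NAS_IP)
    reply = radius_server_handle(packet, server_secret)   # stands in for UDP port 1812
    return verify_response(reply, req_auth, SHARED_SECRET, ident)


if __name__ == "__main__":
    print(xauth_authenticate("alice", "local-pw"))                        # local database
    print(xauth_authenticate("bob", "radius-pw"))                         # Access-Accept
    print(xauth_authenticate("bob", "radius-pw", server_secret=b"typo"))  # secret mismatch
```

The third call shows what a mismatched Secret Phrase looks like from the firewall: the server recovers garbage instead of the password and answers Access-Reject, and even a forged Accept would fail the Response Authenticator check, so the user is simply refused with no indication of which side is misconfigured.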
Chapter 7
Virtual Private Networking Using SSL

The SRXN3205 ProSafe Wireless-N VPN Firewall provides a hardware-based SSL VPN solution designed specifically to provide remote access for mobile users to their corporate resources, bypassing the need for a pre-installed VPN client on their computers. Using the familiar Secure Sockets Layer (SSL) protocol, commonly used for e-commerce transactions, the SRXN3205 can authenticate itself to an SSL-enabled client, such as a standard web browser. Once the authentication and negotiation of encryption information is completed, the server and client can establish an encrypted connection. With support for 10 concurrent sessions, users can easily access the remote network for a customizable, secure, user portal experience from virtually any available platform.
This chapter contains the following sections:
• “Understanding the Portal Options”
• “Planning for SSL VPN”
• “Creating the Portal Layout”
• “Configuring Domains, Groups, and Users”
• “Configuring Applications for Port Forwarding”
• “Configuring the SSL VPN Client”
• “Using Network Resource Objects to Simplify Policies”
• “Configuring User, Group, and Global Policies”
Understanding the Portal Options

The SRXN3205's SSL VPN portal can provide two levels of SSL service to the remote user:

VPN Tunnel

The SRXN3205 can provide the full network connectivity of a VPN tunnel using the remote user's browser in place of a traditional IPsec VPN client. The SSL capability of the user's browser provides authentication and encryption, establishing a secure connection to the firewall. Upon successful connection, an ActiveX-based SSL VPN client is downloaded to the remote PC that allows the remote user to virtually join the corporate network; because it is an ActiveX control, this requires Internet Explorer on Windows. The SSL VPN Client provides a PPP (point-to-point) connection between the client and the firewall, and a virtual network interface is created on the user's PC. The firewall assigns the PC an IP address and DNS server IP addresses, allowing the remote PC to access network resources in the same manner as if it were connected directly to the corporate network, subject to any policy restrictions configured by the administrator.
Port Forwarding

Like VPN Tunnel, Port Forwarding is a web-based client that installs transparently and then creates a virtual, encrypted tunnel to the remote network. However, Port Forwarding differs from VPN Tunnel in several ways. For example, Port Forwarding:
• Only supports TCP connections, not UDP or other IP protocols.
• Detects and reroutes individual data streams on the user's PC to the Port Forwarding connection rather than opening a full tunnel to the corporate network.
• Offers finer-grained control than VPN Tunnel. The administrator defines the individual applications and resources that will be available to remote users, so a remote PC reaches only those endpoints rather than the whole network.

The SSL VPN portal can present the remote user with one or both of these SSL service levels, depending on the configuration by the administrator.
Planning for SSL VPN

To set up and activate SSL VPN connections, you will perform these basic steps in this order:

1. Edit the existing SSL Portal or create a new one.
When remote users log in to the SSL firewall, they see a portal page that you can customize to present the resources and functions that you choose to make available.
2. Create one or more authentication domains for authentication of SSL VPN users.
When remote users log in to the SSL firewall, they must specify a domain to which their login account belongs. The domain determines the authentication method to be used and the portal layout that will be presented, which in turn determines the network resources to which they will have access. Because you must assign a portal layout when creating a domain, the domain is created after you have created the portal layout.
3. Create one or more groups for your SSL VPN users.