NETGEAR ProSafe SSL VPN Concentrator 25 SSL312 Reference Manual

3-2

Authenticating Users

v1.1, November 2006

All of the configured domains will be listed in the table in the Domains window. The domains are

listed in the order in which they were created. By default, the geardomain authentication domain is

already defined, using the SSL VPN Concentrator’s local internal user database for user

authentication.

Additional domains may be created that use the internal user database authentication or require

authentication to remote authentication servers. The SSL VPN Concentrator supports RADIUS

(

PAP, CHAP, MSCHAP, and MSCHAPV2

), LDAP, NT Domain, and Active Directory

authentication in addition to internal user database authentication.

Because a portal layout (such as portal pages, themes, banners, etc.) must be associated with a

domain, multiple domains are necessary if you wish to display different portal layouts to different

users.

Local User Database Authentication

You can create multiple domains that authenticate users with user names and passwords stored in a

local user database on the SSL VPN Concentrator.

To add a new authentication domain using the local user database:

1.

In the Domains menu, click Add Domain. An Add Domain window similar to the following

displays.

2.

From the Authentication Type pull-down menu, select Local User Database.

3.

In the Domain Name field, enter a descriptive name for the authentication domain. This is the

domain name users will select in order to log into the SSL VPN portal.

Figure 3-2

NETGEAR ProSafe SSL VPN Concentrator 25 SSL312 Reference Manual

Authenticating Users

3-3

v1.1, November 2006

4.

In the Portal Layout Name pull-down menu, select the name of the layout. The default layout

is SSL-VPN. You can define additional layouts in the Portal Layouts screen.

5.

To force users to supply a valid digital certificate before granting access, check the Require

client digital certificates radio box. The CNAME of the client certificate must match the user

name that the user supplies to log in and the certificate must be generated by a certificate

authority (CA) that is trusted by SSL VPN Concentrator.

6.

Click Apply to update the configuration. Once the domain has been added, the domain is

displayed in the table on the Domains screen

RADIUS and NT Domain Authentication

For authentication to RADIUS or Microsoft NT domains (using Kerberos), you can individually

define authentication, authorization, and accounting (AAA) users and groups. This is not required,

but it allows you to create separate policies or bookmarks for individual AAA users.

When a user logs in, the SSL VPN Concentrator will validate with the appropriate RADIUS or NT

server that the user is authorized to log in. If the user is authorized, the SSL VPN Concentrator will

check to see if a user exists in the SSL VPN Concentrator Users and Groups database. If the user is

defined, then the policies and bookmarks defined for the user will apply.

For example, if you create a RADIUS domain in the SSL VPN Concentrator called “Miami

RADIUS server”, you can add users to groups that are members of the “Miami RADIUS server”

domain. These user names must match the names configured in the RADIUS server. Then, when

users log in to the portal, policies, bookmarks and other user settings will apply to the users. If the

AAA user does not exist in the SSL VPN Concentrator, then only the global settings, policies and

bookmarks will apply to the user.

Configuring for RADIUS Domain Authentication

To create a domain with Radius authentication:

1.

Click Add Domain. An Add Domain window displays.

NETGEAR ProSafe SSL VPN Concentrator 25 SSL312 Reference Manual

3-4

Authenticating Users

v1.1, November 2006

2.

From the Authentication Type pull-down menu, select a RADIUS domain. The Add Domain

window displays the fields for a domain for Radius authentication.

3.

In the Domain Name field, enter a descriptive name for the authentication domain. This is the

domain name users will select in order to log into the SSL VPN portal.

4.

In the Radius Server Address field, enter the IP address or domain name of the Radius server.

5.

If an authentication secret is required by the Radius server, enter it in the Secret Password

field.

6.

From the Portal Layout Name drop-down menu, select the name of the layout. The default

layout is SSL-VPN. You can define additional layouts in the Portal Layouts page.

7.

Check the Require client digital certificates checkbox to force users to supply a valid digital

certificate before granting access. The CNAME of the client certificate must match the user

name that the user supplies to log in and the certificate must be generated by a certificate

authority (CA) that is trusted by SSL VPN Concentrator.

8.

Click Apply to update the configuration. Once the domain has been added, the domain

displays in the table on the Domains screen.

Figure 3-3

NETGEAR ProSafe SSL VPN Concentrator 25 SSL312 Reference Manual

Authenticating Users

3-5

v1.1, November 2006

Configuring for NT Domain Authentication

To configure NT Domain authentication, click Add Domain. An Add Domain window displays. In

the Add Domain window:

1.

From the Authentication Type menu, select NT Domain. The Add Domain window displays

the fields for a domain with NT authentication:

2.

In the Domain Name field, enter a descriptive name for the authentication domain. This is the

domain name selected by users when they authenticate to the SSL VPN portal. It may be the

same value as the NT Domain Name.

3.

In the NT Server Address field, enter the IP address or host and domain name of the server.

4.

In the NT Domain Name field, enter the NT authentication domain. This is the domain name

configured on the Windows authentication server for network authentication.

5.

From the Portal Layout Name pull-down menu, select the name of the layout. The default

layout is SSL-VPN. You can define additional layouts in the Portal Layouts page.

Figure 3-4

NETGEAR ProSafe SSL VPN Concentrator 25 SSL312 Reference Manual

3-6

Authenticating Users

v1.1, November 2006

6.

To force users to supply a valid digital certificate before granting access, check the Require

client digital certificates radio box. The CNAME of the client certificate must match the user

name that the user supplies to log in and the certificate must be generated by a certificate

authority (CA) that is trusted by the SSL VPN Concentrator.

7.

Click Apply to update the configuration. Once the domain has been added, the domain

displays in the table in the Domains screen.

LDAP Authentication

LDAP (Lightweight Directory Access Protocol) is a standard for querying and updating a

directory. Since LDAP supports a multilevel hierarchy (for example, groups or organizational

units), the SSL VPN Concentrator can query this information and provide specific group policies

or bookmarks based on LDAP attributes. By configuring LDAP attributes, the SSL VPN

Concentrator administrator can leverage the groups that have already been configured in an LDAP

or Active Directory database, rather than manually recreating the same groups in the SSL VPN

Concentrator.

Once an LDAP authentication domain is created, a default LDAP group will be created with the

same name as the LDAP domain name. Although you can add additional groups to or delete

groups from this domain, you cannot delete the default LDAP group.

For an LDAP group, you can define LDAP attributes. For example, you can specify that users in

an LDAP group must be members of a certain group or organizational unit defined on the LDAP

server. Or you can specify a unique LDAP distinguished name.

To add an LDAP authentication domain, see

“Authentication Domains” in Chapter 3

.

Sample LDAP Attributes

You can enter up to 4 LDAP attributes per group. The following are some example LDAP

attributes of Active Directory LDAP users:

Note:

The Microsoft Active Directory database uses an LDAP organization schema. The

Active Directory database can be queried using Kerberos authentication (the

standard authentication type; this is labeled “Active Directory” domain

authentication in the SSL VPN Concentrator), NTLM authentication (labeled “NT

Domain” authentication in the SSL VPN Concentrator), or using LDAP database

queries. So, an LDAP domain configured in the SSL VPN Concentrator can

authenticate to an Active Directory server.