NETGEAR ProSafe SSL VPN Concentrator 25 SSL312 Reference Manual
3-2
Authenticating Users
v1.1, November 2006
All of the configured domains will be listed in the table in the Domains window. The domains are
listed in the order in which they were created. By default, the geardomain authentication domain is
already defined, using the SSL VPN Concentrator’s local internal user database for user
authentication.
Additional domains may be created that use the internal user database authentication or require
authentication to remote authentication servers. The SSL VPN Concentrator supports RADIUS
(PAP, CHAP, MSCHAP, and MSCHAPV2), LDAP, NT Domain, and Active Directory
authentication in addition to internal user database authentication.
Because a portal layout (such as portal pages, themes, banners, etc.) must be associated with a
domain, multiple domains are necessary if you wish to display different portal layouts to different
users.
Local User Database Authentication
You can create multiple domains that authenticate users with user names and passwords stored in a
local user database on the SSL VPN Concentrator.
To add a new authentication domain using the local user database:
1. In the Domains menu, click Add Domain. An Add Domain window similar to the following displays.
2. From the Authentication Type pull-down menu, select Local User Database.
3. In the Domain Name field, enter a descriptive name for the authentication domain. This is the domain name users will select in order to log into the SSL VPN portal.
Figure 3-2
4. In the Portal Layout Name pull-down menu, select the name of the layout. The default layout is SSL-VPN. You can define additional layouts in the Portal Layouts screen.
5. To force users to supply a valid digital certificate before granting access, check the Require client digital certificates radio box. The CNAME of the client certificate must match the user name that the user supplies to log in, and the certificate must be generated by a certificate authority (CA) that is trusted by the SSL VPN Concentrator.
6. Click Apply to update the configuration. Once the domain has been added, the domain is displayed in the table on the Domains screen.
RADIUS and NT Domain Authentication
For authentication to RADIUS or Microsoft NT domains (using Kerberos), you can individually
define authentication, authorization, and accounting (AAA) users and groups. This is not required,
but it allows you to create separate policies or bookmarks for individual AAA users.
When a user logs in, the SSL VPN Concentrator will validate with the appropriate RADIUS or NT
server that the user is authorized to log in. If the user is authorized, the SSL VPN Concentrator will
check to see if a user exists in the SSL VPN Concentrator Users and Groups database. If the user is
defined, then the policies and bookmarks defined for the user will apply.
For example, if you create a RADIUS domain in the SSL VPN Concentrator called “Miami
RADIUS server”, you can add users to groups that are members of the “Miami RADIUS server”
domain. These user names must match the names configured in the RADIUS server. Then, when
users log in to the portal, policies, bookmarks and other user settings will apply to the users. If the
AAA user does not exist in the SSL VPN Concentrator, then only the global settings, policies and
bookmarks will apply to the user.
Configuring for RADIUS Domain Authentication
To create a domain with RADIUS authentication:
1. Click Add Domain. An Add Domain window displays.
2. From the Authentication Type pull-down menu, select a RADIUS domain. The Add Domain window displays the fields for a domain with RADIUS authentication.
3. In the Domain Name field, enter a descriptive name for the authentication domain. This is the domain name users will select in order to log into the SSL VPN portal.
4. In the Radius Server Address field, enter the IP address or domain name of the RADIUS server.
5. If an authentication secret is required by the RADIUS server, enter it in the Secret Password field.
6. From the Portal Layout Name drop-down menu, select the name of the layout. The default layout is SSL-VPN. You can define additional layouts in the Portal Layouts page.
7. Check the Require client digital certificates checkbox to force users to supply a valid digital certificate before granting access. The CNAME of the client certificate must match the user name that the user supplies to log in, and the certificate must be generated by a certificate authority (CA) that is trusted by the SSL VPN Concentrator.
8. Click Apply to update the configuration. Once the domain has been added, the domain displays in the table on the Domains screen.
Figure 3-3
Configuring for NT Domain Authentication
To configure NT Domain authentication, click Add Domain. An Add Domain window displays. In the Add Domain window:
1. From the Authentication Type menu, select NT Domain. The Add Domain window displays the fields for a domain with NT authentication.
2. In the Domain Name field, enter a descriptive name for the authentication domain. This is the domain name selected by users when they authenticate to the SSL VPN portal. It may be the same value as the NT Domain Name.
3. In the NT Server Address field, enter the IP address or host and domain name of the server.
4. In the NT Domain Name field, enter the NT authentication domain. This is the domain name configured on the Windows authentication server for network authentication.
5. From the Portal Layout Name pull-down menu, select the name of the layout. The default layout is SSL-VPN. You can define additional layouts in the Portal Layouts page.
Figure 3-4
6. To force users to supply a valid digital certificate before granting access, check the Require client digital certificates radio box. The CNAME of the client certificate must match the user name that the user supplies to log in, and the certificate must be generated by a certificate authority (CA) that is trusted by the SSL VPN Concentrator.
7. Click Apply to update the configuration. Once the domain has been added, the domain displays in the table on the Domains screen.
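The Require client digital certificates step that appears in each of the three procedures above (Local User Database, RADIUS and NT Domain) states a two-part rule: the certificate's subject Common Name (the manual's "CNAME") must equal the login name, and the certificate must chain to a CA the concentrator trusts. The following Go program is an added example of that check, not NETGEAR code; it mints its own constructed CA and client certificates in memory so it runs offline, and shows that a matching CN with an untrusted issuer is still rejected.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// issue mints a constructed test certificate for cn; with parent == nil it is a self-signed CA.
func issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if parent == nil { // CA: may sign certificates, carries no EKU restriction
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else { // leaf: valid only for TLS client authentication
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// clientCertAuthorized applies the manual's rule: subject CN equals the login name AND the
// certificate chains, as a client-auth certificate, to a CA in the concentrator's trust store.
func clientCertAuthorized(client *x509.Certificate, loginName string, trusted *x509.CertPool) error {
	if client.Subject.CommonName != loginName {
		return fmt.Errorf("CN %q does not match login name %q", client.Subject.CommonName, loginName)
	}
	_, err := client.Verify(x509.VerifyOptions{Roots: trusted, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err // nil only when the chain ends at a trusted CA
}

func main() {
	ca, caKey := issue("Corp Internal CA", nil, nil) // constructed CA placed in the trust store
	other, otherKey := issue("Other CA", nil, nil)   // constructed CA that is NOT trusted
	trusted := x509.NewCertPool()
	trusted.AddCert(ca)
	alice, _ := issue("alice", ca, caKey)
	impostor, _ := issue("alice", other, otherKey) // matching CN, untrusted issuer
	fmt.Println(clientCertAuthorized(alice, "alice", trusted), clientCertAuthorized(alice, "bob", trusted), clientCertAuthorized(impostor, "alice", trusted))
}
```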
LDAP Authentication
LDAP (Lightweight Directory Access Protocol) is a standard for querying and updating a
directory. Since LDAP supports a multilevel hierarchy (for example, groups or organizational
units), the SSL VPN Concentrator can query this information and provide specific group policies
or bookmarks based on LDAP attributes. By configuring LDAP attributes, the SSL VPN
Concentrator administrator can leverage the groups that have already been configured in an LDAP
or Active Directory database, rather than manually recreating the same groups in the SSL VPN
Concentrator.
Once an LDAP authentication domain is created, a default LDAP group will be created with the
same name as the LDAP domain name. Although you can add additional groups to or delete
groups from this domain, you cannot delete the default LDAP group.
For an LDAP group, you can define LDAP attributes. For example, you can specify that users in
an LDAP group must be members of a certain group or organizational unit defined on the LDAP
server. Or you can specify a unique LDAP distinguished name.
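The group mapping described above, evaluated in code: an added Go example (not the concentrator's implementation) that checks a constructed directory entry against the LDAP attributes attached to an SSL VPN group. The rule kinds memberOf, ou and dn and the AND-ing of rules are this example's assumptions, since the page does not show the concentrator's attribute syntax; the limit of one to four attributes per group is the manual's.

```go
package main
import (
	"fmt"
	"strings"
)
// ldapUser is a constructed stand-in for the directory entry the concentrator reads after login.
type ldapUser struct {
	DN       string   // distinguishedName
	MemberOf []string // memberOf attribute values
}
// groupRule is one attribute attached to an SSL VPN group: Kind "memberOf" (user belongs to a directory
// group), "ou" (user sits under an organizational unit) or "dn" (exact DN). Kind names are this example's own.
type groupRule struct{ Kind, Value string }
// normDN lower-cases a DN and trims spaces around commas; escaped commas ("\,") are not handled.
func normDN(dn string) string {
	parts := strings.Split(strings.ToLower(dn), ",")
	for i, p := range parts {
		parts[i] = strings.TrimSpace(p)
	}
	return strings.Join(parts, ",")
}

// matchesGroup reports whether the user satisfies every rule (this example AND-s the rules; the manual
// does not state how the concentrator combines them). The manual allows one to four attributes.
func matchesGroup(u ldapUser, rules []groupRule) (bool, error) {
	if len(rules) == 0 || len(rules) > 4 {
		return false, fmt.Errorf("a group takes 1 to 4 LDAP attributes, got %d", len(rules))
	}
	for _, r := range rules {
		ok := false
		switch r.Kind {
		case "dn":
			ok = normDN(u.DN) == normDN(r.Value)
		case "ou": // any OU component of the DN, not only the immediate parent
			ok = strings.Contains(","+normDN(u.DN)+",", ",ou="+strings.TrimSpace(strings.ToLower(r.Value))+",")
		case "memberOf":
			for _, g := range u.MemberOf { ok = ok || normDN(g) == normDN(r.Value) }
		default:
			return false, fmt.Errorf("unknown rule kind %q", r.Kind)
		}
		if !ok { return false, nil } // one failed rule excludes the user from this SSL VPN group
	}
	return true, nil
}

func main() {
	alice := ldapUser{DN: "CN=alice,OU=Sales,OU=Miami,DC=corp,DC=example", // constructed entry
		MemberOf: []string{"CN=VPN Users,OU=Groups,DC=corp,DC=example"}}
	fmt.Println(matchesGroup(alice, []groupRule{{"memberOf", "cn=vpn users,ou=groups,dc=corp,dc=example"}, {"ou", "Miami"}}))
	fmt.Println(matchesGroup(alice, []groupRule{{"ou", "Finance"}}))
}
```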
To add an LDAP authentication domain, see “Authentication Domains” in Chapter 3.
Sample LDAP Attributes
You can enter up to 4 LDAP attributes per group. The following are some example LDAP
attributes of Active Directory LDAP users:
Note: The Microsoft Active Directory database uses an LDAP organization schema. The
Active Directory database can be queried using Kerberos authentication (the
standard authentication type; this is labeled “Active Directory” domain
authentication in the SSL VPN Concentrator), NTLM authentication (labeled “NT
Domain” authentication in the SSL VPN Concentrator), or using LDAP database
queries. So, an LDAP domain configured in the SSL VPN Concentrator can
authenticate to an Active Directory server.