VPN
XAUTH Server

When connecting many VPN clients to a VPN gateway router, XAUTH allows authentication of users beyond the pre-shared key authentication. Although you could configure a unique VPN policy for each user, it would be convenient if the VPN gateway router authenticated users from a stored list of user accounts or with an external authentication server such as a RADIUS server.
XAuth Server

The XAuth server is disabled by default. To enable it, select Yes.
Automatic Association

The XAuth server generates a policy and establishes an SA based on the settings below.

Encryption Algorithm: The algorithm used to negotiate the SA.

Authentication Algorithm: Specify the authentication algorithm.

Authentication Method: Select Pre-shared Key for a simple password-based key. Selecting RSA-Signature disables the Pre-shared Key text box and uses the Active Self Certificate uploaded on the Certificates page.

Diffie-Hellman (DH) Group: The Diffie-Hellman algorithm is used when exchanging keys. The DH Group sets the algorithm strength in bits. (This setting must match the settings of the remote VPN.)

SA-Lifetime (sec): The time after which the SA expires and is renegotiated. A shorter lifetime improves security but adds a negotiation delay every time the SA expires.
Mode Configuration

XAuth also allows specification of IP addresses and other information for accessing the tunnel.

IP Address Pool: Specify the start and end IP addresses that will be assigned to clients connecting to the XAuth server.

WINS Server: IP address of a WINS server for name resolution. This field is optional.

DNS Server: IP address of a DNS server for name resolution.

Authentication Type: Select the user database that will be used to verify account information. Select System Database to verify against the router's user database. Users must be added through the User Database page. To use an external RADIUS server, select either RADIUS – CHAP or RADIUS – PAP, depending on the authentication mode accepted by the RADIUS server.

Note: If RADIUS – PAP is selected, the router first checks the System Database to see if the user credentials are available. If the user account is not present, the router then connects to the RADIUS server.
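The three Authentication Type choices, including the System Database lookup that precedes RADIUS in RADIUS – PAP mode, modelled in Python as an added example (not the router's firmware and not code from this manual). It assumes the RADIUS encodings of RFC 2865 (User-Password hiding under the shared secret) and RFC 1994 (CHAP response carried in the CHAP-Password attribute); the account stores, shared secret, salt, usernames and passwords are constructed sample data, and the mode strings use a plain hyphen.

```python
"""Router-side XAuth user verification for the three Authentication Type
choices: System Database, RADIUS - CHAP and RADIUS - PAP.

Added illustration, not the router's firmware. The RADIUS attribute encoding
follows RFC 2865 (User-Password hiding) and RFC 1994 / RFC 2865 (CHAP-Password).
All accounts, secrets and credentials below are constructed sample data.
"""
import hashlib
import os
import secrets

RADIUS_SECRET = b"constructed-shared-secret"  # hypothetical router <-> RADIUS secret
_SALT = b"constructed-salt"                   # hypothetical salt for the local store


def _local_hash(password: str) -> bytes:
    """The local System Database stores only a salted hash (constructed scheme)."""
    return hashlib.sha256(_SALT + password.encode()).digest()


# The router's own "System Database" (User Database page): username -> hash.
SYSTEM_DB = {"alice": _local_hash("alice-local-pass")}

# The external RADIUS server's store. CHAP verification recomputes
# MD5(Ident || password || challenge), so it needs the clear-text password.
RADIUS_DB = {"bob": "bob-radius-pass", "alice": "alice-radius-pass"}


def hide_user_password(password: str, authenticator: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16 bytes, then XOR each block
    with MD5(secret || previous block), seeded with the Request Authenticator."""
    p = password.encode()
    p += b"\x00" * (-len(p) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(p), 16):
        block = bytes(x ^ y for x, y in zip(p[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def unhide_user_password(hidden: bytes, authenticator: bytes, secret: bytes) -> str:
    """Inverse of hide_user_password, as the RADIUS server performs it."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00").decode()


def chap_password(ident: int, password: str, challenge: bytes) -> bytes:
    """CHAP-Password attribute value: 1-byte Ident || MD5(Ident || password || challenge)."""
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()


def radius_server(request: dict) -> bool:
    """Minimal Access-Request handler standing in for the external RADIUS server."""
    stored = RADIUS_DB.get(request["User-Name"])
    if stored is None:
        return False
    if "CHAP-Password" in request:
        ident = request["CHAP-Password"][0]
        expected = chap_password(ident, stored, request["CHAP-Challenge"])
        return secrets.compare_digest(request["CHAP-Password"], expected)
    sent = unhide_user_password(request["User-Password"], request["Authenticator"], RADIUS_SECRET)
    return secrets.compare_digest(sent.encode(), stored.encode())


def xauth_authenticate(username: str, password: str, auth_type: str, radius=radius_server) -> bool:
    """Verify XAuth credentials as the page describes each Authentication Type.
    In RADIUS - PAP mode the System Database is consulted first and RADIUS is
    contacted only when the account is absent locally; RADIUS - CHAP goes
    straight to the RADIUS server."""
    if auth_type in ("System Database", "RADIUS - PAP") and username in SYSTEM_DB:
        return secrets.compare_digest(SYSTEM_DB[username], _local_hash(password))
    if auth_type == "System Database":
        return False
    authenticator = os.urandom(16)  # fresh Request Authenticator per request
    request = {"User-Name": username, "Authenticator": authenticator}
    if auth_type == "RADIUS - CHAP":
        ident = secrets.randbelow(256)
        request["CHAP-Challenge"] = authenticator
        request["CHAP-Password"] = chap_password(ident, password, authenticator)
    elif auth_type == "RADIUS - PAP":
        request["User-Password"] = hide_user_password(password, authenticator, RADIUS_SECRET)
    else:
        raise ValueError(f"unknown Authentication Type: {auth_type}")
    return radius(request)


if __name__ == "__main__":
    for user, pw, mode in [("alice", "alice-local-pass", "System Database"),
                           ("bob", "bob-radius-pass", "RADIUS - CHAP"),
                           ("bob", "bob-radius-pass", "RADIUS - PAP"),
                           ("alice", "alice-radius-pass", "RADIUS - PAP")]:
        print(f"{mode:16} {user:6} -> {xauth_authenticate(user, pw, mode)}")
```

The last run in the usage loop fails on purpose: alice exists in the System Database, so in RADIUS – PAP mode her RADIUS password is never tried. The two RADIUS paths also show why the choice depends on what the RADIUS server accepts: verifying CHAP requires the server to hold the clear-text password, whereas with PAP it receives the password (hidden under the shared secret) and can compare it against a stored hash. The router itself holds the clear-text password in both cases, since XAuth delivers it over the IKE-protected channel.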
PFS Group: Select the PFS group that will be used for the Proposal phase of building the tunnel.
Traffic Tunnel Security Level

To configure the SA that will be negotiated by the tunnel, configure the following fields:

PFS Key Group: Enable Perfect Forward Secrecy (PFS) to improve security. While this is slower, it ensures that a Diffie-Hellman exchange is performed for every IKE phase-2 negotiation.

SA Lifetime: The time, in seconds, after which the SA expires and is renegotiated.

SA Lifebyte: The number of bytes transferred through the tunnel after which the SA expires.

Note: If both Lifetime and Lifebyte are specified, the SA expires when whichever limit is reached first.

Encryption Algorithm: The algorithm used to encrypt the data.

Integrity Algorithm: The algorithm used to verify the integrity of the data.

Click Apply to save the settings.

Click Reset to discard any changes and revert to the previous settings.