XAUTH Server
When many VPN clients connect to a VPN gateway router, XAUTH (IKE Extended Authentication) adds per-user authentication on top of the IKE phase 1 authentication, which uses a pre-shared key or certificate and identifies only the gateway or the client group, not the individual user. Although you could configure a unique VPN policy for each user, it is more convenient for the VPN gateway router to authenticate users against a stored list of user accounts or against an external authentication server such as a RADIUS server.
XAuth Server
The XAuth server is disabled by default. To enable it, select Yes.
Automatic Association
The XAuth server generates a policy and establishes the IKE phase 1 SA based on the settings below. The connecting client must be configured with matching values.
Encryption Algorithm: The cipher used to protect the IKE phase 1 negotiation, under which the XAuth credentials and Mode Configuration data are later exchanged.
Authentication Algorithm: The hash algorithm used to protect the integrity of the IKE phase 1 exchange.
Authentication Method: Select Pre-shared Key for a simple password based key. Selecting RSA-Signature disables the Pre-shared Key text box and uses the Active Self Certificate uploaded on the Certificates page.
Diffie-Hellman (DH) Group: The Diffie-Hellman algorithm is used to exchange keys. The DH group selects the size of the Diffie-Hellman modulus in bits; a larger group is stronger but slower to compute. This setting must match the settings of the remote VPN, or phase 1 negotiation fails.
SA-Lifetime (sec): The time after which the SA expires and is renegotiated. A shorter lifetime limits how much traffic a single key protects, but adds a negotiation delay every time the SA expires.
Mode Configuration
Mode Configuration (IKE Mode Config) lets the XAuth server push an IP address and other network settings to each client after it has authenticated, so the client can reach the tunnel without manual addressing.
IP Address Pool: Specify the start and end IP addresses that will be assigned to clients connecting to the XAuth server
WINS Server: IP Address of a WINS server for name resolution. This field is optional.
DNS Server: IP Address of a DNS server for name resolution.
Authentication Type: Select the user database that will be used to verify account information. Select System Database to verify against the router's own user database; users must be added through the User Database page. To use an external RADIUS server, select either RADIUS – CHAP or RADIUS – PAP, depending on the authentication mode accepted by the RADIUS server. With RADIUS – PAP the router forwards the user's password to the RADIUS server in the User-Password attribute, hidden only by the RADIUS shared secret; with RADIUS – CHAP the router forwards a challenge response instead, so the password itself does not travel between router and RADIUS server (although the RADIUS server must then hold the password in clear text to verify it).
Note: If RADIUS – PAP is selected, the router first checks the System Database to see if the user credentials are available. If the user account is not present, the router then connects to the RADIUS server.
PFS Group: Select the PFS (Perfect Forward Secrecy) group that will be used for the proposal phase of building the tunnel.
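The difference between the RADIUS – PAP and RADIUS – CHAP choices above is in how the user's credential is encoded in the RADIUS Access-Request that the router sends. The following script is an added illustration, not NETGEAR's code: it implements the User-Password hiding of RFC 2865 section 5.2 (PAP) and the CHAP-Password computation of RFC 1994 / RFC 2865 section 5.3, together with the server-side checks. All function names, the shared secret, password, authenticator and challenge values are assumptions constructed for the example.

```python
"""RADIUS credential encodings behind the XAuth "Authentication Type" setting.

RADIUS - PAP : User-Password = password XOR MD5-keystream(shared secret),
               reversible by anyone who holds the shared secret.
RADIUS - CHAP: CHAP-Password = Ident || MD5(Ident || password || challenge),
               not reversible, but the server needs the clear-text password.
Added example, not vendor code; sample values below are constructed.
"""
import hashlib
import hmac
import os


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Encode User-Password as the RADIUS client (the router) does.

    RFC 2865 5.2: zero-pad the password to a multiple of 16 bytes, then
    XOR each 16-byte chunk with MD5(secret || previous chunk ciphertext),
    seeding the chain with the 16-byte Request Authenticator.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = _xor(padded[i:i + 16], keystream)
        out += chunk
        prev = chunk
    return out


def pap_reveal(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Recover the clear-text password from User-Password.

    This is what the RADIUS server does, and what anyone else holding the
    shared secret and a captured Access-Request can do as well.
    Trailing NUL bytes are treated as padding (RFC 2865 allows no other way).
    """
    if not hidden or len(hidden) % 16:
        raise ValueError("User-Password must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += _xor(hidden[i:i + 16], keystream)
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP-Password attribute value: Ident || MD5(Ident || password || challenge).

    The challenge is carried in the CHAP-Challenge attribute (or, if absent,
    the Request Authenticator); the password never appears on the wire.
    """
    if not 0 <= ident <= 255:
        raise ValueError("CHAP identifier is a single byte")
    digest = hashlib.md5(bytes([ident]) + password + challenge).digest()
    return bytes([ident]) + digest


def chap_verify(chap_password: bytes, challenge: bytes, stored_password: bytes) -> bool:
    """Server side: recompute the digest from the stored clear-text password."""
    if len(chap_password) != 17:
        return False
    ident = chap_password[0]
    expected = hashlib.md5(bytes([ident]) + stored_password + challenge).digest()
    return hmac.compare_digest(expected, chap_password[1:])


def demo() -> dict:
    """Run both encodings over constructed sample values and report the checks."""
    secret = b"radius-shared-secret"   # constructed, not a real deployment value
    password = b"vpn-user-pa55word"
    authenticator = os.urandom(16)     # Request Authenticator, fresh per request
    challenge = os.urandom(16)         # CHAP-Challenge, fresh per request
    hidden = pap_hide(password, secret, authenticator)
    chap_pw = chap_response(0x2A, password, challenge)
    return {
        "pap_roundtrip": pap_reveal(hidden, secret, authenticator) == password,
        "pap_wrong_secret": pap_reveal(hidden, b"other-secret", authenticator) != password,
        "chap_ok": chap_verify(chap_pw, challenge, password),
        "chap_wrong_password": chap_verify(chap_pw, challenge, b"guess"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The script shows why the two RADIUS modes differ in exposure: `pap_reveal` succeeds for anyone who learns the shared secret, which is the only thing protecting a PAP password captured between router and RADIUS server, whereas a captured CHAP-Password cannot be turned back into the password, at the cost of the RADIUS server having to store it in recoverable form.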
Traffic Tunnel Security Level
To configure the IPsec SA (IKE phase 2) that will be negotiated for the tunnel, configure the following fields:
PFS Key Group: Enable Perfect Forward Secrecy (PFS) to improve security. It is slower, but it ensures that a fresh Diffie-Hellman exchange is performed for every IKE phase 2 negotiation, so that a compromise of the phase 1 keys does not expose the keys of past or future phase 2 SAs.
SA Lifetime: The time, in seconds, after which the SA expires and is renegotiated.
SA Lifebyte: The number of bytes transferred through the tunnel after which the SA expires.
Note: If both Lifetime and Lifebyte are set, the SA expires when either limit is reached, whichever occurs first.
Encryption Algorithm: The algorithm used to encrypt the tunnel data.
Integrity Algorithm: The algorithm used to verify the integrity of the tunnel data.
Click Apply to save the settings.
Click Reset to discard any changes and revert to the previous settings.
 

2006 © Copyright NETGEAR®
