Dell 6.2 Server User Manual

284 | Virtual Private Networks Dell PowerConnect W-Series ArubaOS 6.2 | User Guide
Working with Smart Card Clients using IKEv1
Microsoft clients using IKEv1 (including clients running Windows Vista or earlier versions of Windows) only support machine authentication using a pre-shared key. In this scenario, user-level authentication is performed by an external RADIUS server using PPP EAP-TLS, and the client and server certificates are mutually authenticated during the EAP-TLS exchange. During the authentication, the controller encapsulates EAP-TLS messages from the client into RADIUS messages and forwards them to the server.
On the controller, you need to configure the L2TP/IPsec VPN with EAP as the PPP authentication protocol and an IKE policy for preshared key authentication of the SA.
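The encapsulation described above, as an added example that is not part of this guide or of ArubaOS: a Python model of how a NAS such as the controller carries an EAP-TLS packet inside RADIUS EAP-Message attributes (RFC 3579), splits an EAP packet longer than 253 bytes across consecutive attributes, and adds the Message-Authenticator attribute that the RADIUS server uses to detect forged or altered EAP-carrying requests. The shared secret, user name and TLS bytes are constructed sample values; the verification function is written from the server's side and rejects a request whose EAP payload was altered, one sent with the wrong shared secret, or one lacking a Message-Authenticator.

```python
import hashlib
import hmac
import struct

# RADIUS / EAP constants (RFC 2865, RFC 3579, RFC 3748, RFC 5216)
RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
EAP_CODE_RESPONSE = 2
EAP_TYPE_TLS = 13
RADIUS_HEADER_LEN = 20
MAX_ATTR_VALUE = 253  # the one-byte attribute length also counts the 2-byte header


def build_eap_tls_response(identifier: int, flags: int, tls_data: bytes) -> bytes:
    """EAP-Response carrying EAP-TLS: Code, Identifier, Length, Type, Flags, data."""
    body = bytes([EAP_TYPE_TLS, flags]) + tls_data
    return struct.pack("!BBH", EAP_CODE_RESPONSE, identifier, 4 + len(body)) + body


def attribute(attr_type: int, value: bytes) -> bytes:
    if len(value) > MAX_ATTR_VALUE:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def split_eap_message(eap_packet: bytes) -> list:
    """RFC 3579 3.1: an EAP packet longer than 253 bytes is carried in consecutive
    EAP-Message attributes, which the receiver concatenates in order."""
    return [attribute(ATTR_EAP_MESSAGE, eap_packet[i:i + MAX_ATTR_VALUE])
            for i in range(0, len(eap_packet), MAX_ATTR_VALUE)]


def build_access_request(secret: bytes, identifier: int, request_authenticator: bytes,
                         user_name: str, eap_packet: bytes) -> bytes:
    """Encapsulate an EAP packet the way a NAS (here the controller) does."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    attrs = attribute(ATTR_USER_NAME, user_name.encode())
    attrs += b"".join(split_eap_message(eap_packet))
    # Message-Authenticator is mandatory alongside EAP-Message. It is an HMAC-MD5
    # over the whole packet computed with its own value zeroed, then written in place.
    attrs += attribute(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, identifier,
                         RADIUS_HEADER_LEN + len(attrs)) + request_authenticator
    packet = header + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac  # the placeholder is the last attribute, so the last 16 bytes


def parse_attributes(packet: bytes):
    """Yield (offset, type, value) per attribute, rejecting inconsistent lengths."""
    if len(packet) < RADIUS_HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet):
        raise ValueError("RADIUS length field does not match packet size")
    off = RADIUS_HEADER_LEN
    while off < length:
        if off + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[off], packet[off + 1]
        if attr_len < 2 or off + attr_len > length:
            raise ValueError("bad attribute length")
        yield off, attr_type, packet[off + 2:off + attr_len]
        off += attr_len


def verify_message_authenticator(secret: bytes, packet: bytes) -> bool:
    """Server-side check: recompute the HMAC-MD5 with the attribute value zeroed."""
    for off, attr_type, value in parse_attributes(packet):
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            if len(value) != 16:
                return False
            zeroed = packet[:off + 2] + bytes(16) + packet[off + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False  # EAP-Message without Message-Authenticator must be discarded


def reassemble_eap(packet: bytes) -> bytes:
    """Concatenate the EAP-Message attribute values back into one EAP packet."""
    return b"".join(v for _, t, v in parse_attributes(packet) if t == ATTR_EAP_MESSAGE)


def demo():
    secret = b"constructed-shared-secret"            # constructed, not a real secret
    tls_fragment = bytes(range(256)) * 2 + bytes(88)  # 600 constructed bytes of TLS data
    eap = build_eap_tls_response(identifier=7, flags=0x00, tls_data=tls_fragment)
    req = build_access_request(secret, 42, b"\x11" * 16, "smartcard-user", eap)
    tampered = bytearray(req)
    tampered[40] ^= 0x01  # flips one bit inside the first EAP-Message value
    return (verify_message_authenticator(secret, req),
            verify_message_authenticator(secret, bytes(tampered)),
            verify_message_authenticator(b"wrong-secret", req),
            reassemble_eap(req) == eap,
            len(split_eap_message(eap)))
```

Calling demo() builds one Access-Request from a 600-byte EAP-TLS fragment, which lands in three EAP-Message attributes, and checks that the server accepts the untouched request and rejects a one-bit change or a wrong shared secret. The same zero-then-HMAC rule protects the Access-Challenge and Access-Accept the server returns, so the controller should apply the check in that direction as well.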
NOTE: On the RADIUS server, you must configure a remote access policy to allow EAP authentication for smart card users and select a server certificate. The user entry in Microsoft Active Directory must be configured for smart cards.
To configure an L2TP/IPsec VPN for clients using smart cards and IKEv1, ensure that the following settings are configured:
1. On a RADIUS server, you must configure a remote access policy to allow EAP authentication for smart card users and select a server certificate. The user entry in Microsoft Active Directory must be configured for smart cards. (For detailed information on creating and managing user roles and policies, see "Roles and Policies" on page 296.)
- Ensure that the RADIUS server is part of the server group used for VPN authentication.
- Configure other VPN settings as described in "Configuring a VPN for L2TP/IPsec with IKEv2 in the WebUI" on page 279, while selecting the following options:
  - Select Enable L2TP.
  - Select EAP for the Authentication Protocol.
  - Define an IKE Shared Secret to be used for machine authentication. (To make the IKE key global, specify 0.0.0.0 for both the subnet and the subnet mask.)
  - Configure the IKE policy for Pre-Share authentication.
Configuring a VPN for Clients with User Passwords
This section describes how to configure a remote access VPN on the controller for L2TP/IPsec clients with user passwords. As described previously in this section, L2TP/IPsec requires two levels of authentication: first, IKE SA authentication, and then user-level authentication with the PAP authentication protocol. The IKE SA is authenticated with a preshared key, which you must configure as an IKE shared secret on the controller. User-level authentication is performed by the controller’s internal database.
On the controller, you need to configure the following:
- AAA database entries for usernames and passwords
- A VPN authentication profile, which defines the internal server group and the default role assigned to authenticated clients
- An L2TP/IPsec VPN with PAP as the PPP authentication protocol (IKEv1 only)
- (For IKEv1 clients) An IKE policy for preshared key authentication of the SA
- (For IKEv2 clients) A server certificate to authenticate the controller to clients and a CA certificate to authenticate VPN clients
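The IKE SA preshared-key authentication described above, as an added worked example rather than the guide's own material: Python implementing the IKEv1 main-mode key and hash derivation from RFC 2409 for the pre-shared-key method, with HMAC-SHA1 assumed as the negotiated hash algorithm and all nonces, cookies, Diffie-Hellman values and identities replaced by constructed fixed bytes. It shows that SKEYID depends only on the preshared key and the two nonces, and that the controller accepts an initiator's HASH_I only if both sides hold the same secret. That is why a single global key (subnet 0.0.0.0) makes every client's IKE authentication rest on one secret, and why per-client keys, or IKEv2 with the certificates listed above, are the stronger choice.

```python
import hashlib
import hmac


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf when SHA-1 is the negotiated hash (RFC 2409 section 5): HMAC-SHA1.
    Assumed for this example; the controller uses whatever the IKE policy negotiates."""
    return hmac.new(key, data, hashlib.sha1).digest()


def skeyid_psk(psk: bytes, ni_b: bytes, nr_b: bytes) -> bytes:
    """Pre-shared-key method, RFC 2409 section 5.4: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)."""
    return prf(psk, ni_b + nr_b)


def derive_skeyids(skeyid: bytes, g_xy: bytes, cky_i: bytes, cky_r: bytes):
    """SKEYID_d, SKEYID_a and SKEYID_e (RFC 2409 section 5): the sources of the
    IPsec, authentication and encryption keys. The trailing bytes are the literal 0, 1, 2."""
    skeyid_d = prf(skeyid, g_xy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + g_xy + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + g_xy + cky_i + cky_r + b"\x02")
    return skeyid_d, skeyid_a, skeyid_e


def hash_i(skeyid, g_xi, g_xr, cky_i, cky_r, sai_b, idii_b) -> bytes:
    """HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)."""
    return prf(skeyid, g_xi + g_xr + cky_i + cky_r + sai_b + idii_b)


def hash_r(skeyid, g_xi, g_xr, cky_i, cky_r, sai_b, idir_b) -> bytes:
    """HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)."""
    return prf(skeyid, g_xr + g_xi + cky_r + cky_i + sai_b + idir_b)


def responder_accepts(psk: bytes, ex: dict, received_hash_i: bytes) -> bool:
    """The controller (responder) recomputes HASH_I from its own copy of the preshared
    key; a client holding a different key cannot produce a matching value."""
    skeyid = skeyid_psk(psk, ex["ni"], ex["nr"])
    expected = hash_i(skeyid, ex["g_xi"], ex["g_xr"], ex["cky_i"], ex["cky_r"],
                      ex["sai_b"], ex["idii_b"])
    return hmac.compare_digest(expected, received_hash_i)


def demo():
    # Constructed exchange values: fixed bytes stand in for the real nonces, cookies,
    # DH public values, shared DH secret and the SA / ID payload bodies.
    ex = {
        "ni": b"\x01" * 16, "nr": b"\x02" * 16,
        "g_xi": b"\x03" * 128, "g_xr": b"\x04" * 128, "g_xy": b"\x08" * 128,
        "cky_i": b"\x05" * 8, "cky_r": b"\x06" * 8,
        "sai_b": b"\x07" * 40,
        # ID_IPV4_ADDR body with a documentation address, constructed
        "idii_b": b"\x01\x00\x00\x00" + bytes([192, 0, 2, 10]),
    }
    client_psk = controller_psk = b"constructed-ike-shared-secret"  # constructed
    client_skeyid = skeyid_psk(client_psk, ex["ni"], ex["nr"])
    client_hash = hash_i(client_skeyid, ex["g_xi"], ex["g_xr"], ex["cky_i"],
                         ex["cky_r"], ex["sai_b"], ex["idii_b"])
    accepted = responder_accepts(controller_psk, ex, client_hash)
    rejected = responder_accepts(b"some-other-secret", ex, client_hash)
    d, a, e = derive_skeyids(client_skeyid, ex["g_xy"], ex["cky_i"], ex["cky_r"])
    return accepted, rejected, len({d, a, e})
```

demo() returns (True, False, 3): the controller accepts the client that holds the same IKE shared secret, rejects one with a different secret, and derives three distinct keying values from the one SKEYID. Only SKEYID_d, SKEYID_a and SKEYID_e mix in the Diffie-Hellman result g^xy; SKEYID itself is fixed entirely by the preshared key and the nonces.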
In the WebUI
Use the following procedure to configure an L2TP/IPsec VPN for username/password clients via the WebUI:
1. Navigate to the Configuration > Security > Authentication > Servers window.