Dell 6.2 Server User Manual


 
a. Select Internal DB to display entries for the internal database.
b. Click Add User.
c. Enter username and password information for the client.
d. Click Enabled to activate this entry on creation.
e. Click Apply.
2. Navigate to the Configuration > Security > Authentication > L3 Authentication window.
a. Under default VPN Authentication Profile, select Server Group.
b. Select the internal server group from the drop-down menu.
c. Click Apply.
3. Navigate to the Configuration > Advanced Services > VPN Services > IPsec window.
a. Select Enable L2TP (this is enabled by default).
b. Select PAP for Authentication Protocols.
4. Configure other VPN settings as described in "Configuring a VPN for L2TP/IPsec with IKEv2 in the WebUI" on
page 279, while ensuring that the following settings are selected:
• In the L2TP and XAUTH Parameters section of the Configuration > VPN Services > IPsec tab, enable L2TP.
• In the L2TP and XAUTH Parameters section of the Configuration > VPN Services > IPsec tab, select PAP as
the authentication protocol.
In the CLI
The following example uses the command-line interface to configure an L2TP/IPsec VPN for username/password
clients using IKEv1.
(host)(config) #vpdn group l2tp
   enable
   ppp authentication pap
   client dns 101.1.1.245
(host)(config) #ip local pool pw-clients 10.1.1.1 10.1.1.250
(host)(config) #crypto isakmp key <key> address 0.0.0.0 netmask 0.0.0.0
(host)(config) #crypto isakmp policy 1
   authentication pre-share
Next, issue the following command in enable mode to configure client entries in the internal database:
(host)(config) #local-userdb add username <name> password <password>
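A review check for the settings this CLI procedure produces, as an added example that is not part of the Dell manual: it parses the commands and reports the PAP setting, the scope of the IKE pre-shared key, and the size of the client address pool. The function names and the indented saved-configuration layout of the input are assumptions; the key is left as the manual's <key> placeholder.

```python
import ipaddress

# Constructed input: the commands from the CLI procedure above, laid out the way a
# saved configuration indents sub-commands (assumed layout), with a placeholder key.
SAMPLE_CONFIG = """\
vpdn group l2tp
  enable
  ppp authentication pap
  client dns 101.1.1.245
ip local pool pw-clients 10.1.1.1 10.1.1.250
crypto isakmp key <key> address 0.0.0.0 netmask 0.0.0.0
crypto isakmp policy 1
  authentication pre-share
"""

def parse_blocks(config):
    """Map each top-level command to the indented sub-commands under it."""
    blocks, current = {}, None
    for line in filter(str.strip, config.splitlines()):  # skip blank lines
        if line[0].isspace() and current is not None:
            blocks[current].append(line.strip())
        else:
            current = line.strip()
            blocks[current] = []
    return blocks

def audit(config):
    """Return (setting, note) findings for the L2TP/IPsec password-client settings."""
    findings = []
    for head, subs in parse_blocks(config).items():
        words = head.split()
        if words[:2] == ["vpdn", "group"]:
            for sub in subs:
                if sub.split()[:2] == ["ppp", "authentication"] and "pap" in sub.split()[2:]:
                    findings.append(("l2tp-pap", "PAP carries the password unhashed inside "
                                     "PPP; only the IPsec tunnel protects it"))
        elif words[:3] == ["crypto", "isakmp", "key"] and "address" in words and "netmask" in words:
            addr, mask = (words[words.index(k) + 1] for k in ("address", "netmask"))
            if ipaddress.ip_network(f"{addr}/{mask}", strict=False).prefixlen == 0:
                findings.append(("psk-any-peer", "pre-shared key applies to every peer "
                                 "address, so all clients share one IKE secret"))
        elif words[:3] == ["ip", "local", "pool"] and len(words) == 6:
            first, last = (ipaddress.ip_address(w) for w in words[4:6])
            findings.append(("pool-size", f"{words[3]}: {int(last) - int(first) + 1} addresses"))
    return findings

if __name__ == "__main__":
    print("\n".join(f"{name}: {note}" for name, note in audit(SAMPLE_CONFIG)))
```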
Configuring Remote Access VPNs for XAuth
Extended Authentication (XAuth) is an Internet Draft that allows user authentication after IKE Phase 1
authentication. This authentication prompts the user for a username and password, with user credentials
authenticated with an external RADIUS or LDAP server or the controller’s internal database. Alternatively, the user
can start the client authentication with a smart card which contains a digital certificate to verify the client
credentials. IKE Phase 1 authentication can be done with either an IKE preshared key or digital certificates.
Configuring VPNs for XAuth Clients using Smart Cards
This section describes how to configure a remote access VPN on the controller for Cisco VPN XAuth clients using
smart cards. (A smart card contains a digital certificate which allows user-level authentication without the user
entering a username and password.) IKE Phase 1 authentication can be done with either an IKE preshared key or
Dell PowerConnect W-Series ArubaOS 6.2 | User Guide    Virtual Private Networks | 285