Dell 6.2 Server User Manual


 
286 | Virtual Private Networks Dell PowerConnect W-Series ArubaOS 6.2 | User Guide
digital certificates; for XAuth clients using smart cards, the smart card digital certificates must be used for IKE
authentication. The client is authenticated with the internal database on the controller.
On the controller, you need to configure the following:
1. Add entries for Cisco VPN XAuth clients to the controller's internal database, or to an external RADIUS
or LDAP server. For details on configuring an authentication server, see "Authentication Servers" on page 168.
NOTE: For each client, you need to create an entry in the internal database with the entire Principal name (SubjectAltname in X.509
certificates) or Common Name as it appears on the certificate.
2. Verify that the server with the client data is part of the server group associated with the VPN authentication
profile.
3. In the L2TP and XAUTH Parameters section of the Configuration>VPN Services>IPsec tab, enable L2TP.
4. In the L2TP and XAUTH Parameters section of the Configuration>VPN Services>IPsec tab, enable XAuth to
enable prompting for the username and password.
5. The Phase 1 IKE exchange for XAuth clients can be either Main Mode or Aggressive Mode. Aggressive Mode
condenses the IKE SA negotiations into three packets (versus six packets for Main Mode). In the Aggressive
Mode section of the Configuration>VPN Services>IPsec tab, enter the authentication group name for
aggressive mode to associate this setting with multiple clients. Make sure that the group name matches the
aggressive mode group name configured in the VPN client software.
6. Configure other VPN settings as described in "Configuring a VPN for L2TP/IPsec with IKEv2 in the WebUI" on
page 279, while ensuring that the following settings are selected:
• In the L2TP and XAUTH Parameters section of the Configuration>VPN Services>IPsec tab, enable
L2TP.
• In the L2TP and XAUTH Parameters section of the Configuration>VPN Services>IPsec tab, enable
XAuth to enable prompting for the username and password.
• Define an IKE policy to use RSA or ECDSA authentication.
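The note in step 1 requires that each internal-database entry carry the client's principal name (from SubjectAltName) or, failing that, the Common Name, exactly as it appears on the certificate. The script below is an added example, not part of the Dell/Aruba guide: it walks the two relevant DER structures of a client certificate (the Subject Name and the SubjectAltName extension value) and prints the matching `local-userdb add` command. The certificate material is constructed in the script itself rather than read from a real certificate, and it assumes "Principal name" means the Microsoft User Principal Name otherName (OID 1.3.6.1.4.1.311.20.2.3); an rfc822Name is used as a fallback when no UPN is present. In a real deployment the same fields would be taken from the issued smart-card certificate.

```python
"""Derive the internal-database username for a smart-card VPN client from its
certificate identity: SubjectAltName principal name if present, else the CN.
All DER below is constructed for this example; it is not a real certificate."""

UPN_OID = "1.3.6.1.4.1.311.20.2.3"   # Microsoft UPN otherName (assumed meaning of "Principal name")
CN_OID = "2.5.4.3"                   # id-at-commonName


# --- minimal DER helpers (definite lengths only) -----------------------------
def der(tag, payload):
    """Encode one DER TLV; used only to build the sample input."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def der_children(buf):
    """Split the content of a constructed DER value into (tag, content) pairs."""
    pos, out = 0, []
    while pos < len(buf):
        tag, n, pos = buf[pos], buf[pos + 1], pos + 2
        if n & 0x80:                       # long-form length
            k = n & 0x7F
            n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
        out.append((tag, buf[pos:pos + n]))
        pos += n
    return out


def _unwrap(tlv):
    """Return the content of a single top-level TLV."""
    (_, content), = der_children(tlv)
    return content


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(chunk)
    return bytes(body)


def decode_oid(b):
    arcs, val = [b[0] // 40, b[0] % 40], 0
    for byte in b[1:]:
        val = (val << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


# --- identity extraction ----------------------------------------------------
def common_name(subject_der):
    """CN from an X.501 Name, returned byte-for-byte (no trimming or case folding)."""
    for _, rdn in der_children(_unwrap(subject_der)):          # each RDN is a SET
        for _, ava in der_children(rdn):                        # AttributeTypeAndValue
            (_, oid), (_, value) = der_children(ava)
            if decode_oid(oid) == CN_OID:
                return value.decode("utf-8")
    return None


def principal_name(san_der):
    """Principal name from a SubjectAltName GeneralNames value:
    the UPN otherName if present, otherwise the first rfc822Name."""
    rfc822 = None
    for tag, content in der_children(_unwrap(san_der)):
        if tag == 0xA0:   # [0] otherName ::= SEQUENCE { type-id OID, value [0] EXPLICIT ANY }
            (_, oid), (_, explicit) = der_children(content)
            if decode_oid(oid) == UPN_OID:
                (_, upn), = der_children(explicit)
                return upn.decode("utf-8")
        elif tag == 0x81 and rfc822 is None:   # [1] rfc822Name IA5String
            rfc822 = content.decode("ascii")
    return rfc822


def internal_db_username(subject_der, san_der=None):
    """Entire principal name when the certificate has one, else the Common Name."""
    if san_der is not None:
        principal = principal_name(san_der)
        if principal:
            return principal
    cn = common_name(subject_der)
    if cn is None:
        raise ValueError("certificate carries neither a principal name nor a CN")
    return cn


def local_userdb_command(username, password):
    return f"local-userdb add username {username} password {password}"


def build_sample():
    """Constructed Subject Name and SAN value for a hypothetical client 'jsmith'."""
    def ava(oid, text):
        return der(0x30, der(0x06, encode_oid(oid)) + der(0x0C, text.encode()))
    subject = der(0x30, der(0x31, ava("2.5.4.10", "Example Corp")) + der(0x31, ava(CN_OID, "jsmith")))
    upn = der(0xA0, der(0x06, encode_oid(UPN_OID)) + der(0xA0, der(0x0C, b"jsmith@corp.example.com")))
    san = der(0x30, der(0x81, b"jsmith@example.com") + upn)
    return subject, san


if __name__ == "__main__":
    subject, san = build_sample()
    print(local_userdb_command(internal_db_username(subject, san), "<password>"))
    print(local_userdb_command(internal_db_username(subject), "<password>"))   # CN fallback
```

The generated lines are the ones the guide has you enter in enable mode; the username is emitted unchanged because the controller matches it against the certificate identity, so any normalisation (lower-casing, stripping the domain) would make the lookup fail.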
The following example describes the steps to use the command-line interface to configure a VPN for Cisco Smart
Card Clients using certificate authentication and IKEv1, where the client is authenticated against user entries added
to the internal database:
(host)(config) #aaa authentication vpn default
server-group internal
(host)(config) #no crypto-local isakmp xauth
(host)(config) #vpdn group l2tp
enable
client dns 101.1.1.245
(host)(config) #ip local pool sc-clients 10.1.1.1 10.1.1.250
(host)(config) #crypto-local isakmp server-certificate MyServerCert
(host)(config) #crypto-local isakmp ca-certificate TrustedCA
(host)(config) #crypto isakmp policy 1
authentication rsa-sig
Enter the following command in enable mode to add each client entry to the internal database, using the principal name or Common Name exactly as it appears on the client certificate:
(host) #local-userdb add username <name> password <password>