ProSafe Gigabit 8 Port VPN Firewall FVS318G Reference Manual
Virtual Private Networking 5-39
v1.1, August 2010
Configuring Extended Authentication (XAUTH)
When connecting many VPN clients to a VPN gateway router, an administrator may want a unique
user authentication method beyond relying on a single common preshared key for all clients.
Although the administrator could configure a unique VPN policy for each user, it is more
convenient for the VPN gateway router to authenticate users from a stored list of user accounts.
XAUTH provides the mechanism for requesting individual authentication information from the
user, and a local User Database or an external authentication server, such as a RADIUS server,
provides a method for storing the authentication information centrally in the local network.
XAUTH is enabled when adding or editing an IKE policy. Two types of XAUTH are available:
• Edge Device. If this is selected, the VPN firewall is used as a VPN concentrator where one or
more gateway tunnels terminate. If this option is chosen, you must specify the authentication
type to be used in verifying credentials of the remote VPN gateways: User Database,
RADIUS-PAP, or RADIUS-CHAP.
• IPSec Host. If you want authentication by the remote gateway, enter a user name and
password to be associated with this IKE policy. If this option is chosen, the remote gateway
must specify the user name and password used for authenticating this gateway.
Configuring XAUTH for VPN Clients
Once the XAUTH has been enabled, you must establish user accounts on the local database to be
authenticated against XAUTH, or you must enable a RADIUS-CHAP or RADIUS-PAP server.
To enable and configure XAUTH:
1. Select VPN from the main menu and Policies from the submenu. The Policies submenu tabs
appear with the IKE Policies screen in view (see Figure 5-18 on page 5-16).
Note: If a RADIUS-PAP server is enabled for authentication, XAUTH will first check the
local User Database for the user credentials. If the user account is not present, the
VPN firewall will then connect to a RADIUS server.
Note: You cannot modify an existing IKE policy to add XAUTH while the IKE policy is
in use by a VPN policy. The VPN policy must be disabled before you can modify
the IKE policy.