ProSecure Unified Threat Management (UTM) Appliance Reference Manual
Virtual Private Networking Using IPsec Connections 7-39
v1.0, January 2010
You can enable XAUTH when you manually add or edit an IKE policy. Two types of XAUTH are
available:
• Edge Device. The UTM is used as a VPN concentrator on which one or more gateway tunnels
terminate. You must specify the authentication type that must be used during verification of
the credentials of the remote VPN gateways: User Database, RADIUS-PAP, or RADIUS-
CHAP.
• IPsec Host. Authentication by the remote gateway through a user name and password that are
associated with the IKE policy. The user name and password that are used to authenticate the
UTM must be specified on the remote gateway.
Configuring XAUTH for VPN Clients
Once the XAUTH has been enabled, you must establish user accounts on the User Database to be
authenticated against XAUTH, or you must enable a RADIUS-CHAP or RADIUS-PAP server.
To enable and configure XAUTH:
1. Select VPN > IPSec VPN from the menu. The IPsec VPN submenu tabs appear with the IKE
Policies screen in view (see Figure 7-20 on page 7-24).
2. In the List of IKE Policies table, click the Edit table button to the right of the IKE policy for
which you want to enable and configure XAUTH. The Edit IKE Policy screen displays. This
screen shows the same field as the Add IKE Policy screen (see Figure 7-21 on page 7-26).
3. Locate the Extended Authentication section on the screen.
Note: If a RADIUS-PAP server is enabled for authentication, XAUTH first checks the
local user database for the user credentials. If the user account is not present, the
UTM then connects to a RADIUS server.
Note: You cannot modify an existing IKE policy to add XAUTH while the IKE policy is
in use by a VPN policy. The VPN policy must be disabled before you can modify
the IKE policy.