Home » Netgear Manuals » Network Security & Firewall Devices » Netgear SRX5308 » Manual Viewer

Netgear SRX5308 SRX5308 Reference Manual - Page 180

Configuring XAUTH for VPN Clients

UPC - 606449065145

Add to My Manuals
Save this manual to your list of manuals

Page 180 highlights

ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Configuring XAUTH for VPN Clients Once the XAUTH has been enabled, you must establish user accounts on the User Database to be authenticated against XAUTH, or you must enable a RADIUS-CHAP or RADIUS-PAP server. Note: You cannot modify an existing IKE policy to add XAUTH while the IKE policy is in use by a VPN policy. The VPN policy must be disabled before you can modify the IKE policy. To enable and configure XAUTH: 1. Select VPN > IPSec VPN from the menu. The IPsec VPN submenu tabs display, with the IKE Policies screen in view (see Figure 5-20 on page 5-22). 2. In the List of IKE Policies table, click the Edit table button to the right of the IKE policy for which you want to enable and configure XAUTH. The Edit IKE Policy screen displays. This screen shows the same fields as the Add IKE Policy screen (see Figure 5-21 on page 5-24). 3. In the Extended Authentication section of the screen, complete the fields, select the radio buttons, and make your selections from the drop-down lists as explained Table 5-13. Table 5-13. Extended Authentication Settings Item Description (or Subfield and Description) Select one of the following radio buttons to specify whether or not Extended Authentication (XAUTH) is enabled, and-if enabled-which device is used to verify user account information: • None. XAUTH is disabled. This the default setting. • Edge Device. The VPN firewall functions as a VPN concentrator on which one or more gateway tunnels terminate. The authentication modes that are available for this configuration are User Database, RADIUS PAP, or RADIUS CHAP. • IPSec Host. The VPN firewall functions as a VPN client of the remote gateway. In this configuration the VPN firewall is authenticated by a remote gateway with a user name and password combination. Authentication Type For an Edge Device configuration: from the drop-down list, select one of the following authentication types: • User Database. XAUTH occurs through the VPN firewall's user database. Users must be added through the Add User screen (see "User Database Configuration" on page 5-39). • Radius PAP. XAUTH occurs through RADIUS Password Authentication Protocol (PAP). The local user database is first checked. If the user account is not present in the local user database, the VPN firewall connects to a RADIUS server. For more information, see "RADIUS Client Configuration" on page 5-39. • Radius CHAP. XAUTH occurs through RADIUS Challenge Handshake Authentication Protocol (CHAP). For more information, see "RADIUS Client Configuration" on page 5-39. 5-38 Virtual Private Networking Using IPsec Connections v1.0, April 2010

Section	Page
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual	1
Contents	3
About This Manual	11
Conventions, Formats, and Scope	11
How to Print This Manual	12
Revision History	12
Chapter 1 Introduction	13
What Is the ProSafe Gigabit Quad WAN SSL VPN Firewall?	13
Key Features and Capabilities	14
Quad-WAN Ports for Increased Reliability and Outbound Load Balancing	15
Advanced VPN Support for Both IPsec and SSL	15
A Powerful, True Firewall with Content Filtering	16
Security Features	16
Autosensing Ethernet Connections with Auto Uplink	17
Extensive Protocol Support	17
Easy Installation and Management	18
Maintenance and Support	18
Package Contents	19
Hardware Features	19
Front Panel	19
Rear Panel	21
Bottom Panel with Product Label	22
Choosing a Location for the SRX5308	23
Using the Rack-Mounting Kit	23
Chapter 2 Connecting the VPN Firewall to the Internet	25
Understanding the Internet and WAN Configuration Tasks	25
Qualified Web Browsers	26
Logging In to the VPN Firewall	27
Understanding the Web Management Interface Menu Layout	29
Configuring the Internet Connections	31
Automatically Detecting and Connecting	31
Setting the VPN Firewall’s MAC Address	35
Manually Configuring the Internet Connection	35
Configuring the WAN Mode	40
Configuring Network Address Translation	40
Configuring Classical Routing	41
Configuring the Auto-Rollover Mode and Failure Detection Method	42
Configuring Auto-Rollover Mode	42
Configuring the Failure Detection Method	44
Configuring Load Balancing and Optional Protocol Binding	45
Configuring Load Balancing	46
Configuring Protocol Binding (Optional)	47
Configuring Secondary WAN Addresses	49
Configuring Dynamic DNS	51
Configuring Advanced WAN Options	55
Additional WAN-Related Configuration Tasks	58
What to Do Next	59
Chapter 3 LAN Configuration	61
Managing Virtual LANs and DHCP Options	61
Understanding the VPN Firewall’s Port-Based VLANs	62
Assigning and Managing VLAN Profiles	63
VLAN DHCP Options	64
DHCP Server	64
DHCP Relay	65
DNS Proxy	65
LDAP Server	66
Configuring a VLAN Profile	66
Configuring VLAN MAC Addresses and LAN Advanced Settings	71
Configuring Multi-Home LAN IP Addresses on the Default VLAN	72
Managing Groups and Hosts (LAN Groups)	74
Managing the Network Database	75
Adding PCs or Devices to the Network Database	77
Editing PCs or Devices in the Network Database	78
Changing Group Names in the Network Database	78
Setting Up Address Reservation	79
Configuring and Enabling the DMZ Port	80
Managing Routing	84
Configuring Static Routes	85
Configuring Routing Information Protocol	87
Static Route Example	89
Chapter 4 Firewall Protection	91
About Firewall Protection	91
Administrator Tips	92
Using Rules to Block or Allow Specific Kinds of Traffic	92
Services-Based Rules	93
Outbound Rules (Service Blocking)	94
Inbound Rules (Port Forwarding)	96
Order of Precedence for Rules	100
Setting LAN WAN Rules	101
LAN WAN Outbound Services Rules	102
LAN WAN Inbound Services Rules	103
Setting DMZ WAN Rules	104
DMZ WAN Outbound Services Rules	106
DMZ WAN Inbound Services Rules	107
Setting LAN DMZ Rules	108
LAN DMZ Outbound Services Rules	109
LAN DMZ Inbound Services Rules	110
Inbound Rules Examples	111
LAN WAN Inbound Rule: Hosting a Local Public Web Server	111
LAN WAN Inbound Rule: Allowing Videoconference from Restricted Addresses	111
LAN WAN or DMZ WAN Inbound Rule: Setting Up One-to-One NAT Mapping	112
LAN WAN or DMZ WAN Inbound Rule: Specifying an Exposed Host	114
Outbound Rules Example	115
LAN WAN Outbound Rule: Blocking Instant Messenger	115
Configuring Other Firewall Features	116
Attack Checks	116
Setting Session Limits	119
Managing the Application Level Gateway for SIP Sessions	120
Creating Services, QoS Profiles, and Bandwidth Profiles	121
Adding Customized Services	121
Creating Quality of Service (QoS) Profiles	124
Creating Bandwidth Profiles	127
Setting a Schedule to Block or Allow Specific Traffic	130
Content Filtering (Blocking Internet Sites)	131
Understanding the VPN Firewall’s Content Filtering	131
Enabling and Configuring Content Filtering	132
Enabling Source MAC Filtering	134
Setting Up IP/MAC Bindings	136
Configuring Port Triggering	138
Configuring Universal Plug and Play	141
Chapter 5 Virtual Private Networking Using IPsec Connections	143
Considerations for Multi-WAN Port Systems	143
Using the IPsec VPN Wizard for Client and Gateway Configurations	145
Creating Gateway-to-Gateway VPN Tunnels with the Wizard	145
Creating a Client to Gateway VPN Tunnel	150
Using the VPN Wizard Configure the Gateway for a Client Tunnel	150
Using the NETGEAR VPN Client Security Policy Editor to Create a Secure Connection	153
Testing the Connections and Viewing Status Information	158
Testing the VPN Connection	158
NETGEAR VPN Client Status and Log Information	159
Viewing the VPN Firewall IPsec VPN Connection Status	161
Viewing the VPN Firewall IPSec VPN Logs	162
Managing IPsec VPN Policies	162
Configuring IKE Policies	163
IKE Policies Screen	164
Manually Adding or Editing an IKE Policy	165
Configuring VPN Policies	171
VPN Policies Screen	171
Manually Adding or Editing a VPN Policy	173
Configuring Extended Authentication (XAUTH)	179
Configuring XAUTH for VPN Clients	180
User Database Configuration	181
RADIUS Client Configuration	181
Assigning IP Addresses to Remote Users (Mode Config)	184
Mode Config Operation	184
Configuring Mode Config Operation on the VPN Firewall	184
Configuring the ProSafe VPN Client for Mode Config Operation	192
Testing the Mode Config Connection	197
Configuring Keepalives and Dead Peer Detection	197
Configuring Keepalives	198
Configuring Dead Peer Detection	199
Configuring NetBIOS Bridging with IPsec VPN	201
Chapter 6 Virtual Private Networking Using SSL Connections	203
Understanding the SSL VPN Portal Options	203
Planning for an SSL VPN	204
Creating the Portal Layout	206
Configuring Domains, Groups, and Users	209
Configuring Applications for Port Forwarding	210
Adding Servers and Port Numbers	210
Adding a New Host Name	212
Configuring the SSL VPN Client	212
Configuring the Client IP Address Range	213
Adding Routes for VPN Tunnel Clients	215
Using Network Resource Objects to Simplify Policies	216
Adding New Network Resources	216
Editing Network Resources to Specify Addresses	217
Configuring User, Group, and Global Policies	219
Viewing Policies	220
Adding a Policy	221
Accessing the SSL Portal Login Screen	225
Viewing the SSL VPN Connection Status and SSL VPN Logs	227
Chapter 7 Managing Users, Authentication, and Certificates	229
Configuring VPN Authentication Domains, Groups, and Users	229
Configuring Domains	230
Configuring Groups for VPN Policies	234
Creating and Deleting Groups	234
Editing Groups	236
Configuring User Accounts	237
Setting User Login Policies	239
Configuring Login Policies	239
Configuring Login Restrictions Based on IP Address	240
Configuring Login Restrictions Based on Web Browser	242
Changing Passwords and Other User Settings	243
Managing Digital Certificates	245
Understanding the Certificates Screen	246
Managing CA Certificates	247
Managing Self Certificates	248
Generating a CSR and Obtaining a Self Certificate from a CA	249
Viewing and Managing Self Certificates	252
Managing the Certificate Revocation List	252
Chapter 8 Network and System Management	255
Performance Management	255
Bandwidth Capacity	255
Features That Reduce Traffic	256
LAN WAN Outbound Rules and DMZ WAN Outbound Rules (Service Blocking)	256
Content Filtering	258
Source MAC Filtering	258
Features That Increase Traffic	258
LAN WAN Inbound Rules and DMZ WAN Inbound Rules (Port Forwarding)	258
Port Triggering	260
Configuring the DMZ Port	260
For information about how to enable the DMZ port, see “Configuring and Enabling the DMZ Port” on page 3-20. For the procedures on how to configure DMZ traffic rules, see “Setting DMZ WAN Rules” on page 4-14.	261
Configuring Exposed Hosts	261
Configuring VPN Tunnels	261
Using QoS and Bandwidth Assignment to Shift the Traffic Mix	261
Assigning QoS Profiles	261
Monitoring Tools for Traffic Management	262
System Management	262
Changing Passwords and Administrator Settings	262
Configuring Remote Management Access	264
Using the Command-Line Interface	268
Using a Simple Network Management Protocol Manager	268
Managing the SNMP Configuration	268
Managing the VPN Firewall’s SNMP System Information	270
Managing the Configuration File	271
Backing Up Settings	272
Restoring Settings	272
Reverting to Factory Default Settings	273
Upgrading the Firmware and Rebooting the VPN Firewall	273
Configuring Date and Time Service	275
Chapter 9 Monitoring System Access and Performance	277
Enabling the WAN Traffic Meter	277
Activating Notification of Events, Alerts, and Syslogs	281
Viewing Status and Log Screens	285
Viewing the System (Router) Status and Statistics	286
Viewing the Router Status Screen	286
Viewing the Detailed Status Screen	287
Viewing the Router Statistics Screen	291
Viewing the VLAN Status	292
Viewing and Disconnecting Active Users	293
Viewing the VPN Tunnel Connection Status	294
Viewing the VPN Logs	295
Viewing the Port Triggering Status	297
Viewing the WAN Port Connection Status	297
Viewing the Attached Devices and DHCP Log	299
Viewing Attached Devices	299
Viewing the DHCP Log	300
Using the Diagnostics Utilities	301
Sending a Ping Packet or Tracing a Route	302
Looking Up a DNS Address	303
Displaying the Routing Table	304
Rebooting the VPN Firewall	304
Capturing Packets	304
Chapter 10 Troubleshooting and Using Online Support	307
Basic Functioning	308
Power LED Not On	308
Test LED Never Turns Off	308
LAN or WAN Port LEDs Not On	309
Troubleshooting the Web Management Interface	309
When You Enter a URL or IP Address a Time-Out Error Occurs	310
Troubleshooting the ISP Connection	311
Troubleshooting a TCP/IP Network Using the Ping Utility	312
Testing the LAN Path to Your VPN Firewall	313
Testing the Path from Your PC to a Remote Device	313
Restoring the Default Configuration and Password	314
Problems with Date and Time	316
Accessing the Knowledge Base and Documentation	316
Appendix A Default Settings and Technical Specifications	317
Appendix B Network Planning for Multiple WAN Ports	321
What to Consider Before You Begin	321
Cabling and Computer Hardware Requirements	323
Computer Network Configuration Requirements	323
Internet Configuration Requirements	323
Where Do I Get the Internet Configuration Information?	324
Internet Connection Information	324
Overview of the Planning Process	325
Inbound Traffic	327
Inbound Traffic to a Single WAN Port System	327
Inbound Traffic to a Dual WAN Port System	328
Inbound Traffic: Dual WAN Ports for Improved Reliability	328
Inbound Traffic: Dual WAN Ports for Load Balancing	328
Virtual Private Networks	329
VPN Road Warrior (Client-to-Gateway)	331
VPN Road Warrior: Single Gateway WAN Port (Reference Case)	331
VPN Road Warrior: Dual Gateway WAN Ports for Improved Reliability	331
VPN Road Warrior: Dual Gateway WAN Ports for Load Balancing	333
VPN Gateway-to-Gateway	333
VPN Gateway-to-Gateway: Single Gateway WAN Ports (Reference Case)	333
VPN Gateway-to-Gateway: Dual Gateway WAN Ports for Improved Reliability	334
VPN Gateway-to-Gateway: Dual Gateway WAN Ports for Load Balancing	335
VPN Telecommuter (Client-to-Gateway through a NAT Router)	336
VPN Telecommuter: Single Gateway WAN Port (Reference Case)	336
VPN Telecommuter: Dual Gateway WAN Ports for Improved Reliability	337
VPN Telecommuter: Dual Gateway WAN Ports for Load Balancing	338
Appendix C System Logs and Error Messages	339
System Log Messages	340
NTP	340
Login/Logout	341
System Startup	341
Reboot	341
Firewall Restart	342
IPsec Restart	342
Unicast, Multicast, and Broadcast Logs	342
ICMP Redirect Logs	342
Multicast/Broadcast Logs	343
WAN Status	343
Load Balancing	343
Auto-Rollover	344
PPP Logs	345
Resolved DNS Names	347
VPN Log Messages	347
IPsec VPN Logs	347
SSL VPN Logs	354
Traffic Meter Logs	355
Routing Logs	356
LAN to WAN Logs	356
LAN to DMZ Logs	356
DMZ to WAN Logs	356
WAN to LAN Logs	357
DMZ to LAN Logs	357
WAN to DMZ Logs	357
Other Event Logs	358
Session Limit Logs	358
Source MAC Filter Logs	358
Bandwidth Limit Logs	358
DHCP Logs	359
Appendix D Two-Factor Authentication	361
Why Do I Need Two-Factor Authentication?	361
What Are the Benefits of Two-Factor Authentication?	361
What Is Two-Factor Authentication	362
NETGEAR Two-Factor Authentication Solutions	362
Appendix E Related Documents	365
Appendix F Notification of Compliance	367

Match case Limit results 1 per page

ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual

5-38

Virtual Private Networking Using IPsec Connections

v1.0, April 2010

Configuring XAUTH for VPN Clients

Once the XAUTH has been enabled, you must establish user accounts on the User Database to be

authenticated against XAUTH, or you must enable a RADIUS-CHAP or RADIUS-PAP server.

To enable and configure XAUTH:

Select

VPN

IPSec VPN

from the menu. The IPsec VPN submenu tabs display, with the IKE

Policies screen in view (see

Figure 5-20 on page 5-22

In the List of IKE Policies table, click the

Edit

table button to the right of the IKE policy for

which you want to enable and configure XAUTH. The Edit IKE Policy screen displays. This

screen shows the same fields as the Add IKE Policy screen (see

Figure 5-21 on page 5-24

In the Extended Authentication section of the screen, complete the fields, select the radio

buttons, and make your selections from the drop-down lists as explained

Table 5-13

Note:

You cannot modify an existing IKE policy to add XAUTH while the IKE policy is

in use by a VPN policy. The VPN policy must be disabled before you can modify

the IKE policy.

Table 5-13.

Extended Authentication

Settings

Item

Description (or Subfield and Description)

Select one of the following radio buttons to specify whether or not Extended Authentication (XAUTH) is

enabled, and–if enabled–which device is used to verify user account information:

•

None

. XAUTH is disabled. This the default setting.

•

Edge Device

. The VPN firewall functions as a VPN concentrator on which one or more gateway

tunnels terminate. The authentication modes that are available for this configuration are User

Database, RADIUS PAP, or RADIUS CHAP.

•

IPSec Host

. The VPN firewall functions as a VPN client of the remote gateway. In this configuration

the VPN firewall is authenticated by a remote gateway with a user name and password combination.

Authentication

Type

For an Edge Device configuration: from the drop-down list, select one of the

following authentication types:

•

User Database

. XAUTH occurs through the VPN firewall’s user database. Users

must be added through the Add User screen (see

“User Database Configuration”

on page 5-39

•

Radius PAP

. XAUTH occurs through RADIUS Password Authentication Protocol

(PAP). The local user database is first checked. If the user account is not present

in the local user database, the VPN firewall connects to a RADIUS server. For

more information, see

“RADIUS Client Configuration” on page 5-39

•

Radius CHAP

. XAUTH occurs through RADIUS Challenge Handshake

Authentication Protocol (CHAP). For more information, see

“RADIUS Client

Configuration” on page 5-39