284 | Virtual Private Networks    Dell PowerConnect W-Series ArubaOS 6.2 | User Guide

Working with Smart Card Clients using IKEv1

Microsoft clients using IKEv1 (including clients running Windows Vista or earlier versions of Windows) only
support machine authentication using a pre-shared key. In this scenario, user-level authentication is performed by an
external RADIUS server using PPP EAP-TLS, and client and server certificates are mutually authenticated during the
EAP-TLS exchange. Because every client uses the same pre-shared key, the IKE exchange only proves that the peer
knows the group key; the identity of the user is established by the client certificate presented in EAP-TLS. During
the authentication, the controller encapsulates EAP-TLS messages from the client into RADIUS messages and
forwards them to the server.
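The following is an added example, not code from the user guide or from ArubaOS, showing what the encapsulation step above looks like on the wire: an EAP-Response/EAP-TLS packet is split across RADIUS EAP-Message attributes (type 79, at most 253 bytes each) inside an Access-Request, and the receiving side checks the Message-Authenticator (type 80, HMAC-MD5 over the packet with the attribute zeroed, required whenever EAP-Message is present) before reassembling the EAP packet. The RADIUS shared secret, the user name, the NAS address and the 300-byte TLS fragment are constructed sample values.

```python
"""Added example: carrying an EAP-TLS message inside a RADIUS Access-Request and unpacking it.
Illustrative code, not ArubaOS controller code; all sample values below are constructed."""
import hashlib
import hmac
import os
import struct

RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_EAP_MESSAGE = 79            # RFC 3579: EAP packet, split across attributes if > 253 bytes
ATTR_MESSAGE_AUTHENTICATOR = 80  # RFC 3579: HMAC-MD5 over the packet, mandatory with EAP-Message
MAX_ATTR_VALUE = 253             # attribute Length is one byte and includes the 2-byte header

EAP_RESPONSE = 2
EAP_TYPE_TLS = 13
TLS_FLAG_LENGTH_INCLUDED = 0x80
TLS_FLAG_MORE_FRAGMENTS = 0x40

# Constructed 300-byte stand-in for a TLS record fragment (e.g. part of the client's
# Certificate message). It is long enough to need two EAP-Message attributes.
SAMPLE_TLS_FRAGMENT = bytes(range(256)) + bytes(44)


def build_eap_tls_response(eap_id, tls_fragment, more_fragments, tls_total_len=None):
    """EAP-Response/EAP-TLS: Code, Identifier, Length, Type, Flags[, TLS Message Length], data."""
    flags = TLS_FLAG_MORE_FRAGMENTS if more_fragments else 0
    length_field = b""
    if tls_total_len is not None:          # the first fragment carries the total TLS length
        flags |= TLS_FLAG_LENGTH_INCLUDED
        length_field = struct.pack("!I", tls_total_len)
    type_data = bytes([EAP_TYPE_TLS, flags]) + length_field + tls_fragment
    return struct.pack("!BBH", EAP_RESPONSE, eap_id, 4 + len(type_data)) + type_data


def _attr(attr_type, value):
    if len(value) > MAX_ATTR_VALUE:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def encapsulate_eap_in_radius(shared_secret, radius_id, user_name, nas_ip, eap_packet):
    """Wrap an EAP packet in a RADIUS Access-Request, the way a NAS forwards it to the server."""
    attrs = _attr(ATTR_USER_NAME, user_name.encode())
    attrs += _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    for off in range(0, len(eap_packet), MAX_ATTR_VALUE):      # fragment the EAP packet
        attrs += _attr(ATTR_EAP_MESSAGE, eap_packet[off:off + MAX_ATTR_VALUE])
    attrs += _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))       # zero placeholder, filled in below
    header = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, radius_id, 20 + len(attrs))
    packet = header + os.urandom(16) + attrs                    # 16 random bytes = Request Authenticator
    mac = hmac.new(shared_secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac                                   # Message-Authenticator is the last attribute


def parse_attributes(packet):
    """Return (type, value_offset, value) for each attribute; reject malformed lengths."""
    attrs, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, pos + 2, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return attrs


def extract_eap_from_radius(shared_secret, packet):
    """Validate Message-Authenticator, reassemble EAP-Message fragments, decode the EAP-TLS header."""
    code, _, length = struct.unpack("!BBH", packet[:4])
    if code != RADIUS_ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    attrs = parse_attributes(packet)
    auths = [(off, val) for t, off, val in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(auths) != 1 or len(auths[0][1]) != 16:
        raise ValueError("EAP-Message requires exactly one 16-byte Message-Authenticator")
    off, received = auths[0]
    zeroed = packet[:off] + bytes(16) + packet[off + 16:]
    expected = hmac.new(shared_secret, zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(received, expected):
        raise ValueError("Message-Authenticator check failed (wrong secret or tampered packet)")
    eap = b"".join(val for t, _, val in attrs if t == ATTR_EAP_MESSAGE)   # attribute order is preserved
    eap_code, eap_id, eap_len = struct.unpack("!BBH", eap[:4])
    if eap_len != len(eap) or eap[4] != EAP_TYPE_TLS:
        raise ValueError("reassembled EAP packet is inconsistent or not EAP-TLS")
    flags, data_start, total = eap[5], 6, None
    if flags & TLS_FLAG_LENGTH_INCLUDED:
        total, data_start = struct.unpack("!I", eap[6:10])[0], 10
    return {"code": eap_code, "id": eap_id, "flags": flags, "tls_total_len": total, "data": eap[data_start:]}


def message_authenticator_ok(shared_secret, packet):
    """True if the packet is accepted by extract_eap_from_radius, False if it is rejected."""
    try:
        extract_eap_from_radius(shared_secret, packet)
        return True
    except ValueError:
        return False


def demo(shared_secret=b"constructed-radius-secret"):
    eap = build_eap_tls_response(3, SAMPLE_TLS_FRAGMENT, more_fragments=True, tls_total_len=1200)
    pkt = encapsulate_eap_in_radius(shared_secret, 7, "smartcard.user@example.test", "10.0.0.1", eap)
    return pkt, extract_eap_from_radius(shared_secret, pkt)


if __name__ == "__main__":
    radius_pkt, info = demo()
    fragments = sum(1 for t, _, _ in parse_attributes(radius_pkt) if t == ATTR_EAP_MESSAGE)
    print(len(radius_pkt), "byte Access-Request,", fragments, "EAP-Message attributes,",
          len(info["data"]), "bytes of TLS data, flags", hex(info["flags"]))
```

The RADIUS server never sees the IPsec or L2TP layers: what reaches it is only the reassembled EAP packet plus the User-Name and NAS attributes, so the RADIUS shared secret (which keys the Message-Authenticator) and the EAP-TLS certificates are the two things that actually bind this leg of the exchange.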
On the controller, you need to configure the L2TP/IPsec VPN with EAP as the PPP authentication protocol and an IKE
policy for pre-shared key authentication of the SA.
NOTE: On the RADIUS server, you must configure a remote access policy to allow EAP authentication for smart card users and
select a server certificate. The user entry in Microsoft Active Directory must be configured for smart cards.
To configure an L2TP/IPsec VPN for clients using smart cards and IKEv1, ensure that the following settings are
configured:
1. On the RADIUS server, configure a remote access policy to allow EAP authentication for smart card users and
select a server certificate. The user entry in Microsoft Active Directory must be configured for smart cards.
(For detailed information on creating and managing user roles and policies, see "Roles and Policies" on page 296.)
- Ensure that the RADIUS server is part of the server group used for VPN authentication.
- Configure the other VPN settings as described in "Configuring a VPN for L2TP/IPsec with IKEv2 in the WebUI" on
page 279, while selecting the following options:
    - Select Enable L2TP.
    - Select EAP for the Authentication Protocol.
    - Define an IKE Shared Secret to be used for machine authentication. (To make the IKE key global, specify
0.0.0.0 for both the subnet and the subnet mask.)
    - Configure the IKE policy for Pre-Share authentication.
Configuring a VPN for Clients with User Passwords
This section describes how to configure a remote access VPN on the controller for L2TP/IPsec clients with user
passwords. As described previously in this section, L2TP/IPsec requires two levels of authentication: first, IKE SA
authentication, and then user-level authentication with the PAP authentication protocol. The IKE SA is authenticated
with a pre-shared key, which you must configure as an IKE shared secret on the controller. User-level authentication
is performed by the controller's internal database. Note that PAP sends the password in the clear at the PPP layer;
it is protected here only because the L2TP session is carried inside the IPsec tunnel.
On the controller, you need to configure the following:
- AAA database entries for usernames and passwords
- A VPN authentication profile, which defines the internal server group and the default role assigned to
authenticated clients
- An L2TP/IPsec VPN with PAP as the PPP authentication protocol (IKEv1 only)
- (For IKEv1 clients) An IKE policy for pre-shared key authentication of the SA
- (For IKEv2 clients) A server certificate to authenticate the controller to clients and a CA certificate to
authenticate VPN clients
In the WebUI
Use the following procedure to configure an L2TP/IPsec VPN for username/password clients via the WebUI:
1. Navigate to the Configuration > Security > Authentication > Servers window.