How Local User Authentication Works: RADIUS, Privilege Groups and X.509 Certificates

STEP 3 On the Create/Edit Privilege Group page, type or edit the Privilege Group Name.

The name can be up to 32 alphanumeric characters, using only a to z, A to Z, 0 to 9, - (hyphen) and _ (underscore).

STEP 4

STEP 5

Check or uncheck each of the following:

VPN Client Access — allow/deny VPN client dialup, inter-site VPN access and Internet access.

Policy Authentication — allow/deny user authentication for firewall rules.

Content Filter Bypass — allow/deny the user to bypass web filtering.

Click Create/Save to save the changes and return to the Privilege Groups page.

Click Cancel to return to the Privilege Groups page without saving the changes.

X.509 Certificates

Overview

The X family supports the use of X.509 certificates for VPN authentication and for secure management of your device. The use of certificates for verifying the identity of a device on the network for VPN is a more secure and scalable alternative to using a shared secret.

A certificate is a data file that is used to verify the identity of a device. The file contains unique information about the device, such as a Distinguished Name (DN), email address or domain name, which can be used to verify the identity of the device. The certificate links this identity to a public key value, which is also contained within the certificate.

Authentication depends on the integrity of the public key value in the certificate. The role of a certificate is to guarantee that the public key bound to the certificate can be used to verify the identity contained in the certificate.

To prevent users from tampering with public keys, all certificates must be signed by a certification authority (CA). A CA is a trusted source that confirms the integrity of the public key value in a certificate. This could be a CA server within an organization, or a public company like Verisign.
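The paragraphs above describe the mechanism in words: a certificate binds an identity (a DN) to a public key, and the CA's signature over that binding is what a receiving device checks with the CA certificate it has imported. The following is an added example, not code from the guide or from the X family device, that walks through the same steps with the third-party Python `cryptography` package (assumed to be installed): it builds a constructed CA, issues a device certificate signed by it, encodes the device certificate in DER (one of the import formats the guide mentions), and then performs the checks a peer would do with the CA certificate. All names, keys and the hypothetical helper functions (`make_ca`, `issue_device_cert`, `validate_with_ca`, `demo`) are constructed for this example. The second half of `demo` goes beyond the text to show the failure case: a certificate issued by a different CA that merely reuses the same CA name fails the signature check, because the CA certificate validates the signing key, not the name.

```python
"""Added example: how an imported CA certificate validates a device certificate.

Assumes the third-party `cryptography` package (pip install cryptography).
Every name, key and certificate below is constructed for the example.
"""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def _name(common_name):
    # Distinguished Name (DN): the identity that the certificate binds to a key.
    return x509.Name([
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Example Org"),
        x509.NameAttribute(NameOID.COMMON_NAME, common_name),
    ])


def _validity():
    now = datetime.datetime.now(datetime.timezone.utc)
    return now - datetime.timedelta(minutes=5), now + datetime.timedelta(days=365)


def make_ca(common_name):
    """Self-signed CA certificate: subject == issuer, signed with its own key."""
    key = ec.generate_private_key(ec.SECP256R1())
    nvb, nva = _validity()
    cert = (x509.CertificateBuilder()
            .subject_name(_name(common_name))
            .issuer_name(_name(common_name))
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(nvb)
            .not_valid_after(nva)
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def issue_device_cert(ca_key, ca_cert, device_common_name):
    """Device certificate: the device's own public key, signed by the CA's key."""
    device_key = ec.generate_private_key(ec.SECP256R1())
    nvb, nva = _validity()
    cert = (x509.CertificateBuilder()
            .subject_name(_name(device_common_name))
            .issuer_name(ca_cert.subject)
            .public_key(device_key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(nvb)
            .not_valid_after(nva)
            .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
            .sign(ca_key, hashes.SHA256()))
    return device_key, cert


def to_der(cert):
    """DER encoding, the binary form a device would import or receive."""
    return cert.public_bytes(serialization.Encoding.DER)


def validate_with_ca(cert_der, ca_cert):
    """The receiving side: parse the peer's DER certificate and check that
    (1) it names our CA as issuer, (2) it is within its validity period and
    (3) its signature over the to-be-signed part verifies with the CA's public key.
    Returns (ok, detail) where detail is the peer's CN on success or a reason on failure."""
    cert = x509.load_der_x509_certificate(cert_der)
    if cert.issuer != ca_cert.subject:
        return False, "issuer does not match CA subject"
    # naive UTC comparison works on all cryptography versions
    now = datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)
    if not (cert.not_valid_before <= now <= cert.not_valid_after):
        return False, "certificate outside its validity period"
    try:
        ca_cert.public_key().verify(
            cert.signature,
            cert.tbs_certificate_bytes,
            ec.ECDSA(cert.signature_hash_algorithm),
        )
    except InvalidSignature:
        return False, "signature was not made by this CA's key"
    cn = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    return True, cn


def demo():
    """Genuine device cert validates; a cert from an impostor CA that copies
    the CA's name but has a different key does not."""
    ca_key, ca_cert = make_ca("Example Root CA")
    _, dev_cert = issue_device_cert(ca_key, ca_cert, "branch-office-fw")
    genuine = validate_with_ca(to_der(dev_cert), ca_cert)

    rogue_key, rogue_ca = make_ca("Example Root CA")  # same DN, different key
    _, rogue_cert = issue_device_cert(rogue_key, rogue_ca, "branch-office-fw")
    impostor = validate_with_ca(to_der(rogue_cert), ca_cert)
    return genuine, impostor


if __name__ == "__main__":
    for label, result in zip(("genuine", "impostor"), demo()):
        print(label, result)
```

The point to take from `validate_with_ca` is that the issuer-name check alone proves nothing; only the signature verified against the public key held in the imported CA certificate ties the peer's certificate to a CA you actually trust, which is why the guide stresses the integrity of that public key value.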

On the X family device, X.509 certificates are used for the following:

Site-to-site VPN authentication

Client-to-site VPN authentication

From the LSM, you can manage the following items required to perform authentication with X.509 Certificates:

CA Certificate — Public certificate issued by a Certificate Authority. CA Certificates are used to validate received local certificates that were signed by this CA for other devices. The X family device supports the PKCS#7 or DER format for importing CA Certificates. An organization can install its

X Family LSM User’s Guide V 2.5.1
