Table of Contents
Advertisement
roaming clients that will connect using IKEv2 with EAP authentication and using a RADIUS server
as the AAA source.
There are three parts to the setup:
•
Correct installation of certificates in the client and NetDefendOS.
•
Correct configuration of NetDefendOS.
•
Correct configuration of the RADIUS server used for authentication.
These three parts will be discussed in the separate sections below
Installation of Certificates in the Client and NetDefendOS
EAP requires authentication using certificates and the requirements for the installed certificates
should be as follows:
•
The client should have the appropriate CA root certificate installed.
With Windows, the certificate must be installed in specific location. NetDefendOS only
supports a Windows client running Windows 7 or later. The Windows installation steps are
described in detail below and must be to a specific location for IKEv2 to function correctly.
The certificate setup with other client platforms, such as Apple iOS or Android, should be
straightforward and will not described in detail.
•
The same CA root certificate used by the client should also be installed in NetDefendOS.
•
In addition, NetDefendOS should also have a host certificate (also known as the gateway
certificate) installed which is signed by the root CA. This host certificate must have the
following properties:
i.
Either the Common Name (CN) or the Subject Alternative Name (SAN) must contain either
the IP address of the IPsec tunnels local endpoint (the IP address the client connects to)
or an FQDN that resolves to that IP address.
ii.
The serverAuth property should be set.
CA Root Certificate Installation for Windows Clients
The following is a description of certificate installation for a Windows 7 client. This will be similar
for later Windows versions (earlier versions are not supported).
1.
Start the Microsoft Management Console (mmc) and add the Certificates snap-In.
2.
Select the Computer account option.
3.
Open the folder Certificates (Local Computer) > Trusted Root Certification Authorities >
Certificates.
4.
Select the Import option to start the Certificate Import Wizard.
5.
Select the CA root certificate file to be imported and install it in the Trusted Root Certification
Authorities store.
Note that the certificate file should never be double-clicked. If it is, the content will end up
in the Current User instead of the Local Computer section of the Windows registry and it will
715
Chapter 9: VPN
- Quick Links:
- User Manual
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
