Nortel NN46110-600 User Manual

VPN Router Security — Servers, Authentication, and Certificates
Nortel VPN Router Security — Servers, Authentication, and Certificates
Version 7.00
Part No. NN46110-600
315897-F Rev 02
January 2008
Document status: Standard
600 Technology Park Drive
Billerica, MA 01821-4130


Summary of Contents for Nortel NN46110-600

  • Page 2: Restricted Rights Legend

    The software license agreement is included in this document. Trademarks Nortel Networks, the Nortel Networks logo, and Nortel VPN Router are trademarks of Nortel Networks. Adobe and Acrobat Reader are trademarks of Adobe Systems Incorporated.
  • Page 3 If Customer is the United States Government, the following paragraph shall apply: All Nortel Networks Software available under this License Agreement is commercial computer software and commercial computer software documentation and, in the event Software is licensed for or on behalf of the United States...
  • Page 4 This License Agreement is governed by the laws of the country in which Customer acquires the Software. If the Software is acquired in the United States, then this License Agreement is governed by the laws of the state of New York.
  • Page 5: Table Of Contents

    LDAP encryption keys ... 25
  • Page 6 LDAP special characters ... 72
  • Page 7 Index ... 97
  • Page 8 Contents
  • Page 9 CRL distribution points ... 91
  • Page 10 Figures
  • Page 11 Syntax of attributes ... 52
  • Page 12 Tables
  • Page 13: Preface

    Before you begin This guide is for network managers who are responsible for setting up and configuring the Nortel VPN Router. This guide assumes that you have experience with windowing systems or graphical user interfaces (GUIs) and familiarity with network management.
  • Page 14 (. . . ) italic text plain Courier text Indicate required elements in syntax descriptions where there is more than one option. You must choose only one of the options. Do not type the braces when entering the command.
  • Page 15: Acronyms

    AVPAIR ISAKMP L2TP LDAP PPTP Shows menu paths. Example: Choose Status > Health Check. Separates choices for command keywords and arguments. Enter only one of the choices. Do not type the vertical line when entering the command.
  • Page 16: Related Publications

    SSL VPN Module 1000, including authentication, networks, user groups, and portal links. • Nortel VPN Router Security—Servers, Authentication, and Certificates (NN46110-600) provides instructions for configuring authentication services and digital certificates. • Nortel VPN Router Security—Firewalls, Filters, NAT, and QoS (NN46110-601) provides instructions for configuring the Stateful Firewall and interface and tunnel filters.
  • Page 17: Hard-Copy Technical Manuals

    • Nortel VPN Router Configuration—Client (NN46110-306) provides information for setting up client software for the VPN Router. • Nortel VPN Router Configuration—TunnelGuard (NN46110-307) provides information about configuring and using the TunnelGuard feature.
  • Page 18: Getting Help From The Nortel Web Site

    Nortel Solutions Center. In North America, call 1-800-4NORTEL (1-800-466-7835). Outside North America, go to the following web site to obtain the phone number for your region: www.nortel.com/callus Takes you directly to the Nortel page for VPN Client documentation located at: www130.nortelnetworks.com/cgi-bin/eserv/cs/main.jsp?cscat=DOCUMENTATION&resetFilter=...
  • Page 19: Getting Help From A Specialist By Using An Express Routing Code

    Getting help through a Nortel distributor or reseller If you purchased a service contract for your Nortel product from a distributor or authorized reseller, contact the technical support staff for that distributor or reseller.
  • Page 21: New In This Release

    New in this release The following section details what is new in Nortel VPN Router Security — Servers, Authentication, and Certificates for Release 7.0. Features See the following sections for information about feature changes: • LDAP proxy password management support for Active Directory •...
  • Page 22: Ldap 3Des Password Encryption

    LDAP 3DES password encryption The VPN Router can store shared secrets that are encrypted with 3DES, but you must first enable the feature. You enable 3DES by selecting Servers > LDAP and clicking TripleDES. For more information about encryption of shared secrets, see 3DES password”...
  • Page 23: Radius Dynamic Filtering

    You can set up and manage policy filters in the Remote Authentication Dial-In User Service (RADIUS) server. If you use a RADIUS server to authenticate users, the VPN Router can retrieve those policy filters from the server. IPsec user tunnels are dynamically filtered based on attributes returned from the authenticating RADIUS server.
  • Page 25: Authentication Services

    Chapter 1 Authentication services The remote user attempting to dial in to the VPN Router must be authenticated before gaining access to the corporate network. Authentication is one of the most important functions that the VPN Router provides because it identifies users and drives many other aspects of the user-centric functionality.
  • Page 26: Ldap

    LDAP is based on directory entries; it has an Internet person schema that defines standard attributes and you can extend it to include other attributes. A directory service is a central repository of user information; for example, the VPN Router supports the following elements using LDAP: • groups •...
  • Page 27: Ssl And Digital Certificates

    In order for digital certificate authentication to succeed, you must import a certificate from the authority certifying the LDAP server into the VPN Router's certificate store. This type of certificate is often referred to as a CA root certificate.
  • Page 28: Authentication Servers

    ISAKMP and can appear in any ISAKMP message. Certificate payloads are included in an exchange whenever an appropriate directory service (such as Secure DNS) is not available to distribute certificates. The VPN Router supports Microsoft native client (L2TP/IPsec) PKCS #7 termination in chained environments.
  • Page 29: Figure 2 Authentication Servers

    If the group name does not exist, the user is given the RADIUS default group’s attributes. If the UID and password are incorrect, the VPN Router rejects the user request.
  • Page 30 If the UID is not in the profile LDAP (internal or external) database and if you specified LDAP proxy as the next server to check, the UID and password are checked against the LDAP proxy database. Figure 3 illustrates the steps in user validation.
  • Page 31 [Figure 3, user validation flowchart (see #1 and #2 below): decision boxes “RADIUS UID Found?”, “Group ID Found in LDAP?”, “LDAP UID Found?”; outcomes “Reject Request”, “Assign Group Attributes”, “Assign Attributes from CA”, “Allow All Default Enabled”.]
  • Page 33: Configuring Servers

    VPN Router: • Internal LDAP server stores group and user profiles on the internal server of the VPN Router. External LDAP contains the contents of the internal LDAP server exported to a separate external LDAP server. •...
  • Page 34: Ldap Database Servers

    The user name and password are never transmitted in the clear; a cryptographic hash function (SHA-1) is used to protect the user’s identity. • Mutual authentication between the client and the VPN Router using a keyed hash algorithm (HMAC). •...
  • Page 35: Ldap Encryption Keys

    The first time that you enable 3DES and configure a 24-byte encryption key, the VPN Router updates the LDAP. This can take some time, depending on the size of the user base.
  • Page 36: External Ldap Key Information

    VPN Router2 cannot set any key except the one that matches the key of VPN Router1. After VPN Router2 sets a key that matches, then VPN Router2 can configure a new key. If VPN Router2 sets a new key, then VPN Router1 must configure a matching key before authentication is successful.
  • Page 37: 3Des External Ldap Proxy Information

    3DES external LDAP proxy information If an external LDAP proxy is used, the VPN Router (which has its own internal LDAP file) does not touch or modify the external LDAP database. However, the VPN Router modifies the Bind Password that is attached to the Bind Name (under LDAP Proxy Servers).
  • Page 38: Configuring Ldap User Encryption Key

    VPN Router. If you use a user-defined encryption key with an external server, all the VPN Routers that use that external LDAP server must have the same configured encryption key.
  • Page 39: Optimizing Ldap Scheduling

    Encryption Key. In the Encryption Key dialog box, enter a character string or a hexadecimal value. Note: The following is applicable only for Nortel VPN Router release 7.05.300 and above. When TripleDes LDAP Encryption is not enabled, the Encryption Key value that you enter is 8 bytes—8 ASCII text characters or 16 hex...
  • Page 40 <hh:mm> where: hh:mm is the hour (00-24) and the minutes of the specific time. To disable LDAP Optimization Scheduling everyday at a specific time, enter the following command: no ldap-server internal optimize specific-time enable
  • Page 41: Configuring Internal Ldap Server Authentication

    To configure internal LDAP: Select Servers > LDAP. The internal LDAP server is internal to the VPN Router. If you are using more than one VPN Router or if you are using LDAP authentication for other network services, consider using an external LDAP server.
  • Page 42 Click Import Secure LDAP (SSL) CA Certificate to open the CA certificate dialog box, where you can paste a PKCS#7 Base-64 certificate. Select Optimize Database to optimize the internal LDAP database. This option takes you to an edit...
  • Page 43: Configuring Ldap Proxy Server Authentication

    The VPN Router supports authentication against an existing LDAP server rather than creating a second user database for use with the VPN Router. The server can reside on either a private or public network that is connected to the VPN Router.
  • Page 44 For the remote LDAP server, enter the Master, Slave 1, and Slave 2 LDAP server host names or IP addresses. If the master server becomes unavailable, the VPN Router attempts to initiate a connection with the slave servers.
  • Page 45 Leave this field blank if your LDAP server allows anonymous access. d Enter the bind password, which can consist of up to 32 characters. The VPN Router uses this password to prove its identity (the bind DN) to the LDAP server.
  • Page 46: Ldap Proxy User Authentication And Password Management

    LDAP server combined with the error message within the bind response find the password status: expired, expiring, or valid password. You can change the VPN Client password to the proxy server if the password is expired. Figure 6 shows the proxy server access fields.
  • Page 47: Ldap V3-Compliant Ldap Server

    This information determines if the user's password is expiring or already expired. When you configure the VPN Router to use an external LDAP authentication server, it informs users that their passwords are expired or expiring and allows the client to change the password.
  • Page 48: Ldap Server Without Ldap Control Support

    LDAP user bind to the IBM RACF server implements the password change. IBM RACF server returns the LDAP result of either success or invalid credentials. To configure LDAP proxy user authentication and password management: Select Servers > LDAP Proxy. Click Pwd Management. The LDAP Proxy Server window appears (Figure 7).
  • Page 49: Figure 7 Ldap Proxy Server Password Management

    Enter your old password in the Old Password dialog box. Enter your new password in the New Password dialog box. Enter your new password again in the Verify Password dialog box. Click OK.
  • Page 50: Monitoring Ldap Servers

    The VPN Router monitors the status of all configured external LDAP servers. If the VPN Router has marked a server as up, it monitors the status of the server by binding and conducting a search against the directory every 15 minutes. If the...
  • Page 51: Radius Authentication Service

    RADIUS on the Services > RADIUS window. Packet flow is from external clients to the VPN Router interface IP and port. You configure the port on the Services > RADIUS window. To configure filters, go to the Services >...
  • Page 52: Configuring Radius Authentication

    RADIUS Authentication Servers window to configure up to three servers for remote authentication. It is imperative that the RADIUS servers contain the same user data. The VPN Router uses the alternative RADIUS servers only when it receives no response from the primary RADIUS server.
  • Page 53 Note: The UID and password are never passed in the clear for an IPsec client, either from the remote client or from the VPN Router communicating with the RADIUS server. If you use PAP authentication for a PPTP session, both the user name and the password are passed in the clear to the VPN Router over the Internet.
  • Page 54: Radius Authentication Class Attribute Values

    “Configuring IPsec authentication” on page 47). RADIUS authentication class attribute values Figure 8 shows the relationship between RADIUS authentication class attribute values for VPN Router users. C is the class attribute for country, and OU is the class attribute for organizational unit.
  • Page 55: Figure 8 Radius Authentication Class Attribute Values

    [Figure 8 labels: Company, c=US, CAD Group] The VPN Router supports RADIUS-supplied attributes, such as IP address and MPPE key, and additional specific attributes, if they are returned from a RADIUS server. All other returned attributes are ignored. The specific attributes are detailed in Microsoft documentation and defined in RFC 2548.
  • Page 56: Radius-Assigned Framed-Ip-Address Attribute

    RADIUS-Assigned Framed-IP-Address attribute You configure a RADIUS-Assigned Framed-IP-Address attribute on the RADIUS server for the UID being authenticated by the VPN Router. If you enable Allow Static Addresses (Profiles > Groups > Edit > Connectivity window) for the assigned group, then the tunnel session uses the returned IP address. Otherwise, it assigns an IP pool address.
  • Page 57: Configuring Ipsec Authentication

    UID as the delimiter value. Select Error Code Pass Thru to allow an error message sent to the VPN Router by the RADIUS server to pass through the VPN Router to the originating client.
  • Page 58 In the Port field, enter the server port number that you want the RADIUS authentication requests to use. Default is Port 1645. d In the Secret field, enter the password to share with the VPN Router. To enhance overall security, enter a different password for each server. The shared secret encrypts the password between the VPN Router and the server when the tunnel connection uses PAP or SecurID.
  • Page 59 RADIUS authentication reply with a UDP port that differs from the originating UDP port. For example, if a RADIUS authentication packet is sent from the VPN Router using the UDP source port 1100 and UDP destination port 1645, the RADIUS server responds with a UDP source port of 8500 and a destination UDP port of 1100.
  • Page 60 In the Maximum Transmit Attempts, enter the number of times that you want the VPN Router to try to connect to the RADIUS servers before failing. By default, the VPN Router tries three times. Click the RADIUS Diagnostic Report link to check that your RADIUS Authentication configuration is correct.
  • Page 61: Configuring Radius Dynamic Filters

    VPN Router. When a user is authenticated, they are assigned to a group. Part of the group profile specifies that you apply a filter.
  • Page 62 Do not specify an outacl that denies all traffic, such as ip:outacl#1=deny ip any any, because this prevents the IPsec client from connecting to the banner server. You must have at least one outacl entry specified. You can specify a "deny all" filter in the group. Description: ip:inacl#Num= and ip:outacl#Num=, where "Num"...
  • Page 63: Configuring Pptp And Radius

    CES# Configuring PPTP and RADIUS To configure PPTP and RADIUS: Select Servers > Radius Auth and click Enable Access to RADIUS Authentication. Enable an authentication method. Click OK. End with Ctrl/z.
  • Page 64: Configuring Group-Level Radius Authentication

    Configuring group-level RADIUS authentication In remote access deployments, if you want to partition users across several different RADIUS servers, the VPN Router can connect to the appropriate server when authenticating a specific user. This group-level authentication is particularly useful for large installations with many different databases, and for carriers that have a business need to keep customer authentication domains separate.
  • Page 65: Vendor-Specific Radius Attribute

    VPN Router global RADIUS configuration window. This also applies to PPTP and L2TP user tunnels. Vendor-specific RADIUS attribute You can use the vendor-specific RADIUS attribute to store VPN Router group membership information in a RADIUS vendor-specific attribute in addition to the class attribute.
  • Page 66 In the event of a system crash, upon reinitialization the VPN Router translates the journal file into a series of stop records on a per-session basis. This minimizes accounting data loss. A low interval creates system overhead and requires additional processing. The default interval is 00:10:00 (10 minutes).
  • Page 67: Configuring Dhcp Servers

    When you configure both the DHCP server and DHCP relay on the same interface, the DHCP server takes precedence and the DHCP packets received by the VPN Router are processed by the DHCP server. For DHCP relay to be functional, you must disable the DHCP server for the interface on which the DHCP relay is configured.
  • Page 68 Enter the End Address for the range. Click OK. 12 Optionally, you can force the DHCP server to assign a fixed IP address to a host every time it logs in. You can do this with host reservations under the Host section. Click Add.
  • Page 69: Configuring Remote User Ip Address Pool

    IP address during tunnel setup. This address can come from an internal address pool, an external DHCP server, a RADIUS server, or from an external LDAP proxy server. The VPN Router assigns the inner IP address from one of several sources, using the following order: user-specified (excluding IPsec) static address, either the VPN Router’s LDAP database, the RADIUS server,...
  • Page 70 Use the Remote User IP Address Pool window to select a method for users to obtain IP addresses to access the private network. The VPN Router services these addresses and they are available to remote users on demand. You can choose IP addresses assigned from one of the following: •...
  • Page 71 VPN Router supports. Click Immediate Address Release if there are a limited number of available IP addresses and you want the VPN Router to release the IP address back to the DHCP server immediately. IP addresses from disconnected tunnel sessions remain unavailable for the time you specify (300 to 7200 seconds).
  • Page 72: Configuring Dhcp Relay

    When a locally attached host issues a DHCP or BOOTP request as a broadcast message, the VPN Router relays the message to a specified DHCP or BOOTP server. The DHCP relay agent also forwards DHCP replies from server to client.
  • Page 73: Configuring Ssl Administration

    Relayed To Client—total number of packets forwarded to DHCP client(s) Configuring SSL administration The SSL administration feature enables secure management of the VPN Router over SSL-enabled HTTP (HTTPS) and is used over all tunnel and interface types. Remote management of a VPN Router requires only an SSL-enabled Web browser on the administrator's computer, which most operating systems include.
  • Page 74: Figure 9 Ssl Administration

    VPN tunnel. The Stateful Firewall applies only to HTTPS traffic routed through the device, not to the management IP address. The VPN Router uses HTTPS services for Firewall User Authentication (FWUA) and SSL-enabled administration. The following cipher combinations are available: •...
  • Page 75: Browser Security Checks

    Explicitly allow HTTPS if tunnel filters are enabled on the Profiles > Filters window for management through a VPN tunnel. • Install a valid server certificate on the VPN Router and apply it to the SSL/TLS services to authenticate and validate SSL connections. •...
  • Page 76: Configuring Ssl/Tls And Configuring Http Services

    In Internet Explorer, select Tools > Internet options > content > certificates > trusted root certification authority tab and select import. Import the root certificate that issued your VPN Router server certificate into the JRE certificate store. Note: To satisfy a further name check by Netscape browsers, make the VPN Router server certificate common name either a DNS name that resolves to the management IP address or the management IP address.
  • Page 77: Figure 10 Https Services

    (for example, CN=ces1, O=MyOrg, C=US). Figure 11 shows the SSL/TLS window with selected ciphers. Click Advanced Options and check the box if you do not want empty fragments for CBC ciphers inserted. Click Apply.
  • Page 78: Configuring Dns Servers

    To test the SSL administration feature, direct an SSL-enabled Web browser to the private interface of the VPN Router. To use this service from the public side of the VPN Router, you must direct your browser to the public IP address.
  • Page 79 “Configuring DHCP servers” on page 57. You can configure the VPN Router 1010, 1050, or 1100 as a DNS proxy, which means that it can act like a DNS server for any PC on the private network. The PCs are configured to send their DNS queries to the DNS proxy, which in turn passes the query to its set of true DNS servers.
  • Page 80 For Fourth Server, enter an IP address for the fourth DNS server. If the preceding servers do not respond, service is requested of the fourth DNS server. Click OK. The VPN Router checks all of the DNS addresses to see if they respond and then provides an operational or error status.
  • Page 81: Using Certificates

    LDAP server SSL encryption Secure socket layer (SSL) provides Internet security and privacy and ensures privacy between the VPN Router and the external LDAP server. The SSL protocol negotiates encryption keys and authenticates the server before any data is exchanged. SSL maintains the transmission channel's security and integrity through encryption, authentication, and message authentication codes.
  • Page 82: Installing Ldap Certificates

    After SSL authentication is established, the VPN Router authenticates itself to the directory server by presenting its LDAP bind DN and password. For the SSL connection to be successful, the VPN Router must trust the issuer of the certificate presented by the directory server during the initial SSL authentication.
  • Page 83: Figure 12 Ldap Special Characters

    Select System > Certificates. Select Enable Special Character Support for Subject DN. The default is disabled. Figure 12 shows the System > Certificates window with LDAP special characters enabled. Figure 12 LDAP special characters
  • Page 84: External Ldap Proxy

    Configurable warning time for certificate expiration You can configure the VPN Router so that Health Check Certificates Validity sends a warning that a certificate is due to expire. You must enable SNMP traps, and Server Trap Configuration must include Certificates Validity, with the Send One parameter not checked.
  • Page 85: Vpn Security Using Digital Certificates

    The VPN Router supports RSA digital signature authentication for the IPsec IKE key management protocol. Remote users can authenticate themselves to the VPN Router using a public key pair and a certificate as credentials. The VPN Router uses its own key pair and certificate to authenticate the VPN Router to the user.
  • Page 86: Generating A Server Certificate Request

    Import the signed certificate request and click OK. Note: When you are using Entrust CA, this request must have a subject distinguished name with a common name that is equal to the Entrust reference number used to preauthorize the certificate issuance.
  • Page 87: Installing Server Certificates Using Cmp

    IP address. Figure 13 shows a CMP environment. Figure 13 Sample CMP environment To initialize the VPN Router for initial certificate enrollment with CMP, you need the following: • Issuer name—CA distinguished name •...
  • Page 88 Relative, then enter the relative name details: Enter the common name associated with the VPN Router. b Enter the organizational unit associated with the VPN Router. Enter the organization associated with the VPN Router. d Enter the locality where the VPN Router resides.
  • Page 89: Installing Trusted Ca Certificates

    Enter the organization associated with the VPN Router. d Enter the locality where the VPN Router resides. Enter the state or province where the VPN Router resides. Enter the country where the VPN Router resides. 11 Click Apply. 12 On the System > Certificates > Certificate Generation window, select Details.
  • Page 90: Setting Certificate Parameters

    Select Trusted if the certificate is trusted. For CA certificates, this indicates that tunnel requests presenting this issuer as the signer of their certificate are trusted. For server certificates, this is a method of turning off the certificate without deleting it.
  • Page 91 Default Server Certificate is the Subject DN of the certificate that you want to use as the identity of the VPN Router when initiating or responding to a connection request associated with that group. Tunnel requests are bound to a particular group by the CA certificate that the remote party is presenting as the signer of its certificate.
  • Page 92: Trusted Ca Certificate Settings

    If the subject DN of the certificate presented by the remote initiator of the tunnel is a user located on that VPN Router, then the group that the user is bound to is the one indicated in that user’s configuration.
  • Page 93: Access Control By Subject Dn

    This form of mapping incoming requests to groups allows the subject DN of incoming certificates to be parsed to a configured depth and associated with a corresponding group. During the client authentication process, the VPN Router tries to match the client’s certificate subject DN with all the associations of the CA.
  • Page 94: Group And Certificate Association Configuration

    This feature provides finer control for a user to associate a certificate with a group for IPsec tunnel connections. Each Certificate Authority user can set up a lookup table between the certificate subject DN and a VPN Router group. When a new tunnel using the certificate is authenticated, the VPN Router uses the certificate's subject DN to look up the group in the table.
  • Page 95: Figure 14 Ca Key Update Ready For Authentication

    CA certificate that issued the user certificate. The VPN Router can also verify that the user’s certificate is not revoked, because it was configured to periodically retrieve the latest CRL from the directory. It can authenticate that CRL because it has the CA certificate that signed it.
  • Page 96: Configuring A Certificate Revocation List (Crl)

    Authenticating the CRL presents a problem for the VPN Router at this point because it is signed by the updated CA certificate, and the VPN Router does not have that updated CA certificate locally to authenticate the CRL signature. The solution is to import the updated CA certificate into the VPN Router.
  • Page 97: Configuring Crl Servers

    The VPN Router can optionally use CRLs to verify the revocation status of user certificates. If enabled on the VPN Router, CRLs are periodically retrieved from the CA's LDAP directory store and cached in the VPN Router's associated LDAP database. This allows for rapid verification of user certificates during IPsec tunnel establishment.
  • Page 98: Configuring Crl Retrieval Scheduling

    CRL. The default value of 0 indicates that this VPN Router does not update any CRLs. This option is useful when more than one VPN Router shares an LDAP database, but you want only one VPN Router to actually perform the update operation.
  • Page 99 Select System > Certificates > CA Certificate: Details and click Manage CRL Servers. The Manage CRL Servers window has a list of currently... Specifies the choices for the application of CRL Update as none, everyday, or on specific days.
  • Page 100: Crl Distribution Points

    CRL distribution points (CDP) identifies how CRL vendor-specific information is obtained. It is supported for Entrust CAs. When implemented, users authenticate only against the CRL that is specified in the certificate CDP. This provides faster tunnel establishment. Figure 15 is an example of CRL distribution points.
  • Page 101: Figure 15 Crl Distribution Points

    CRL instead of all available CRLs. Even if the list of CRLs is long, it does not affect performance of the VPN Router because only one CRL is used. If CRL checking is set to mandatory and CRLs are not present on the VPN Router, a request is made to CA LDAP to obtain only the CRL specified in the user's certificate CDP.
  • Page 102: Crl Retrieval

    Any changes that you made on the Authentication portion of the previous window are lost. Enter the local UID. This is the user ID of the local VPN Router that you are configuring. Enter the peer UID. This is the user ID of the remote VPN Router that you are configuring.
  • Page 103: Identifying Individual Users With Certificates

    Identifying individual users with certificates An alternative to allowing all users issued by a particular CA to gain access to the VPN Router is to identify users explicitly by certificate attributes. To create IPsec certificate credentials: Select Profiles > Users > Add User/Edit.
  • Page 104: Identifying Branch Offices With Certificates

    CA in the remote peer’s certificate hierarchy. The CA must have the trusted flag set on the Certificates window. If a CA hierarchy is used, you must import all intermediary CAs below the trusted CA to the VPN Router. These certificate authorities are...
  • Page 105 • Country—enter the country in which the user resides The local identity is the name of the VPN Router that you want to use to identify itself when initiating or responding to a connection request. You can use either a subject distinguished name (subject DN) or a subject alternative name to uniquely identify this system.
  • Page 106: L2Tp/Ipsec Authentication

    L2TP/IPsec authentication In the Authentication section, complete the following information: Under Local UID, enter the user ID of the local VPN Router that you are configuring. Under Peer UID, enter the user ID of the remote VPN Router that you are configuring.
  • Page 107: Index

    RADIUS 42 class attributes RADIUS 46 client 23 CMP 77 CRL distribution points (CDP) 90 CRL retrieval 92 CRL server manage 89 CRL settings 87 CSFW 33 default group client authentication 83...
  • Page 108 33 server port number 90 LDAP proxy password management 36 user authentication 36 LDAP special characters 72 LDAP V2 servers 38 Microsoft 39 Microsoft Active Directory 39 outer IP address 59 RADIUS 42 ports RADIUS accounting 56...
  • Page 109 DN 82 synchronize RADIUS servers 31 technical publications 7 tokens card 43 security 23 trusted CA certificates 79 V3-compliant LDAP server 37 X.500 directory search base 90 X.509 certificates 17, 75...
