Client-Authentication - H3C MSR Series Command Reference Manual

− The automatic certificate request mode is configured for the PKI domain.
If the conditions are not met, you must manually obtain the CA certificate.
IKE first automatically obtains the CA certificate, and then requests a local certificate. If the CA
certificate already exists locally, IKE automatically requests a local certificate.
Examples
# Specify the PKI domain abc for IKE profile 1.
<Sysname> system-view
[Sysname] ike profile 1
[Sysname-ike-profile-1] certificate domain abc
Related commands
authentication-method
pki domain

client-authentication

Use client-authentication to enable client authentication.
Use undo client-authentication to disable client authentication.
Syntax
client-authentication xauth
undo client-authentication
Default
Client authentication is disabled.
Views
IKE profile view
Predefined user roles
network-admin
Parameters
xauth: Uses Extended Authentication within ISAKMP/Oakley (XAUTH) for authentication.
Usage guidelines
The client authentication feature provides additional authentication in IKE negotiation for secure
remote access to an IPsec VPN.
When networking an IPsec VPN for remote access, enable client authentication on the IPsec
gateway. During the IKE negotiation, the IPsec gateway uses a RADIUS server to authenticate the
remote users. Remote users who provide the correct username and password pass the
authentication and continue with the negotiation. This feature simplifies the configuration on the
IPsec gateway and ensures the validity of the remote users. If you do not use this feature, you must
configure an IPsec policy and an authentication password for each remote user, which is
time-consuming and difficult to maintain.
Examples
# Enable XAUTH client authentication.
<Sysname> system-view
[Sysname] ike profile test
[Sysname-ike-profile-test] client-authentication xauth
577