Table of Contents
Advertisement
Network and Security Manager Administration Guide
556
Configuring Remote Access Service (RAS) Users
For VPNs that support RAS users, you must create a user object to represent each user.
NSM supports two types of users:
Local Users—A local user has an account on the security device that guards the
protected resources in the VPN. When a local user attempts to connect to a protected
resource, the security device authenticates the user.
External Users—An external user has an account on RADIUS or SecureID Authentication
Server. When an external user attempts to connect to a protected resource, the security
device forwards the request to the authentication server for authentication.
Authenticating RAS Users
You can authenticate/encrypt a RAS user using one or more of the following protocols:
XAuth—Uses IPSec ESP and a username and password for authentication. XAuth RAS
users must authenticate with a username and password when they connect to the
VPN tunnel.
AutoKey IKE—Uses IPSec ESP and AH for encryption and authentication. AutoKey IKE
users have a unique IKE ID that NSM uses to identify and authenticate the user during
IKE Phase I negotiations. To simplify RAS management for large numbers of AutoKey
IKE users, you can also create AutoKey IKE groups that use a shared Group IKE ID.
NOTE: We strongly recommend that you do not use null AH with ESP.
L2TP—Uses Password Authentication Protocol (PAP) and Challenge Handshake
Authentication Protocol (CHAP) for authentication (password sent in the clear).
Manual Key IKE—Uses IPSec ESP and AH for encryption and authentication. Because
manual key users are device-specific, you create them in the security device
configuration, not in the Object Manager. For details on creating manual key users, see
the Network and Security Manager Configuring ScreenOS and IDP Devices Guide.
NSM allows certificate with DC in certificate DN to be used for dialup user IKE ID selection.
When you use certificate DN as dialup user IKE ID, the following takes place:
On the device sever, a partial or whole DN is associated with a VPN configuration.
On the client side, the certificate DN is sent as IKE ID for the server to match the VPN
configuration based on the content of DN.
The server DN configuration can contain a container part and a wildcard part as follows:
The container part contains a continuous section of the DN; for example, "OU=a,O=b"
. Any DN containing all specified elements in correct order are accepted.
Up to seven wildcards can be specified, one for each of the following element: CN, OU,
O, L, ST, C, Email.
Copyright © 2010, Juniper Networks, Inc.
Advertisement
Table of Contents
