Policy-Based Vpn Creation Using Remote Access Server Users Overview; Authenticating Ras Users - Juniper NETWORK AND SECURITY MANAGER 2010.4 - CONFIGURING SCREENOS DEVICES GUIDE REV 01 Manual

Policy-Based VPN Creation Using Remote Access Server Users Overview

For VPNs that support RAS users, you must create a user object to represent each user. NSM supports two types of users:

Local Users—A local user has an account on the security device that guards the protected resources in the VPN. When a local user attempts to connect to a protected resource, the security device authenticates the user.

External Users—An external user has an account on a RADIUS or SecurID authentication server. When an external user attempts to connect to a protected resource, the security device forwards the request to the authentication server for authentication.

The topic includes:

Authenticating RAS Users on page 213
Configuring Group IKE IDs on page 214

Authenticating RAS Users

You can authenticate or encrypt a RAS user using one or more of the following protocols. Table 51 on page 213 describes the various protocols.

Table 51: Authenticating RAS Users

Protocol         Description
XAuth            Uses IPsec ESP and a username and password for authentication. XAuth RAS users must
                 authenticate with a username and password when they connect to the VPN tunnel.
AutoKey IKE      Uses IPsec ESP and AH for encryption and authentication. AutoKey IKE users have a
                 unique IKE ID that NSM uses to identify and authenticate the user during IKE Phase I
                 negotiations. To simplify RAS management for large numbers of AutoKey IKE users, you
                 can also create AutoKey IKE groups that use a shared group IKE ID.
L2TP             Uses Password Authentication Protocol (PAP) and Challenge Handshake Authentication
                 Protocol (CHAP) for authentication (password sent in the clear).
Manual Key IKE   Uses IPsec ESP and AH for encryption and authentication. Because manual key users are
                 device-specific, you create them in the security device configuration, not in the
                 Object Manager. For details on creating manual key users, see "L2TP and XAuth Local
                 Users Configuration Overview" on page 247.

We strongly recommend that you do not use null AH with ESP.

NSM allows a certificate with DC in the certificate DN to be used for dial-up user IKE ID selection. When you use the certificate DN as the dialup user IKE ID, the following takes place:

On the device server, a partial or whole DN is associated with a VPN configuration.
On the client side, the certificate DN is sent as the IKE ID, and the server matches the VPN configuration based on the content of the DN.

Copyright © 2010, Juniper Networks, Inc.
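As an added example (not from the Juniper guide), the Python below models the DN-based selection just described: each VPN configuration is associated with a partial or whole DN, the dial-up client presents its certificate DN as IKE ID, and the device picks the configuration whose DN components appear in the presented DN. The configuration names, the sample DNs, the RDN-subset matching rule and the most-specific-wins tie-break are assumptions chosen for illustration, not ScreenOS's documented behaviour.

```python
from typing import Optional

# Constructed sample data: a partial or whole DN associated with each VPN
# configuration on the device. Names and DNs are made up for this example.
VPN_CONFIGS = {
    "vpn_sales": "OU=Sales,DC=example,DC=com",
    "vpn_eng": "OU=Engineering,DC=example,DC=com",
    "vpn_admin": "CN=admin,OU=Engineering,DC=example,DC=com",
    "vpn_partner": "DC=partner,DC=net",
}


def parse_dn(dn: str) -> list:
    """Split a comma-separated DN into (type, value) RDNs.
    Attribute types are case-insensitive; values are kept as given.
    Escaped commas inside values are not handled (assumption)."""
    rdns = []
    for part in dn.split(","):
        if "=" not in part:
            raise ValueError(f"malformed RDN in DN: {dn!r}")
        attr, value = part.split("=", 1)
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns


def dn_matches(partial_dn: str, presented_dn: str) -> bool:
    """Assumed rule: a configured DN matches when every one of its RDNs
    is present in the presented DN, regardless of order."""
    have = parse_dn(presented_dn)
    return all(rdn in have for rdn in parse_dn(partial_dn))


def select_vpn(ike_id_dn: str, cert_subject_dn: str,
               configs=VPN_CONFIGS) -> Optional[str]:
    """Pick the VPN configuration for a dial-up peer whose IKE ID is a DN.
    The IKE ID is only honoured if it equals the subject DN of the peer's
    already-validated certificate; otherwise no configuration is chosen.
    Among matches, the most specific (most RDNs) wins (assumed tie-break)."""
    if parse_dn(ike_id_dn) != parse_dn(cert_subject_dn):
        return None
    best, best_len = None, -1
    for name, partial in configs.items():
        if dn_matches(partial, ike_id_dn):
            n = len(parse_dn(partial))
            if n > best_len:
                best, best_len = name, n
    return best
```

The comparison against the validated certificate subject is the check that keeps a peer from steering itself into another VPN configuration simply by choosing a different IKE ID string.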
Chapter 7: Planning and Preparing VPNs
213