361| Virtual Private Networks AOS-W 6.5.3.x| User Guide
transform-set <transform-set-name> esp-3des|esp-aes128|esp-aes128-gcm|esp-aes192|esp-aes256|esp-aes256-gcm|esp-des esp-md5-hmac|esp-null-mac|esp-sha-hmac
Configuring a VPN for Smart Card Clients
This section describes how to configure a remote access VPN on the switch for Microsoft L2TP/IPsec clients
with smart cards, which contain a digital certificate allowing user-level authentication without requiring the user
to enter a username and password. As described earlier in this chapter, L2TP/IPsec requires two levels of
authentication: IKE SA (machine) authentication and user-level authentication with an IKEv2 or PPP-based
authentication protocol.
Microsoft clients running Windows 7 (and later versions) support both IKEv1 and IKEv2. Microsoft clients using
IKEv2 support machine authentication using RSA certificates (but not ECDSA certificates or pre-shared keys)
and smart card user-level authentication with EAP-TLS over IKEv2.
Windows 7 (and later versions) clients without smart cards also support user password authentication using EAP-MSCHAPv2 or PEAP-MSCHAPv2.
Working with Smart Card Clients using IKEv2
To configure a VPN for Windows 7 (and later versions) clients using smart cards and IKEv2, follow the procedure
described in Configuring a VPN for L2TP/IPsec with IKEv2 on page 356, and ensure that the following settings
are configured:
• L2TP is enabled
• User Authentication is set to EAP-TLS
• IKE version is set to V2
• The IKE policy is configured for ECDSA or RSA certificate authentication
Working with Smart Card Clients using IKEv1
Microsoft clients using IKEv1, including clients running Windows Vista or earlier versions of Windows, only
support machine authentication using a pre-shared key. In this scenario, user-level authentication is performed
through an external RADIUS server using PPP EAP-TLS, and client and server certificates are mutually
authenticated during the EAP-TLS exchange. During the authentication, the switch encapsulates EAP-TLS
messages from the client into RADIUS messages and forwards them to the server.
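The encapsulation described in the previous paragraph follows RFC 3579: the switch (acting as RADIUS client) splits each EAP packet across one or more EAP-Message attributes of at most 253 bytes and must add a Message-Authenticator, an HMAC-MD5 over the request keyed with the RADIUS shared secret, which the server verifies before reassembling the EAP packet. The following is an added illustration of that wire format, not code from AOS-W or from this guide; the shared secret, user name and the 768-byte stand-in for a TLS record are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

# RADIUS constants (RFC 2865 / RFC 3579)
RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
MAX_ATTR_VALUE = 253  # one-byte attribute Length field also covers the 2-byte header

# EAP constants (RFC 3748 / RFC 5216)
EAP_RESPONSE = 2
EAP_TYPE_TLS = 13


def build_eap_tls_response(identifier, tls_data, flags=0x00):
    """EAP header (Code, Identifier, Length), Type 13 = EAP-TLS, one flags byte, TLS payload."""
    body = bytes([EAP_TYPE_TLS, flags]) + tls_data
    return struct.pack("!BBH", EAP_RESPONSE, identifier, 4 + len(body)) + body


def _attr(atype, value):
    if len(value) > MAX_ATTR_VALUE:
        raise ValueError("attribute value exceeds 253 bytes")
    return struct.pack("!BB", atype, 2 + len(value)) + value


def encapsulate_eap_in_radius(eap_packet, secret, user_name, identifier, request_auth=None):
    """NAS side: carry one EAP packet in a RADIUS Access-Request.
    Fragments of <= 253 bytes go into consecutive EAP-Message attributes; the
    Message-Authenticator is HMAC-MD5(secret, packet with its own value zeroed)."""
    if request_auth is None:
        request_auth = os.urandom(16)  # Request Authenticator is random for Access-Request
    attrs = _attr(ATTR_USER_NAME, user_name.encode())
    for off in range(0, len(eap_packet), MAX_ATTR_VALUE):
        attrs += _attr(ATTR_EAP_MESSAGE, eap_packet[off:off + MAX_ATTR_VALUE])
    attrs += _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))  # zero placeholder, last attribute
    header = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, identifier, 20 + len(attrs))
    packet = header + request_auth + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac  # overwrite the placeholder with the real HMAC


def parse_attributes(packet):
    """Walk the attribute TLVs; returns (type, offset, value) so callers can locate fields."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("RADIUS Length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute length")
        attrs.append((atype, pos, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def message_authenticator_valid(packet, secret):
    """Server side: RFC 3579 requires Message-Authenticator whenever EAP-Message is present;
    a request without it, or with a bad HMAC, must be discarded."""
    try:
        attrs = parse_attributes(packet)
    except ValueError:
        return False
    ma = [(off, val) for t, off, val in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(ma) != 1 or len(ma[0][1]) != 16:
        return False
    off, received = ma[0]
    zeroed = bytearray(packet)
    zeroed[off + 2:off + 18] = bytes(16)  # recompute with the MA value zeroed in place
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    return hmac.compare_digest(expected, received)


def extract_eap(packet, secret):
    """Server side: verify integrity first, then concatenate the EAP-Message fragments in
    order and check the reassembled EAP packet against its own Length field."""
    if not message_authenticator_valid(packet, secret):
        raise ValueError("Message-Authenticator missing or invalid; discard request")
    eap = b"".join(val for t, _, val in parse_attributes(packet) if t == ATTR_EAP_MESSAGE)
    if len(eap) < 4 or struct.unpack("!H", eap[2:4])[0] != len(eap):
        raise ValueError("reassembled EAP packet has inconsistent Length")
    return eap


if __name__ == "__main__":
    # Constructed sample: a 768-byte stand-in for a TLS record, not real handshake data.
    secret = b"constructed-shared-secret"
    eap = build_eap_tls_response(7, bytes(range(256)) * 3)
    radius = encapsulate_eap_in_radius(eap, secret, "smartcard-user", 1)
    frags = sum(1 for t, _, _ in parse_attributes(radius) if t == ATTR_EAP_MESSAGE)
    print(f"{len(eap)}-byte EAP packet carried in {frags} EAP-Message attributes")
    print("round trip ok:", extract_eap(radius, secret) == eap)
```

The server-side order matters: the Message-Authenticator is checked before any EAP-Message content is touched, and fragments are joined strictly in the order they appear, since RFC 3579 forbids reordering them. A RADIUS server that skips the check would process EAP-TLS exchanges whose RADIUS layer was forged or altered in transit, which is why the attribute is mandatory with EAP.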
On the switch, you must configure the L2TP/IPsec VPN with EAP as the PPP authentication protocol and an IKE policy
that uses pre-shared key authentication for the SA.
On the RADIUS server, you must configure a remote access policy to allow EAP authentication for smart card users
and select a server certificate. The user entry in Microsoft Active Directory must be configured for smart cards.
To configure an L2TP/IPsec VPN for clients using smart cards and IKEv1, ensure that the following settings are
configured:
1. On a RADIUS server, a remote access policy must be configured to allow EAP authentication for smart card
users and to select a server certificate. The user entry in Microsoft Active Directory must be configured for
smart cards. (For detailed information on creating and managing user roles and policies, see Roles and
Policies on page 375.)
   • Ensure that the RADIUS server is part of the server group used for VPN authentication.
   • Configure other VPN settings as described in Configuring a VPN for L2TP/IPsec with IKEv2 on page 356,
     while selecting the following options: