363| Virtual Private Networks AOS-W 6.5.3.x| User Guide
In the CLI
The following example uses the command-line interface to configure a L2TP/IPsec VPN for
username/password clients using IKEv1:
(host)(config) #vpdn group l2tp
enable
ppp authentication pap
client dns 101.1.1.245
(host)(config) #ip local pool pw-clients 10.1.1.1 10.1.1.250
(host)(config) #crypto isakmp key <key> address 0.0.0.0 netmask 0.0.0.0
(host)(config) #crypto isakmp policy 1
authentication pre-share
Next, issue the following command in enable mode to configure client entries in the internal database:
(host)(config) #local-userdb add username <name> password <password>
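A small lint pass over a transcript like the one above catches the kind of slip that is easy to make when typing these commands by hand (a malformed netmask, an inverted pool range) and points out that a pre-shared key bound to address 0.0.0.0 netmask 0.0.0.0 is a single key shared by every client. This is an added example, not part of the AOS-W guide; the transcript and the key value are constructed.

```python
import ipaddress
import re

# Constructed sample, modelled on the CLI transcript in this section (hypothetical key value).
SAMPLE_CONFIG = """\
(host)(config) #vpdn group l2tp
enable
ppp authentication pap
client dns 101.1.1.245
(host)(config) #ip local pool pw-clients 10.1.1.1 10.1.1.250
(host)(config) #crypto isakmp key EXAMPLE-KEY address 0.0.0.0 netmask 0.0.00
(host)(config) #crypto isakmp policy 1
authentication pre-share
"""

# Matches the "(host)(config) #" prompt that precedes top-level commands.
PROMPT = re.compile(r"^\([^)]*\)\(config\) #")


def valid_ipv4(text):
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False


def lint_vpn_config(config):
    """Return a list of findings for an L2TP/IPsec CLI transcript."""
    findings = []
    for raw in config.splitlines():
        tok = PROMPT.sub("", raw).split()
        if len(tok) == 3 and tok[:2] == ["client", "dns"] and not valid_ipv4(tok[2]):
            findings.append(f"client dns: malformed address {tok[2]!r}")
        elif len(tok) >= 6 and tok[:3] == ["ip", "local", "pool"]:
            # ip local pool <name> <start> <end>
            start, end = tok[4], tok[5]
            if not (valid_ipv4(start) and valid_ipv4(end)):
                findings.append(f"ip local pool: malformed range {start} {end}")
            elif ipaddress.IPv4Address(start) > ipaddress.IPv4Address(end):
                findings.append(f"ip local pool: start {start} is above end {end}")
        elif len(tok) >= 8 and tok[:3] == ["crypto", "isakmp", "key"]:
            # crypto isakmp key <key> address <addr> netmask <mask>
            addr, mask = tok[5], tok[7]
            for label, value in (("address", addr), ("netmask", mask)):
                if not valid_ipv4(value):
                    findings.append(f"crypto isakmp key: malformed {label} {value!r}")
            if addr == "0.0.0.0" and mask == "0.0.0.0":
                findings.append("crypto isakmp key: wildcard peer, one PSK shared by all clients")
    return findings


if __name__ == "__main__":
    for finding in lint_vpn_config(SAMPLE_CONFIG):
        print(finding)
```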
Configuring Remote Access VPNs for XAuth
Extended Authentication (XAuth) is an Internet Draft that permits user authentication after IKE Phase 1
authentication completes. The user is prompted for a username and password, and the credentials are verified
against an external RADIUS or LDAP server or the switch's internal database. Alternatively, the user can
authenticate with a smart card that holds a digital certificate used to verify the client credentials. IKE Phase 1
authentication itself can use either an IKE preshared key or digital certificates.
Configuring VPNs for XAuth Clients using Smart Cards
This section describes how to configure a remote access VPN on the switch for Cisco VPN XAuth clients using
smart cards. Smart cards contain a digital certificate, allowing user-level authentication without the user
entering a username and password. IKE Phase 1 authentication can be done with either an IKE preshared key
or digital certificates; for XAuth clients using smart cards, the smart card digital certificates must be used for IKE
authentication. The client is authenticated with the internal database on the switch.
On the switch, you must configure the following:
1. Add entries for Cisco VPN XAuth clients to the switch’s internal database, or to an external RADIUS or LDAP
server. For details on configuring an authentication server, see Authentication Servers on page 178.
For each client, create an entry in the internal database whose name is the entire Principal Name (the
subjectAltName extension of the X.509 certificate) or the Common Name, exactly as it appears on the certificate.
2. Verify that the server with the client data is part of the server group associated with the VPN authentication
profile.
3. In the L2TP and XAUTH Parameters section of the Configuration > VPN Services > IPsec tab, enable
L2TP.
4. In the L2TP and XAUTH Parameters section of the Configuration > VPN Services > IPsec tab, enable
XAuth to enable prompting for the username and password.
5. The Phase 1 IKE exchange for XAuth clients can be either Main Mode or Aggressive Mode. Aggressive
Mode condenses the IKE SA negotiation into three packets (versus six packets for Main Mode). In the
Aggressive Mode section of the Configuration > VPN Services > IPsec tab, enter the authentication
group name for aggressive mode to associate this setting with multiple clients. Make sure that the group
name matches the aggressive mode group name configured in the VPN client software.