not be available to the IPsec client.
6. The Windows VPN client can now be configured as normal except that IPv6 must be
disabled for the connection because this is not supported.
Configuration of NetDefendOS
For the NetDefendOS configuration, the setup steps are as follows:
1. In NetDefendOS configure a Config Mode Pool object that will provide the IP addresses to
the connecting clients.
2. Add the same CA root certificate to NetDefendOS along with a host certificate signed by
the root certificate.
3. Configure an IPsec Tunnel object that will be used for client connection.
4. Configure a RADIUS Server object in NetDefendOS that will be used for EAP authentication. It
is recommended to use an EAP method of MSCHAPv2.
5. Configure an Authentication Rule object that will trigger on the connecting clients. The rule
should try to match the targeted traffic as closely as possible and should specify the Agent
property as EAP.
The details for the above NetDefendOS configuration steps can be found in the NetDefendOS
setup example below.
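Step 2 above only works if the host certificate really was issued by the CA root that is installed on both sides. The following shell check is an added example and is not part of the NetDefendOS documentation; it uses the openssl command-line tool, the file names are hypothetical, and make_sample_pki only builds constructed test certificates.

```shell
#!/bin/sh
# Added example: check a gateway host certificate against the CA root before
# uploading both. File names and the 30-day default are assumptions.

# check_host_cert CA_PEM HOST_PEM [MIN_SECONDS_VALID]
# Returns 0 and prints OK, or 1 (not a root), 2 (wrong issuer), 3 (expiring).
check_host_cert() {
    ca=$1; host=$2; min_valid=${3:-2592000}
    # A root certificate is self-issued: issuer name equals subject name.
    [ "$(openssl x509 -in "$ca" -noout -subject_hash)" = \
      "$(openssl x509 -in "$ca" -noout -issuer_hash)" ] ||
        { echo "CA file is not a self-issued root"; return 1; }
    # The host certificate must name this root as issuer and its signature must verify.
    [ "$(openssl x509 -in "$host" -noout -issuer_hash)" = \
      "$(openssl x509 -in "$ca" -noout -subject_hash)" ] &&
        openssl verify -CAfile "$ca" "$host" >/dev/null 2>&1 ||
        { echo "host certificate was not issued by this root"; return 2; }
    # Reject a certificate that expires within the next MIN_SECONDS_VALID seconds.
    openssl x509 -in "$host" -noout -checkend "$min_valid" >/dev/null ||
        { echo "host certificate expires too soon"; return 3; }
    echo "OK"
}

# make_sample_pki DIR
# Builds constructed test data: a root, an unrelated root, and a host
# certificate (valid for 90 days) issued by the first root.
make_sample_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Constructed Root CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Unrelated Root CA" \
        -keyout "$d/other.key" -out "$d/other-ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=gw.example.test" \
        -keyout "$d/host.key" -out "$d/host.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/host.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 90 -out "$d/host.pem" 2>/dev/null
}

# Usage: sh check_cert.sh ca.pem host.pem [min_seconds_valid]
if [ "$#" -ge 2 ]; then
    check_host_cert "$@"
fi
```
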
RADIUS Server Setup
The following setup notes apply to a Microsoft Network Policy Server (NPS) and should be
adapted if another type of RADIUS server is being used. With an NPS, the following steps should
be performed:
1. Under NPS > Policies > Connection Request Policies, add a Connection Request Policy.
2. The Type of network access server should be set to Unspecified.
3. The Conditions part of the policy specifies any restrictions.
4. Under NPS > Policies > Network Policies, add a Network Policy with no restrictions.
5. Under Constraints, select Authentication methods and then choose an EAP method. All EAP
options are supported but EAP-MSCHAP v2 is recommended.
6. Select the NAS Port Type section of Constraints and disable all options.
7. Under RADIUS Clients, add the clients that will connect.
Example 9.9. IKEv2 EAP Client Setup
This example describes how to configure NetDefendOS to allow the setup of an IKEv2 IPsec
tunnel from a roaming client using EAP authentication. The default IKE and IPsec proposal lists
will be used.
This example assumes that the relevant certificates have been installed correctly in NetDefendOS
Chapter 9: VPN