Using XAUTH and RADIUS with ProSafe™ VPN Firewalls

This application note describes how to use XAUTH and RADIUS to manage the authentication of many remote VPN clients to a NETGEAR ProSafe VPN Firewall.

XAUTH and RADIUS

When connecting many VPN clients to a VPN gateway router, administrators probably want user authentication beyond a single, common preshared key for all clients. Although administrators could configure a unique VPN policy for each user, it would be convenient if the VPN gateway router authenticated users from a stored list of user accounts. XAUTH provides the mechanism for requesting individual authentication information from the user, and RADIUS allows storing the authentication information centrally in the local network. Alternatively, the list of user accounts can be stored in the router itself, in a user database.

RADIUS (Remote Authentication Dial-In User Service, RFC 2865) is a protocol for managing the Authentication, Authorization and Accounting (AAA) of multiple users in a network. A RADIUS server stores a database of user information, and can validate a user at the request of a gateway or server in the network when a user requests access to network resources.

While a VPN connection is being made, the VPN gateway can interrupt the process with an XAUTH (eXtended AUTHentication) request. At that point the remote user must provide authentication information such as a username/password or some encrypted response using his username/password information. The gateway can verify this information either against a local database or by relaying the information to a central authentication server such as a RADIUS server.


Applicability

This application note applies to these models and firmware (or later firmware):

Model Firmware
FVX538 1.6.38
FVS338 1.6.35

This procedure was tested using:

  • A NETGEAR FVS338 ProSafe VPN Firewall with version 1.6.35 firmware
  • NETGEAR ProSafe VPN Client software version 10.5.1 (Build 8)

Obtaining a RADIUS Server

Many popular RADIUS Server implementations, both free and commercial, are available, for example:

The RADIUS client of the ProSafe VPN Firewalls was tested with FreeRADIUS and Microsoft IAS. However, choosing and configuring a RADIUS Server is beyond the scope of this note. NETGEAR does not recommend any specific server. Refer to vendor documentation.

Configuring the Router for XAUTH

Begin with a working configuration of IKE and VPN policies, then add XAUTH in the IKE Policy menu. XAUTH can be selected in the IKE Policies menu, and can be configured in two modes:

  • IPsec Host — a client, which requests to be authenticated.
  • Edge Device — a server, which verifies the authentication of clients.

When the router functions as an IPsec Host, it attempts to authenticate an outgoing connection using the entered username and password.

When the router functions as an edge device, it attempts to authenticate incoming connections first using the user account information in the User Database menu. If no match is found, it attempts to contact the RADIUS Server if such a server is configured in the RADIUS Client menu.

  1. Go to the IKE Policies menu and click Edit to add XAUTH to a working IKE policy.
  2. Under the X AUTHENTICATION section, select Edge Device.
  3. For Authentication Type, select Generic to use PAP, otherwise select CHAP. If you are using RADIUS, this setting must also be configured at your RADIUS Server. PAP is more universally compatible, but CHAP is more secure.
  4. Click Apply.
  5. Next, configure your router to authenticate locally or using an external RADIUS Server. The router first attempts to authenticate incoming connections using the user account information in the User Database menu. If no match is found, it attempts to contact the RADIUS Server if such a server is configured in the RADIUS Client menu.

Configuring the Router for Authentication using the Local User Database

Whether or not you use an external RADIUS Server, you may want some users authenticated locally. These users must be added to the User Database menu as follows:

  1. Go to the User Database menu and click Add to add a user to the local database.
  2. Enter the User Name and Password for the user to be added.
  3. Click Apply.


Configuring the Router for Authentication using a RADIUS Server

In the RADIUS Client menu, you configure a primary and a backup RADIUS Server for user authentication. The router's RADIUS Client first contacts the Primary Server. If the Primary Server does not respond, the Client contacts the Backup Server.

For the Primary and Backup Server enter:

  • Server Address — The IP address of the RADIUS Server.
  • Auth port — RADIUS Server Authentication Port number. For authenticating users, the RADIUS Client will use this protocol port to communicate with the Authentication process in the RADIUS Server. In most cases the default port number should work.
  • Acct port — The protocol port number that connects to the Accounting process in the RADIUS Server. In most cases the default port number should work.
  • Secret Phrase — Transactions between the RADIUS Client and RADIUS Server are authenticated using a shared secret. This Secret Phrase must be configured identically on the RADIUS Client and RADIUS Server.
  • NAS Identifier — This router is acting as a NAS (Network Access Server), allowing network access to external users after verifying their authentication information. In a RADIUS transaction, the NAS must provide NAS Identifier information to the RADIUS Server. Depending on the configuration of the RADIUS Server, the router's IP address may be sufficient as an identifier, or the Server may require a name, which you would enter here. This name would also be configured on the RADIUS Server, although in some cases it should be left blank on the RADIUS Server.

Click Apply to save the configuration.

NOTE: In our testing using Windows IAS, the NAS Identifier needed to be left blank in the Windows IAS configuration. Also, the Authentication Type (set in the IKE Policy menu) needed to be Generic (PPP).
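As an added illustration, not code from this application note or from NETGEAR, the following Python sketch shows what the Secret Phrase and the Generic (PAP) authentication type do on the wire between the router's RADIUS Client and the RADIUS Server, following RFC 2865: how the User-Password is hidden in an Access-Request, how the server's Response Authenticator is computed from the shared secret, and why a mismatched Secret Phrase makes the reply fail verification. The secret, user name and NAS Identifier values are constructed for the example.

```python
import hashlib
import hmac
import struct

# Constructed sample Secret Phrase for this example; not a value from the application note.
SECRET = b"constructed-secret-phrase"

def _attr(attr_type, value):
    # One RADIUS attribute: Type, Length (including this 2-byte header), Value.
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def pap_hide_password(password, secret, req_auth):
    """Hide a PAP User-Password per RFC 2865 section 5.2 (the router's Generic type): each
    16-byte block is XORed with MD5(secret + previous block). Reversible obfuscation, not encryption."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += prev
    return out

def pap_reveal_password(hidden, secret, req_auth):
    """Inverse of pap_hide_password, as the RADIUS Server recovers the password."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(h ^ k for h, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(ident, username, password, secret, nas_id, req_auth):
    """Access-Request (Code 1): 4-byte header, 16-byte Request Authenticator, attributes."""
    attrs = _attr(1, username) + _attr(2, pap_hide_password(password, secret, req_auth))
    if nas_id:  # NAS Identifier is optional; an empty attribute must not be sent
        attrs += _attr(32, nas_id)
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth + attrs

def build_reply(code, ident, attrs, req_auth, secret):
    """Server reply; Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs

def verify_access_accept(reply, req_auth, secret):
    """True only for an Access-Accept (Code 2) whose authenticator was made with the same
    secret the client holds; a mismatched Secret Phrase or a forged reply fails here."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = build_reply(code, ident, reply[20:length], req_auth, secret)[4:20]
    return code == 2 and hmac.compare_digest(reply[4:20], expected)
```

Because the PAP hiding is only an MD5-derived XOR keyed by the Secret Phrase, a long, random secret matters as much for the Generic (PAP) setting as it does for verifying replies; CHAP avoids sending the password at all.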


Configuring the NETGEAR ProSafe VPN Client for XAUTH

Starting with a working configuration of the NETGEAR ProSafe VPN Client, only one additional configuration setting is required to add XAUTH:

  1. Click Authentication and select Proposal 1. Use the values that match your configuration of the VPN router's IKE menu.
  2. For Authentication Method, select Pre-Shared Key; Extended Authentication.
  3. Click the floppy disk button icon to save the Security Policy.

Testing the Connection

  1. Right-click the VPN client icon in the Windows toolbar and select Connect, then My Connections\<connection name>.
  2. In seconds, a login window appears.
  3. When you submit the correct login information, the message "Successfully connected to My Connections\<connection name>" displays and the VPN client icon in the toolbar reads On.
  4. From the client PC, test by pinging a computer on the VPN router's LAN.

For status and troubleshooting, right-click the VPN client icon in the Windows toolbar and select "Connection Monitor" or "Log Viewer", or view the VPN log and status menu in the VPN router.

Doc: N101493.asp July 1, 2005
