Authenticating VPN Users

When a user connects to the VPN 5001 concentrator, the user is authenticated, and the VPN concentrator is informed that the user belongs to a particular VPN group.

Some authentication systems can authenticate and provide the VPN group. Others perform only one task, requiring you to use one system for authentication and one to provide the VPN group. You can use multiple systems for extra security or ease of configuration.

The following table shows each supported system and its capabilities:


Table 8-1: Authentication Systems

System                               Authenticate   Provide VPN Group

VPN 5000 concentrator                Yes            Yes
RADIUS                               Yes            Yes
Axent Defender                       Yes            Yes
RSA Security SecurID                 Yes            No
Server-side PKI certificate system   Partial (1)    No

(1) A server-side PKI certificate system performs partial authentication in conjunction with another system, replacing the shared secret.

The following sections describe how to configure each system and how you might use it in your network.

Using a VPN 5000 Concentrator User List

If your user list is small and easy to maintain, you can identify the users in the VPN 5000 concentrator configuration.


Step 1   Enter:

edit config VPN Users

Note   The edit config text editor adds lines to the configuration exactly as entered. Unlike the configure configuration editor used elsewhere in this guide, you do not enter keywords and values.

Step 2   Enter:

append 1

This adds a line after the section name and changes the prompt to Append>.

Step 3   (Optional) Add a comment by starting the line with a pound sign (#), and press the Enter key at the end of the comment to go to a new line.

Step 4   Enter a user:

"username" Config="VPN_group" [SharedKey="Shared_Secret"]

Table 8-2: Username Options

Option            Description

"username"        Identifies a unique user. It must be the same as the name entered in the user's client. The name can be between 1 and 60 alphanumeric characters, with spaces allowed.

"VPN_group"       Specifies which VPN group the user belongs to, by VPN Group section name. Do not enter spaces around the equals sign in Config="VPN_group".

"Shared_Secret"   The password that authenticates the user to the concentrator and enables packet encryption. Enter the same shared secret into the VPN 5000 Client. The shared secret can be between 1 and 255 characters long. Do not enter spaces around the equals sign in SharedKey="Shared_Secret".

Step 5   Press the Enter key to go to a new line to add an additional user.

Step 6   After entering the last user, press the Enter key to go to a new line, enter a period (.), and press Enter.

Step 7   Enter the following command to exit the editor and keep your changes:

exit

Use quit to exit the editor without making any changes.
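As an added example (not code from the Cisco guide), this Python parser reads a VPN Users section body in the form built in Steps 1 through 7 and flags lines that break the limits Table 8-2 states: a 1 to 60 character alphanumeric username, a 1 to 255 character SharedKey, and no spaces around the equals sign. It assumes quoted values contain no double quote, and the sample section body is constructed.

```python
import re

# One VPN Users line: "username" Config="VPN_group" [SharedKey="Shared_Secret"]
# Assumption: quoted values do not themselves contain a double quote.
USER_LINE = re.compile(r'^"(?P<user>[^"]*)"\s+Config="(?P<group>[^"]*)"'
                       r'(?:\s+SharedKey="(?P<secret>[^"]*)")?$')

def parse_vpn_users(section_text):
    """Parse the body of an 'edit config VPN Users' section.
    Returns (users, errors): users maps username -> {"group", "secret"};
    errors lists (line_number, message) for lines outside the stated limits.
    '#' lines are comments and a lone '.' ends the section, as in the editor.
    """
    users, errors = {}, []
    for lineno, raw in enumerate(section_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == ".":
            break
        # Spaces around '=' are rejected anywhere on the line (a value containing ' = ' is flagged too).
        if re.search(r"\s=|=\s", line):
            errors.append((lineno, "no spaces allowed around '='"))
            continue
        m = USER_LINE.match(line)
        if not m:
            errors.append((lineno, 'expected "user" Config="group" [SharedKey="secret"]'))
            continue
        user, group, secret = m.group("user", "group", "secret")
        if not re.fullmatch(r"[A-Za-z0-9 ]{1,60}", user):
            errors.append((lineno, "username must be 1-60 alphanumeric characters (spaces allowed)"))
        elif secret is not None and not 1 <= len(secret) <= 255:
            errors.append((lineno, "SharedKey must be 1-255 characters"))
        elif user in users:
            errors.append((lineno, f"duplicate user {user!r}"))
        else:
            users[user] = {"group": group, "secret": secret}
    return users, errors

# Constructed sample section body (not from the original page).
SAMPLE = """# sales staff
"alice smith" Config="Sales" SharedKey="correct horse battery staple"
"bob" Config = "Sales" SharedKey="x"
"carol" Config="Engineering"
"dave!" Config="Engineering" SharedKey="abc"
.
"ignored after terminator" Config="Sales"
"""
```

Running parse_vpn_users(SAMPLE) accepts alice smith and carol, rejects bob (spaced equals sign) and dave! (non-alphanumeric name), and stops at the period so the last line is never read.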


Using a RADIUS or Axent Defender System

RADIUS or Axent Defender systems can authenticate users and inform the concentrator about the VPN group. You can use either system alone, or you can add a server-side PKI certificate system for extra authentication.

Defender is composed of both a server, which uses the RADIUS protocol, and a separate authentication device ("token") for each user. The user enters their PIN in the token, which generates a special one-time password that the user enters into the client. You can also use a RADIUS server with a SecurID system, which uses a PIN and token.

Defender requires VPN 5000 Client v4.2.x or later and server certificates.

To use either system, set up the VPN 5001 concentrator to communicate with the RADIUS server, and configure the server with the appropriate user settings according to the following sections.

Configuring the Concentrator for RADIUS

Step 1   configure Radius

Allows you to configure the Radius section.

Step 2   Authentication = On

Allows the concentrator to use a RADIUS server for authentication.

Step 3   BindTo = {Ethernet | WAN} slot:port[.subinterface]

Specifies which interface's IP address the concentrator uses as the source address for all packets sent to the RADIUS server. You must configure the RADIUS server with this port's IP address.

Step 4   PrimAddress = {IP_Address | Domain_Name}

Sets the IP address or fully qualified domain name of the primary server. See the "Identifying a Domain Name Server" section to use a domain name.

Step 5   Secret = String

A shared secret used by the concentrator and the RADIUS server to validate packets exchanged between them. This secret must match the secret configured in the RADIUS server. The string can be from 1 to 31 ASCII characters in length.

Step 6   Challengetype = {CHAP | PAP | Challenge}

Specifies which challenge type the RADIUS server uses to validate the client.

  • CHAP, the default, specifies that the user is sent a CHAP challenge.

  • PAP specifies that the user is sent a PAP challenge. You must also set the PAPAuthSecret for the concentrator to validate the user.

  • Challenge, for token-based systems like Defender, specifies that the user is sent a challenge requiring a token-generated response.

  a.   PAPAuthSecret = String

If you set the Challengetype keyword to PAP, set a password that the VPN 5000 concentrator uses to authenticate and encrypt packets from the VPN 5000 Client before they are passed on to the RADIUS server. Enter this Authentication Password in the client in addition to the RADIUS password. The string can be from 1 to 255 ASCII characters long.

Step 7   If you are not using a server certificate:

VPNPassword = Number

Specifies which attribute number the RADIUS server assigns to the VPN password attribute. The default is 69.

See "Installing Certificates on the Concentrator" for information about server certificates.

Step 8   VPNGroupInfo = Number

Specifies which attribute number the RADIUS server assigns to the VPN group attribute. The default is 77. The value can be between 64 and 191.

Step 9   If the RADIUS server supplies client IP or IPX addresses, for each VPN group, enter:

configure VPN Group name

Specifies the VPN group for which the server supplies IP addresses.

  a.   For IP:

AssignIPRADIUS = On

For IPX:

AssignIPXRADIUS = On

Specifies whether a RADIUS server can be used to assign addresses to VPN users.

For IPX, you can assign a range of networks that must be different from the destination network.

For IP, you can assign addresses from a unique subnet or from a set-aside range on the destination network. See the description for StartIPAddress in "Authenticating VPN Users" for a description of how a set-aside range works.

If you assign a unique IP subnet, you might want to assign a matching LocalIPNet in the VPN group to:

  • Create a single route on the concentrator. Otherwise, the concentrator creates a route for each user when they connect, possibly creating an overly large routing table.

  • Advertise the network using a dynamic routing protocol. Otherwise, you need to create static routes on neighboring routers to the client network.

If you use LocalIPNet, set the RADIUS server to assign addresses only from the LocalIPNet.

Note   If the RADIUS server is unavailable or an authenticated user is not configured for an address in the RADIUS server, the concentrator assigns the user an address from the existing LocalIPNet (or StartIPAddress if you have one). If the RADIUS server assigns the same address as one already given to a user from the concentrator, you will have a conflict.

To learn more about these and other settings, see the Radius section in the Cisco VPN 5000 Concentrator Series Command Reference Guide.

Configuring the RADIUS Server

Configure the RADIUS server to communicate with the concentrator by specifying the concentrator IP address (equal to the Radius section BindTo IP address) as well as the shared secret (equal to the Radius section Secret string).

Table 8-3 lists the RADIUS attributes you need to define in the dictionary file to authenticate each user. See the documentation that came with your server for more information.

Table 8-3: RADIUS Server User Authentication Attributes

Number   Attribute Name        Value Description

1        User-Name             The VPN user name.

2        User-Password         (For Challengetype = PAP) The user's RADIUS password. For Challengetype = Challenge, the concentrator sends a null password to the RADIUS server instead of requiring the client to enter a password. For a token-based system like Axent Defender, the RADIUS server then prompts the client with the text in attribute 18 for the token password, which is also passed in this attribute.

3        CHAP-Password         For Challengetype = CHAP, the user's RADIUS password.

18       Reply-Message         A message or prompt sent to the client, such as the token string to enter into a token to produce the password.

60       CHAP-Challenge        The CHAP hash sent from the concentrator to the RADIUS server to authenticate the CHAP-Password.

77       Connect-Info (1)      The name of the user's VPN group. If this attribute number is not available, use an available number, and change it on the concentrator using the VPNGroupInfo keyword. This value must be a String.

69       Tunnel-Password (1)   (If you are not using a server certificate) The VPN password, also known as a shared secret. The shared secret is required to create the tunnel between the client and the concentrator. If this attribute number is not available, use an available number, and change it on the concentrator using the VPNPassword keyword. See "Installing Certificates on the Concentrator" for information about server certificates. This value must be a String.

8        Framed-IP-Address     (Optional) If you use the RADIUS server for client IP address assignments, enter an IP address. In the VPN Group, specify AssignIPRADIUS = On. The RADIUS server might allow you to specify an IP address pool from which it assigns an IP address to this attribute number.

23       Framed-IPX-Network    (Optional) If you use the RADIUS server for client IPX network assignments, enter an IPX network number. In the VPN Group, specify AssignIPXRADIUS = On. The RADIUS server might allow you to specify an IPX network pool from which it assigns an IPX network to this attribute number.

(1) You can use a vendor-specific attribute instead of this one if your RADIUS server supports vendor-specific attributes.
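As an added example (not code from the Cisco guide), the following Python models the attribute-level exchange that the concentrator steps and Table 8-3 describe for Challengetype = CHAP: the concentrator builds User-Name (1), CHAP-Password (3) and CHAP-Challenge (60), the RADIUS server checks the CHAP response and answers with the VPN group in attribute 77 and the VPN password in attribute 69, and the concentrator reads those back using whatever numbers VPNGroupInfo and VPNPassword are set to. It assumes only the attribute list is modelled (no UDP header, Request Authenticator or Message-Authenticator), that the user store and values are constructed, and that attribute 69 carries a plain string as Table 8-3 states (the standard RFC 2868 Tunnel-Password is salt-encrypted, which is not shown here).

```python
import hashlib, hmac, os, struct

# Attribute numbers from Table 8-3; 69 and 77 are the VPNPassword / VPNGroupInfo defaults.
USER_NAME, CHAP_PASSWORD, CHAP_CHALLENGE = 1, 3, 60
VPN_PASSWORD_ATTR, VPN_GROUP_ATTR = 69, 77

def encode_attrs(attrs):
    """Pack (type, value) pairs as RADIUS Type-Length-Value octets (RFC 2865)."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    """Unpack TLV octets back into a list of (type, value) pairs."""
    attrs = []
    while data:
        t, length = struct.unpack("!BB", data[:2])
        attrs.append((t, data[2:length]))
        data = data[length:]
    return attrs

def chap_response(ident, password, challenge):
    """CHAP (RFC 1994) response: MD5(Identifier || password || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()

def concentrator_request(username, password, ident=1):
    """Concentrator side (Challengetype = CHAP): Access-Request attributes; CHAP-Password = Identifier || response."""
    challenge = os.urandom(16)
    return encode_attrs([
        (USER_NAME, username.encode()),
        (CHAP_PASSWORD, bytes([ident]) + chap_response(ident, password.encode(), challenge)),
        (CHAP_CHALLENGE, challenge)])

# Constructed server-side user store: name -> (RADIUS password, VPN group, VPN password).
USERS = {"alice": ("s3cret", "Sales", "tunnel-shared-secret")}

def radius_server(request):
    """Server side: verify CHAP-Password; return Access-Accept attributes, or None to reject."""
    a = dict(decode_attrs(request))
    user = a.get(USER_NAME, b"").decode(errors="replace")
    if user not in USERS or len(a.get(CHAP_PASSWORD, b"")) != 17 or CHAP_CHALLENGE not in a:
        return None
    password, group, vpn_password = USERS[user]
    ident, received = a[CHAP_PASSWORD][0], a[CHAP_PASSWORD][1:]
    if not hmac.compare_digest(received, chap_response(ident, password.encode(), a[CHAP_CHALLENGE])):
        return None
    return encode_attrs([(VPN_GROUP_ATTR, group.encode()), (VPN_PASSWORD_ATTR, vpn_password.encode())])

def concentrator_accept(reply, group_attr=VPN_GROUP_ATTR, password_attr=VPN_PASSWORD_ATTR):
    """Concentrator side: read group and VPN password using the configured attribute numbers."""
    a = dict(decode_attrs(reply))
    return a[group_attr].decode(), a[password_attr].decode()
```

A wrong RADIUS password or an unknown user yields None from radius_server, which stands in for an Access-Reject; changing VPNGroupInfo or VPNPassword on the concentrator corresponds to passing different attribute numbers to concentrator_accept.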

Using a SecurID System

SecurID comprises both a server, called the ACE/Server, and a separate token for each user. When the user logs in, they enter a password consisting of their PIN combined with a one-time code generated by the token. SecurID does not return the VPN group to the concentrator, so you must use SecurID with another system, for example:

You can also use either of the above combinations with a server-side PKI certificate system.

Set up the VPN 5001 concentrator to communicate with the ACE/Server, and configure the ACE/Server with user settings as described in the following sections.

Configuring the Concentrator for SecurID

With SecurID, the server portion of the system is the ACE/Server. The following steps describe how to configure the concentrator to communicate with the ACE/Server:

Step 1   configure SecurID

Allows you to configure the SecurID section.

Step 2   Enabled = On

Enables SecurID.

Step 3   EncryptionType = {DES | SDI}

Selects the encryption algorithm for data exchanged between the concentrator and the ACE/Server.

  • DES, the default, specifies that the DES algorithm is used to encrypt the data in both directions.

  • SDI specifies that RSA Security's proprietary algorithm is used.

Step 4   PrimaryServer = IP_Address

Sets the IP address of the primary ACE/Server.

Step 5   BindTo = {Ethernet | WAN} slot:port[.subinterface]

Specifies which interface's IP address the concentrator uses as the source address for all packets sent to the SecurID server. You must also configure the ACE/Server with this port's IP address.

Step 6   For each group using the server:

configure VPN Group name

Specifies the VPN group for which the ACE/Server is used.

Step 7   SecurIDRequired = On

Specifies that all users assigned to this VPN group undergo SecurID authentication.

To learn more about these and other settings, see the SecurID section in the Cisco VPN 5000 Concentrator Series Command Reference Guide.

Configuring the ACE/Server

To configure the ACE/Server for communication with the VPN 5001 concentrator, see the guide that came with the server. Configure the concentrator as a communication server in the Client Type drop-down menu in the ACE/Server Add Client dialog box (under Client > Add Client).

The first time the concentrator contacts an ACE/Server, they exchange a secret based in part on the concentrator's IP address. If you change the concentrator IP address after initially connecting to the ACE/Server, the concentrator and server will no longer be able to communicate. To reestablish contact, deselect the Sent Node Secret checkbox in the ACE/Server Add Client dialog box, and enter the following command on the concentrator:

reset securid secret {IP_address | all}

IP_address resets the secret for a specific ACE/Server; all resets the secrets for all ACE/Servers.

Using a Server-Side PKI Certificate System

The VPN 5001 concentrator supports server-side certificates in conjunction with RADIUS, SecurID, or Defender to replace the shared secret.

See the "Introduction to Certificates" section for an overview of how certificates work.

To configure the VPN 5001 concentrator to use certificates, see "Installing Certificates on the Concentrator." To use certificates with the VPN 5000 Client v4.2.x, see the VPN 5000 Client User Guide for your platform.


Posted: Wed Sep 27 10:04:12 PDT 2000
Copyright © 1989-2000 Cisco Systems Inc.