- Enterasys Security Router User's Guide

VPN Configuration Overview
Configuring the Virtual Private Network
AAA Commands
The following XSR AAA commands are useful for VPN configuration:
Configure users and groups with the aaa user and aaa group commands as well as the following sub-commands:
policy specifies SSH, Telnet, Firewall or VPN service for users.
dns-server and wins-server configure the IP addresses of the primary and secondary DNS and WINS servers to distribute to remote access users and connecting XSRs.
ip pool associates a globally defined IP address pool (set with ip local pool) with a user group. When a remote access user or XSR connects, an IP address is distributed from this pool. Be aware that if an AAA user is configured to use a static IP address which belongs to a local IP pool, you must exclude that address from the local pool; otherwise the same address can be handed to a pool user while the static user holds it.
pptp encrypt mppe configures Microsoft Point-to-Point Encryption (MPPE) on a PPTP link.
ip address and group set the IP address and usergroup assigned to the remote user.
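The ip pool caveat above is easy to get wrong by hand once a pool has several static users carved out of it. The following added example is not XSR code: it is a stand-alone planning helper that flags AAA users whose static address falls inside an ip local pool and computes the sub-ranges that remain after those addresses are excluded. Pool names, ranges and users are constructed sample data, and no XSR syntax for the exclusion itself is assumed.

```python
"""Added helper for the 'ip pool' caveat: find static AAA user addresses that
collide with a local pool and split the pool around them. Not XSR code."""
import ipaddress


def parse_range(first, last):
    """Dotted-quad bounds -> integer bounds, inclusive; rejects inverted ranges."""
    lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    if lo > hi:
        raise ValueError("pool range start is after its end")
    return lo, hi


def find_conflicts(pools, static_users):
    """pools: {pool_name: (first, last)}; static_users: {username: dotted_ip}.
    Returns [(pool_name, username, ip)] for every static address inside a pool."""
    conflicts = []
    for name, (first, last) in pools.items():
        lo, hi = parse_range(first, last)
        for user, ip in static_users.items():
            if lo <= int(ipaddress.IPv4Address(ip)) <= hi:
                conflicts.append((name, user, ip))
    return conflicts


def split_pool(first, last, excluded):
    """Return the dotted-quad sub-ranges of [first, last] that remain once every
    excluded address inside the pool is removed, in ascending order."""
    lo, hi = parse_range(first, last)
    cuts = sorted({int(ipaddress.IPv4Address(ip)) for ip in excluded
                   if lo <= int(ipaddress.IPv4Address(ip)) <= hi})
    ranges, start = [], lo
    for cut in cuts:
        if cut > start:                      # keep the run of addresses before the cut
            ranges.append((str(ipaddress.IPv4Address(start)), str(ipaddress.IPv4Address(cut - 1))))
        start = cut + 1                      # resume just past the excluded address
    if start <= hi:
        ranges.append((str(ipaddress.IPv4Address(start)), str(ipaddress.IPv4Address(hi))))
    return ranges


if __name__ == "__main__":
    # Constructed sample data: one VPN pool and three static users, two inside the pool.
    pools = {"vpnpool": ("10.1.1.1", "10.1.1.100")}
    users = {"alice": "10.1.1.50", "bob": "10.1.2.7", "carol": "10.1.1.1"}
    for pool, user, ip in find_conflicts(pools, users):
        print(f"{user} ({ip}) overlaps pool {pool}")
    print(split_pool("10.1.1.1", "10.1.1.100", users.values()))
```

Run it against the pools and static addresses from the XSR configuration before committing them; every conflict it reports is an address that must be excluded from the pool or moved out of it.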
Configure RADIUS, local or PKI databases with the aaa method command as well as the following sub-commands:
acct-port sets the UDP port for accounting requests.
address specifies the RADIUS server address with either a host name or IP address.
attempts sets the number of consecutive unanswered login attempts that must occur before the RADIUS method's backup method is used.
auth-port specifies the UDP port for authentication requests.
enable activates the method.
group specifies the default usergroup.
hash enable initializes the hash algorithm used for RADIUS.
key sets the shared secret used between the XSR and the RADIUS server.
retransmit specifies the number of times a request is retransmitted to the RADIUS server before timing out.
timeout sets the interval the XSR waits for the RADIUS server to reply before retransmitting.
backup sets the name of the backup RADIUS method.
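To make the key, auth-port, timeout, retransmit and backup parameters concrete, the following added example walks through a RADIUS Access-Request exchange and the failover a client performs when the primary server stays silent or answers with a reply signed under a different shared secret. It is not XSR code and does not reproduce the XSR's internal RADIUS client; the packet format and the User-Password and Response Authenticator computations follow RFC 2865, port 1812 is the RFC default rather than a stated XSR default, the "server" is a constructed stand-in so the exchange runs offline, and the attempts counter (which spans several logins) and the hash enable setting are not modelled.

```python
"""Added illustration of the aaa method RADIUS parameters: key (shared secret),
auth-port, timeout, retransmit and backup. Wire format per RFC 2865; not XSR code."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encode_user_password(password, secret, request_authenticator):
    """RFC 2865 section 5.2: pad to a 16-byte multiple, then per block
    c_i = p_i XOR MD5(secret + c_{i-1}) with c_0 = Request Authenticator.
    Only the shared secret hides the password, which is why 'key' must be strong."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def decode_user_password(encoded, secret, request_authenticator):
    """Inverse of encode_user_password; the server does this with the same secret."""
    out, prev = b"", request_authenticator
    for i in range(0, len(encoded), 16):
        block = encoded[i:i + 16]
        out, prev = out + _xor(block, hashlib.md5(secret + prev).digest()), block
    return out.rstrip(b"\x00")


def _attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier, username, password, secret, nas_ip, request_authenticator=None):
    """Code(1) Identifier(1) Length(2) Authenticator(16) then attributes."""
    ra = request_authenticator or os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_USER_PASSWORD, encode_user_password(password, secret, ra))
             + _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + ra + attrs


def response_is_authentic(response, request_authenticator, secret):
    """RFC 2865 section 3: Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    A reply from a server holding a different secret fails this check."""
    if len(response) < 20:
        return False
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def authenticate_with_failover(methods, username, password, nas_ip, transport):
    """methods: primary first, then its 'backup'; each a dict with address, auth_port,
    key, timeout and retransmit (the aaa method sub-commands). transport(packet,
    address, port, timeout) returns reply bytes or None on timeout. Returns
    (index of the method that answered, 'accept' | 'reject') or (None, 'no-response')."""
    identifier = 0
    for index, method in enumerate(methods):
        ra = os.urandom(16)
        packet = build_access_request(identifier, username, password, method["key"], nas_ip, ra)
        for _ in range(1 + method["retransmit"]):       # first send plus 'retransmit' resends
            reply = transport(packet, method["address"], method["auth_port"], method["timeout"])
            if reply is None or reply[1] != identifier or not response_is_authentic(reply, ra, method["key"]):
                continue                                 # silence or a mis-keyed/forged reply: resend
            return index, "accept" if reply[0] == ACCESS_ACCEPT else "reject"
        identifier = (identifier + 1) & 0xFF             # fresh ID for the backup method
    return None, "no-response"


def make_fake_server(secret, users, answers=True):
    """Constructed stand-in for a RADIUS server (sample data, not a real server):
    decodes the password with its own secret, checks it and signs the reply.
    answers=False simulates a server that never replies."""
    def transport(packet, address, port, timeout):
        if not answers:
            return None
        code, identifier, length = struct.unpack("!BBH", packet[:4])
        ra, attrs, pos = packet[4:20], {}, 20
        while pos < length:
            attr_type, attr_len = packet[pos], packet[pos + 1]
            attrs[attr_type] = packet[pos + 2:pos + attr_len]
            pos += attr_len
        ok = users.get(attrs[ATTR_USER_NAME]) == decode_user_password(attrs[ATTR_USER_PASSWORD], secret, ra)
        header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, identifier, 20)
        return header + hashlib.md5(header + ra + secret).digest()
    return transport


if __name__ == "__main__":
    # Constructed scenario: primary never answers, backup (different key) accepts alice.
    users = {b"alice": b"hunter2"}
    primary = {"address": "192.0.2.10", "auth_port": 1812, "key": b"s3cr3t", "timeout": 3, "retransmit": 2}
    backup = {"address": "192.0.2.11", "auth_port": 1812, "key": b"other-secret", "timeout": 3, "retransmit": 2}
    servers = {"192.0.2.10": make_fake_server(b"s3cr3t", users, answers=False),
               "192.0.2.11": make_fake_server(b"other-secret", users)}
    print(authenticate_with_failover([primary, backup], b"alice", b"hunter2", "10.0.0.1",
                                     lambda p, a, port, t: servers[a](p, a, port, t)))
```

Two points the parameters alone do not convey: with timeout 3 and retransmit 2 a dead primary costs (1 + 2) x 3 = 9 seconds per login before the backup is consulted, so these values bound how long a VPN peer waits; and a primary configured with the wrong key looks exactly like a dead one, because its replies fail the Response Authenticator check and are discarded.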
Configure pre-shared keys with aaa user and password.
Configuring AAA
Pre-shared keys used in a peer-to-peer tunnel are configured with the aaa user command: the Username is the IP address of the peer, and the Password is the pre-shared key. To specify a user and password, enter the following commands:
XSR(config)#aaa user <xxx.xxx.xxx.xxx>
Caution: We recommend that you do not create more AAA users than permitted by the 1.5 MByte system limit imposed on the user.dat file. Doing so may render the XSR unstable and require you to delete the file.