User's Manual

ManualsBrandsDell ManualsComputer equipmentPowerConnect W-6000

351

352

353

354

355

356

357

358

359

360

Microsoft clients running Windows 7 (or later versions) support both IKEv1 and IKEv2. Microsoft clients using

IKEv2 support machine authentication using RSA certificates (but not ECDSA certificates or pre-shared keys)

and smart card user-level authentication with EAP-TLS over IKEv2.

Windows 7 clients without smart cards also support user password authentication using EAP-MSCHAPv2 or PEAP-

MSCHAPv2.

Working with Smart Card clients using IKEv2

To configure a VPN for Windows 7 clients using smart cards and IKEv2, follow the procedure described in

Configuring a VPN for L2TP/IPsec with IKEv2 in the WebUI on page 346, and ensure that the following settings

are configured:

l L2TP is enabled

l User Authentication is set to EAP-TLS

l IKE version is set to V2

l The IKE policy is configured for ECDSA or RSA certificate authentication

Working with Smart Card Clients using IKEv1

Microsoft clients using IKEv1 (including clients running Windows Vista or earlier versions of Windows) only

support machine authentication using a pre-shared key. In this scenario, user-level authentication is performed

by an external RADIUS server using PPP EAP-TLS, and client and server certificates are mutually authenticated

during the EAP-TLS exchange. During the authentication, the controller encapsulates EAP-TLS messages from

the client into RADIUS messages and forwards them to the server.

On the controller, you need to configure the L2TP/IPsec VPN with EAP as the PPP authentication and IKE policy

for preshared key authentication of the SA.

On the RADIUS server, you must configure a remote access policy to allow EAP authentication for smart card users

and select a server certificate. The user entry in Microsoft Active Directory must be configured for smart cards.

To configure a L2TP/IPsec VPN for clients using smart cards and IKEv1, ensure that the following settings are

configured:

1. On a RADIUS server, you must configure a remote access policy to allow EAP authentication for smart card

users and select a server certificate. The user entry in Microsoft Active Directory must be configured for

smart cards. (For detailed information on creating and managing user roles and policies, see Roles and

Policies on page 364.)

l Ensure that RADIUS server is part of the server group used for VPN authentication.

l Configure other VPN settings as described in Configuring a VPN for L2TP/IPsec with IKEv2 in the WebUI on

page 346, while selecting the following options:

n Select Enable L2TP

n Select EAP for the Authentication Protocol.

n Define an IKE Shared Secret to be used for machine authentication. (To make the IKE key global, specify

0.0.0.0 and 0.0.0.0 for both subnet and subnet mask.)

n Configure the IKE policy for Pre-Share authentication.

Configuring a VPN for Clients with User Passwords

This section describes how to configure a remote access VPN on the controller for L2TP/IPsec clients with user

passwords. As described previously in this section, L2TP/IPsec requires two levels of authentication: first, IKE

Dell Networking W-Series ArubaOS 6.4.x | User Guide Virtual Private Networks | 351