User's Manual
authentication pre-share
Next, issue the following command in enable mode to configure client entries in the internal database:
(host)(config) #local-userdb add username <name> password <password>
Configuring Remote Access VPNs for XAuth
Extended Authentication (XAuth) is an Internet Draft that allows user authentication after IKE Phase 1
authentication. This authentication prompts the user for a username and password, with user credentials
authenticated with an external RADIUS or LDAP server or the controller’s internal database. Alternatively, the
user can start the client authentication with a smart card, which contains a digital certificate to verify the client
credentials. IKE Phase 1 authentication can be done with either an IKE preshared key or digital certificates.
Configuring VPNs for XAuth Clients using Smart Cards
This section describes how to configure a remote access VPN on the controller for Cisco VPN XAuth clients
using smart cards. (A smart card contains a digital certificate which allows user-level authentication without the
user entering a username and password.) IKE Phase 1 authentication can be done with either an IKE preshared
key or digital certificates; for XAuth clients using smart cards, the smart card digital certificates must be used
for IKE authentication. The client is authenticated with the internal database on the controller.
On the controller, you need to configure the following:
1. Add entries for Cisco VPN XAuth clients to the controller’s internal database, or to an external RADIUS or
LDAP server. For details on configuring an authentication server, see Authentication Servers on page 225.
For each client, you need to create an entry in the internal database with the entire Principal name (SubjectAltname
in X.509 certificates) or Common Name as it appears on the certificate.
2. Verify that the server with the client data is part of the server group associated with the VPN authentication
profile.
3. In the L2TP and XAUTH Parameters section of the Configuration > VPN Services > IPsec tab, enable
L2TP.
4. In the L2TP and XAUTH Parameters section of the Configuration > VPN Services > IPsec tab, enable
XAuth to enable prompting for the username and password.
5. The Phase 1 IKE exchange for XAuth clients can be either Main Mode or Aggressive Mode. Aggressive
Mode condenses the IKE SA negotiations into three packets (versus six packets for Main Mode). In the
Aggressive Mode section of the Configuration > VPN Services > IPsec tab, enter the authentication
group name for aggressive mode to associate this setting with multiple clients. Make sure that the group
name matches the aggressive mode group name configured in the VPN client software.
6. Configure other VPN settings as described in Configuring a VPN for L2TP/IPsec with IKEv2 in the WebUI on
page 346, while ensuring that the following settings are selected:
- In the L2TP and XAUTH Parameters section of the Configuration > VPN Services > IPsec tab,
enable L2TP.
- In the L2TP and XAUTH Parameters section of the Configuration > VPN Services > IPsec tab,
enable XAuth to enable prompting for the username and password.
- Define an IKE policy to use RSA or ECDSA authentication.
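Step 1 requires the internal-database username to match the Principal name (SubjectAltName) or Common Name exactly as it appears on the smart-card certificate, and a single mistyped character will fail XAuth for that user. The following shell script is an added example, not part of the ArubaOS guide: it reads those strings off a client certificate with the openssl CLI and prints the local-userdb line with the name filled in. The certificate it generates is constructed stand-in data (a self-signed cert with CN alice.smartcard and a UPN-style SubjectAltName); the file names and the userdb_line helper are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example, not from the ArubaOS guide: read the identity strings off a
# client certificate so the controller's internal-database username is typed
# exactly as the certificate presents it. Requires the openssl CLI.
set -eu

# make_demo_cert DIR: create a self-signed stand-in for a smart-card
# certificate (constructed test data) with a CN and a UPN-style SubjectAltName.
make_demo_cert() {
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$1/client.key" -out "$1/client.pem" -days 1 \
        -subj "/O=Example Corp/CN=alice.smartcard" \
        -addext "subjectAltName=otherName:1.3.6.1.4.1.311.20.2.3;UTF8:alice@corp.example" \
        >/dev/null 2>&1
    echo "$1/client.pem"
}

# cert_cn FILE: print the Subject Common Name exactly as encoded in the cert.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt sep_multiline,utf8 \
        | sed -n 's/^ *CN=//p' | head -n 1
}

# cert_san FILE: print the SubjectAltName entries. OpenSSL 3.x decodes the
# Microsoft UPN otherName as "othername: UPN::..."; older builds print the
# same entry as "othername:<unsupported>", so inspect it by hand there.
cert_san() {
    openssl x509 -in "$1" -noout -ext subjectAltName \
        | sed -n '2,$p' | sed 's/^ *//'
}

# userdb_line NAME: the controller command from the guide with the username
# filled in; the password stays a placeholder for the operator to set.
userdb_line() {
    printf 'local-userdb add username %s password <password>\n' "$1"
}

# Stand-alone demo: build the sample cert, show both identity strings, and
# print the internal-database command to paste into enable mode.
tmp=$(mktemp -d)
pem=$(make_demo_cert "$tmp")
cn=$(cert_cn "$pem")
echo "CN:  $cn"
echo "SAN: $(cert_san "$pem")"
userdb_line "$cn"
rm -rf "$tmp"
```

Run it against a real client certificate by replacing the make_demo_cert call with the path to the exported PEM; whichever of the two strings (UPN from the SAN, or CN) the client presents as its IKE identity is the one that must become the username in the internal database.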
The following example describes the steps to use the command-line interface to configure a VPN for Cisco
Smart Card Clients using certificate authentication and IKEv1, where the client is authenticated against user
entries added to the internal database:
(host)(config) #aaa authentication vpn default
Dell Networking W-Series ArubaOS 6.4.x | User Guide Virtual Private Networks | 353