AutoKey IKE Gateway Advanced XAuth Settings

This section allows you to configure XAuth authentication methods.

Authentication: Select None, XAuth Server, or XAuth Client.

None: No XAuth authentication is performed.

XAuth Server: Select this feature to enable the security device to perform XAuth authentication, and set up the type of authentication:

Use Default

Select Use Default if you want the authentication to be done using the default XAuth auth server. To configure a default auth server for XAuth, see XAuth Default Settings.

Local Authentication

Select Local Authentication if you want the authentication to be done using the security device's local database. Also select who can use this tunnel:

Allow Any: Select this option to allow all users configured on the authentication server.

User: Select a user from the drop-down list. For information on creating users, see Local User Configuration.

User Group: Select a user group from the drop-down list. For information on creating user groups, see Local User Group Configuration.

Allowed Authentication Type – CHAP Only: Select this option if you want the security device to use only Challenge Handshake Authentication Protocol (CHAP) to send a challenge (encryption key) to the remote client. (The remote client then uses the key to encrypt his or her login name and password.)

Note: If you do not select this option, the security device first attempts the negotiation using CHAP. If the negotiation fails, the security device then attempts the negotiation using PAP.

External Authentication

Select External Authentication if you want an external auth server (RADIUS, SecurID, LDAP) to perform the authentication. Also select who can use this VPN tunnel:

Query Remote Settings: (For RADIUS only) Select this option to get settings (such as DNS and WINS IP addresses) from the auth server.

Allow Any: Select this option to allow all users configured on the authentication server.

User: Select this option and enter the name of an external user.

User Group: Select this option and enter the name of an external user group.

Allowed Authentication Type – CHAP Only: Select this option if you want the security device to use only Challenge Handshake Authentication Protocol (CHAP) to send a challenge (encryption key) to the remote client. (The remote client then uses the key to encrypt his or her login name and password.)

Note: If you do not select this option, the security device first attempts a negotiation using CHAP. If the negotiation fails, the security device then attempts a negotiation using PAP.

or

Bypass Authentication

Select Bypass Authentication if you want the security device to assign only IP, DNS server, and WINS server addresses to the XAuth client and not perform authentication.

Accounting Server: (For RADIUS only) Select the external RADIUS accounting server from the drop-down list. By default, accounting is performed on the authentication server.

Accounting Off: (For RADIUS only) Select this option if you want to disable RADIUS accounting and perform authentication only.

XAuth Client: Select this feature to enable the security device to act as an XAuth client that responds to authentication requests from a remote XAuth server.

User Name: Enter the user name for client login.

Password: Enter the password for the client login.

Allowed Authentication Type – CHAP Only: Select this option if you want the security device to use only Challenge Handshake Authentication Protocol (CHAP) to send a challenge (encryption key) to the remote client. (The remote client then uses the key to encrypt his or her login name and password.)

Note: If you do not select this option, the security device first attempts a negotiation using CHAP. If the negotiation fails, the security device then attempts a negotiation using PAP.
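
The effect of the CHAP Only option and of the CHAP-then-PAP fallback described in the notes above can be seen in a small model. This is an added example, not code from the security device or its vendor: the function names and sample credentials are constructed, the CHAP response follows RFC 1994 (MD5 over identifier, secret, and challenge), and a failed CHAP negotiation is modeled as a peer that does not offer CHAP.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def authenticate(peer_methods, user_db, user, password, chap_only):
    """Simplified server-side method selection (hypothetical model).

    Returns (method_used, authenticated, password_disclosed_to_server).
    """
    secret = user_db.get(user)
    if secret is None:
        return (None, False, False)

    # CHAP is always tried first; only a digest of the secret is exchanged.
    if "CHAP" in peer_methods:
        identifier, challenge = 1, os.urandom(16)
        response = chap_response(identifier, password, challenge)   # peer side
        expected = chap_response(identifier, secret, challenge)     # server side
        return ("CHAP", hmac.compare_digest(response, expected), False)

    # CHAP negotiation failed. With CHAP Only selected, stop here.
    if chap_only:
        return (None, False, False)

    # CHAP Only not selected: fall back to PAP, where the peer sends the
    # password itself to the authenticator.
    if "PAP" in peer_methods:
        return ("PAP", hmac.compare_digest(password, secret), True)
    return (None, False, False)


if __name__ == "__main__":
    db = {"alice": b"constructed-secret"}  # constructed sample account
    for methods, chap_only in (({"CHAP", "PAP"}, False),
                               ({"PAP"}, False),
                               ({"PAP"}, True)):
        result = authenticate(methods, db, "alice", b"constructed-secret", chap_only)
        print(sorted(methods), "chap_only =", chap_only, "->", result)
```
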