Using RADIUS Servers for Authentication and Authorization
70 Firebox SSL VPN Gateway
• Type is the vendor-assigned attribute number.
• Attribute name is the type of attribute name that is defined in IAS. The default name is CTXSUserGroups=.
• Separator is defined if multiple user groups are included in the RADIUS configuration. A separator can be a space, a period, a semicolon, or a colon.
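The following added example (not code from this guide or from the product) shows how the type, attribute name, and separator settings above relate to the bytes of a RADIUS Vendor-Specific attribute (attribute 26 in RFC 2865). It assumes the value is the attribute name followed by separator-delimited group names; the vendor code, attribute number, user name, and group names are constructed placeholders.

```python
import struct

VSA = 26  # Vendor-Specific attribute type (RFC 2865, section 5.26)
# Constructed placeholders: the real vendor code and type come from your gateway settings.
EXAMPLE_VENDOR_ID, EXAMPLE_VENDOR_TYPE = 99999, 1

def build_vsa(vendor_id, vendor_type, text):
    """Encode one Vendor-Specific attribute holding a single string sub-attribute."""
    value = text.encode("utf-8")
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return struct.pack("!BBI", VSA, 6 + len(sub), vendor_id) + sub

def extract_groups(attrs, vendor_id, vendor_type, name="CTXSUserGroups=", sep=";"):
    """Return group names from the matching VSA; raise ValueError on bad lengths."""
    groups, i = [], 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        a_type, a_len = attrs[i], attrs[i + 1]
        if a_len < 2 or i + a_len > len(attrs):
            raise ValueError("attribute length runs past the buffer")
        body, i = attrs[i + 2:i + a_len], i + a_len
        if a_type != VSA or len(body) < 6:
            continue  # not a VSA, or too short to hold a sub-attribute
        if struct.unpack("!I", body[:4])[0] != vendor_id:
            continue  # VSA from a different vendor
        j = 4
        while j + 2 <= len(body):
            v_type, v_len = body[j], body[j + 1]
            if v_len < 2 or j + v_len > len(body):
                raise ValueError("sub-attribute length runs past the attribute")
            text, j = body[j + 2:j + v_len].decode("utf-8", "replace"), j + v_len
            if v_type == vendor_type and text.startswith(name):
                groups += [g.strip() for g in text[len(name):].split(sep) if g.strip()]
    return groups

# Constructed sample: a User-Name attribute followed by the group VSA.
SAMPLE = bytes([1, 7]) + b"alice" + build_vsa(
    EXAMPLE_VENDOR_ID, EXAMPLE_VENDOR_TYPE, "CTXSUserGroups=sales;engineering")

if __name__ == "__main__":
    print(extract_groups(SAMPLE, EXAMPLE_VENDOR_ID, EXAMPLE_VENDOR_TYPE))
    # A separator mismatch yields one group name that matches nothing on the gateway.
    print(extract_groups(SAMPLE, EXAMPLE_VENDOR_ID, EXAMPLE_VENDOR_TYPE, sep=":"))
```

If the separator or attribute name configured on the gateway differs from what IAS sends, the parse returns a single unmatched string or nothing, so the user authenticates but receives no group-based authorization.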
To configure IAS so the Firebox SSL VPN Gateway can use RADIUS authorization, follow the steps below.
These steps assume that IAS is installed from the Add/Remove Programs Control Panel. For more information about installing IAS, see Windows Help.
To configure Microsoft Internet Authentication Service for Windows 2000 Server
1 Open the Microsoft Management Console (MMC) by clicking Start > Run.
2 In Open, type MMC.
3 In the MMC console, on the File menu, click Add/Remove Snap-in.
4 Click Add and in the Add/Remove Snap-in dialog box, select Internet Authentication Service and click Add.
5 Select Local computer and click Finish.
6 Click Close and then click OK.
7 Right-click Remote Access Policies and then click New Remote Access Policy.
8 Select Set up a custom policy.
9 In Policy name, give the policy a name and click Next.
10 Under Policy Conditions, click Add, select Windows-Groups, and click Add.
11 In Select Groups, click Add, and then type the name of the group.
12 A summary of conditions to match the policy is shown. To add more conditions, click Add; otherwise, click Next.
13 In the Edit Dial-In Profile dialog box, on the Authentication tab, select Encrypted
Authentication (CHAP) and Unencrypted Authentication (PAP, SPAP).
Note
Password Authentication Protocol (PAP) is an authentication protocol that allows Point-to-Point
Protocol (PPP) peers to authenticate one another. PAP passes the password and host name or user name
unencrypted. PAP does not prevent unauthorized access but identifies the remote end.
14 Clear Microsoft Encrypted Authentication version 2 (MS-CHAP v2) and Microsoft Encrypted
Authentication (MS-CHAP).
15 Click OK.
The Firebox SSL VPN Gateway needs the Vendor-Specific Attribute to match the users defined in the group on the
server with those on the Firebox SSL VPN Gateway. This is done by sending the Vendor-Specific Attributes to the
Firebox SSL VPN Gateway.
16 In the Edit Dial-in Profile dialog box, click the Advanced tab.
17 Click Add.