Introduction

RADIUS servers are often used to authenticate users at remote sites that dial in over WAN connections (for example via PPP). Over time, conventional WAN connections have increasingly given way to VPN connections, which are encrypted and more cost-effective. However, the way IPsec connections with IKE are negotiated does not permit the unidirectional authentication of individual users by RADIUS or similar technologies.

The Extended Authentication Protocol (XAUTH) extends the negotiation of IPsec connections by an additional level in which user data can be authenticated. An additional authentication with an XAUTH user name and XAUTH password is performed between the first and second IKE negotiation phases; it is protected by the encryption negotiated in the first phase. A RADIUS server can be used for this authentication, so existing RADIUS databases can continue to be used when dial-in clients are migrated to VPN connections. Alternatively, the authentication can use the internal user table of the device.

Important: To make XAUTH particularly secure, dial-in via RSA-SIG (certificates) should be used instead of the preshared key (PSK) method whenever possible. It is also important to ensure that the VPN gateway accepts only the certificate of the correct remote site, and not every certificate issued by the same CA.
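The following is an added example, not LANCOM code and not taken from this document: a simplified Python model of the XAUTH step described above. It assumes that the first IKE phase has already produced the encrypted channel (no real IKE packets are built, the messages are plain tuples), that the gateway checks the peer certificate both for the trusted CA and for an expected subject, and that the user check is a pluggable callable so that either the internal user table shown here or a RADIUS query could be plugged in. The message-type and attribute numbers are those of the XAUTH Internet-Draft (ISAKMP configuration mode); all certificate subjects, user names and passwords are constructed values.

```python
"""Model of the IKEv1 XAUTH exchange between IKE phase 1 and phase 2 (added example)."""
import hashlib
import secrets

# ISAKMP configuration-mode message types (draft-beaulieu-ike-xauth)
CFG_REQUEST, CFG_REPLY, CFG_SET, CFG_ACK = 1, 2, 3, 4
# XAUTH attribute types from the same draft (private-use range)
XAUTH_TYPE, XAUTH_USER_NAME, XAUTH_USER_PASSWORD, XAUTH_STATUS = 16520, 16521, 16522, 16527
XAUTH_TYPE_GENERIC, XAUTH_STATUS_OK, XAUTH_STATUS_FAIL = 0, 1, 0

TRUSTED_CA = "CN=Example-CA"  # constructed value: the CA the gateway trusts


class UserTable:
    """Stand-in for the device's internal user table; passwords kept as salted PBKDF2 hashes."""

    def __init__(self):
        self._users = {}

    def add(self, user, password):
        salt = secrets.token_bytes(16)
        self._users[user] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))

    def check(self, user, password):
        entry = self._users.get(user)
        if entry is None:
            return False
        salt, digest = entry
        return secrets.compare_digest(digest, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))


class Gateway:
    def __init__(self, allowed_subjects, check_user):
        self.allowed_subjects = set(allowed_subjects)
        self.check_user = check_user  # user-table lookup here; a RADIUS query would fit the same slot
        self.phase1_done = False

    def phase1_accept(self, peer_cert):
        """RSA-SIG: the chain must lead to the trusted CA AND the subject must be an expected peer."""
        issued_by_trusted_ca = peer_cert["issuer"] == TRUSTED_CA
        expected_peer = peer_cert["subject"] in self.allowed_subjects
        self.phase1_done = issued_by_trusted_ca and expected_peer
        return self.phase1_done

    def xauth_request(self, identifier):
        # Gateway asks for user name and password; only valid inside the phase-1 protected channel
        assert self.phase1_done, "XAUTH runs only after phase 1 succeeded"
        return (CFG_REQUEST, identifier, {XAUTH_TYPE: XAUTH_TYPE_GENERIC,
                                           XAUTH_USER_NAME: "", XAUTH_USER_PASSWORD: ""})

    def xauth_set(self, reply):
        # Verify the credentials against the backend and report the result in a SET message
        msg_type, identifier, attrs = reply
        ok = msg_type == CFG_REPLY and self.check_user(
            attrs.get(XAUTH_USER_NAME, ""), attrs.get(XAUTH_USER_PASSWORD, ""))
        return (CFG_SET, identifier, {XAUTH_STATUS: XAUTH_STATUS_OK if ok else XAUTH_STATUS_FAIL})


class Client:
    def __init__(self, user, password):
        self.user, self.password = user, password

    def xauth_reply(self, request):
        _, identifier, _ = request
        return (CFG_REPLY, identifier, {XAUTH_TYPE: XAUTH_TYPE_GENERIC,
                                         XAUTH_USER_NAME: self.user, XAUTH_USER_PASSWORD: self.password})

    def xauth_ack(self, set_msg):
        _, identifier, attrs = set_msg
        return (CFG_ACK, identifier, {XAUTH_STATUS: attrs[XAUTH_STATUS]})


def run_session(gateway, client, peer_cert):
    """Return (phase1_ok, xauth_ok); IKE phase 2 would only follow when both are True."""
    if not gateway.phase1_accept(peer_cert):
        return False, False
    identifier = secrets.randbelow(0xFFFF)
    request = gateway.xauth_request(identifier)
    reply = client.xauth_reply(request)
    set_msg = gateway.xauth_set(reply)
    ack = client.xauth_ack(set_msg)
    return True, ack[2][XAUTH_STATUS] == XAUTH_STATUS_OK


def demo():
    """Three constructed scenarios: valid user, wrong password, wrong certificate from the same CA."""
    table = UserTable()
    table.add("alice", "s3cret-pass")  # constructed credentials
    gateway = Gateway(allowed_subjects=["CN=branch-office-1"], check_user=table.check)
    good_cert = {"issuer": TRUSTED_CA, "subject": "CN=branch-office-1"}
    other_cert = {"issuer": TRUSTED_CA, "subject": "CN=some-other-device"}  # same CA, not our peer
    return {
        "known_user": run_session(gateway, Client("alice", "s3cret-pass"), good_cert),
        "wrong_password": run_session(gateway, Client("alice", "guess"), good_cert),
        "cert_from_same_ca_wrong_subject": run_session(gateway, Client("alice", "s3cret-pass"), other_cert),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: phase1={result[0]} xauth={result[1]}")
```

The third scenario is the point of the note above: a certificate issued by the trusted CA but belonging to a different device is rejected in phase 1, so the XAUTH step (and the user's password) is never reached. Swapping `table.check` for a function that queries a RADIUS server is the migration path the text describes; the XAUTH exchange itself does not change.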

www.lancom-systems.com

LANCOM Systems GmbH | A Rohde & Schwarz Company | Adenauerstr. 20/B2 | 52146 Wuerselen | Germany | E‑Mail info@lancom.de
