
Extended Authentication with IPSec VPNs

Question/Issue:
This document provides a general introduction to extended authentication as used with Internet Protocol Security/Internet Key Exchange (IPSec/IKE) Virtual Private Networks (VPNs). It is provided for reference and general education; if you need more technical detail, see the links in the References section of this document.


Solution:
IPSec/IKE refers to a suite of protocols used to provide a secure connection between two computers or networks. The primary authentication methods available with Symantec VPN servers are simple shared secrets or X.509 digital certificates (the X.509 certificate standard is beyond the scope of this document; see the links in the References section for more information). For sites that have a central user database, you can configure the VPN server to query that database for extended authentication. For administrators, this removes the need to define and maintain a separate user database for VPN users: they need only add existing users to a VPN users group and configure the gateway to allow access to members of that group.
Extended authentication also helps end users by removing the need for an extra user name and password combination. The client needs to provide the user name and shared secret only when configuring the tunnel for the VPN client; the user name and password used when connecting the tunnel are the same ones used for authentication to other network resources.

When a user attempts to authenticate, the gateway first looks for that user name in its own user database. If it does not find the user there, the gateway uses the shared secret from the VPN client tunnel configuration. This shared secret must match the secret that is defined on the security gateway. The gateway then starts extended authentication and prompts the user for whatever information the extended authentication server requires (such as a user name and password, a generated one-time key, or some other supported credential). The server authenticates the user and returns a status message to the security gateway. If the user's credentials are rejected, the gateway does not allow the connection. If they are valid, the authentication server may send back other information, such as the user group in which that user was found. The security gateway evaluates the status message and verifies that the group matches one of the client tunnels. If everything is correct, the client tunnel is established and the user is given access.
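The decision sequence above, modelled as an added example in Python. This is hypothetical code, not Symantec's implementation: the gateway's local user database, the client tunnel with its shared secret and admitted group, and the extended-authentication server (standing in for RADIUS, LDAP or any of the other backends) are all constructed here.

```python
"""Hypothetical model of the gateway decision flow described above (not
Symantec's code); user DB, tunnels and authentication server are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple
import hmac

@dataclass
class ClientTunnel:
    name: str
    shared_secret: str      # must match the secret defined on the gateway
    allowed_group: str      # user group this client tunnel admits

@dataclass
class Gateway:
    local_users: Dict[str, str]                        # gateway's own user DB
    tunnels: List[ClientTunnel]
    xauth_server: Callable[[str, str], Optional[str]]  # (user, cred) -> group

    def authenticate(self, user, client_secret, tunnel_name, credential) -> Tuple[bool, str]:
        """Return (allowed, reason) in the order the text gives: local DB,
        shared secret, extended authentication server, group vs tunnel."""
        # 1. A user defined in the gateway's own database is checked there.
        if user in self.local_users:
            return hmac.compare_digest(self.local_users[user], credential), "local database"
        # 2. Otherwise the shared secret from the client's tunnel config must match the gateway's.
        tunnel = next((t for t in self.tunnels if t.name == tunnel_name), None)
        if tunnel is None or not hmac.compare_digest(tunnel.shared_secret, client_secret):
            return False, "shared secret mismatch"
        # 3. External server validates the credential and returns the user's group, or None.
        group = self.xauth_server(user, credential)
        if group is None:
            return False, "rejected by authentication server"
        # 4. That group must match the group the client tunnel admits.
        if group != tunnel.allowed_group:
            return False, "group not permitted on tunnel"
        return True, "extended authentication"

# Constructed sample directory standing in for RADIUS, LDAP and the like.
DIRECTORY = {"alice": ("s3cret", "vpn-users"), "bob": ("hunter2", "staff")}

def demo_xauth_server(user: str, credential: str) -> Optional[str]:
    entry = DIRECTORY.get(user)
    if entry is None or not hmac.compare_digest(entry[0], credential):
        return None
    return entry[1]

def build_gateway() -> Gateway:
    return Gateway(local_users={"admin": "adminpw"},
                   tunnels=[ClientTunnel("remote-office", "tunnel-psk", "vpn-users")],
                   xauth_server=demo_xauth_server)
```

Note that a valid directory credential is still refused when the directory's group does not match the tunnel's admitted group, which is the check that keeps "everyone in the corporate directory" from silently becoming "everyone may open the tunnel".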

Symantec VPN gateways support the extended authentication methods and protocols shown in the following table:

Gateway                                                 | RADIUS | TACACS+ | LDAP | Defender | SecurID | S/Key | Entrust PKI | NT Domain | MS Active Directory
--------------------------------------------------------|--------|---------|------|----------|---------|-------|-------------|-----------|--------------------
SOHO/Branch Office Gateways                             |        |         |      |          |         |       |             |           |
Symantec Gateway Security 300 Series                    | YES    | NO      | NO   | NO       | NO      | NO    | NO          | NO        | YES*
Symantec Firewall/VPN appliance (100, 200, 200R)        | NO     | NO      | NO   | NO       | NO      | NO    | NO          | NO        | NO
Enterprise Gateways                                     |        |         |      |          |         |       |             |           |
Symantec Gateway Security 3.0x Series                   | YES    | NO      | YES  | YES      | YES     | NO    | YES         | NO        | YES*
Symantec Gateway Security 2.0x Series                   | YES    | YES     | YES  | YES      | YES     | YES   | YES         | NO        | YES*
Symantec Gateway Security 1.0 (5100, 5200, 5300 Series) | YES    | YES     | YES  | YES      | YES     | YES   | YES         | NO        | YES*
Symantec VelociRaptor                                   | YES    | YES     | YES  | YES      | YES     | YES   | YES         | NO        | YES*
Symantec Enterprise Firewall/VPN for Windows            | YES    | YES     | YES  | YES      | YES     | YES   | YES         | YES       | YES*
Symantec Enterprise Firewall/VPN for Solaris            | YES    | YES     | YES  | YES      | YES     | YES   | YES         | NO        | YES*


* Active Directory is only supported for authentication from the Symantec Gateway Security 300 Series when RADIUS is used as the authentication protocol. Other gateways can support Active Directory over LDAP, but there are limitations in the Windows implementation of the LDAP standard that restrict the scope of an LDAP directory lookup.



References:
For information on the X.509 standard, see the Public-Key Infrastructure (X.509) (pkix) Charter and supporting documentation.
Further information on IKE and ISAKMP is available in RFC 2409 - The Internet Key Exchange (IKE) and RFC 2408 - Internet Security Association and Key Management Protocol (ISAKMP).


Document ID: 2004041909504554
Last Modified: 07/17/2009
Date Created: 04/19/2004
Product(s): Symantec Clientless VPN Gateway 4400 Series, Symantec Enterprise Firewall 7.x, Symantec Enterprise Firewall 8.x, Symantec Gateway Security 5000 Series 3.0, Symantec Gateway Security 5000 Series v3.0.1, Symantec Gateway Security Appliance 1.0, Symantec Gateway Security Appliance 2.0, Symantec VelociRaptor 1.1, Symantec VelociRaptor 1.5
Release(s): 5620, 5640, 5660, Symantec Clientless VPN Gateway 5.0, Symantec Enterprise Firewall 7.0, Symantec Enterprise Firewall 7.04, Symantec Enterprise Firewall 8.0, Symantec Gateway Security Appliance 1.0, Symantec Gateway Security Appliance 2.0 [All Releases], Symantec VelociRaptor 1.1, Symantec VelociRaptor 1.5



©1995 - 2009 Symantec Corporation