Title: Netscreen Remote XAuth VPN
Document Number: VPN-400-002
Version: 1.1
OS Ver. this Paper Applies to: 4.0 and above
Remote Software: 5.0 and above
HW Platforms this Paper Applies to: Netscreen 5xp, 5xt, 25, 50, 204, 208, 500, and 5200
Audience (Internal or External): External

Netscreen Remote VPN To Netscreen Device With XAuth

Introduction

NetScreen has implemented Extended Authentication (XAuth) in ScreenOS 4.0 to work with the Netscreen Remote Client. XAuth is available on all hardware platforms that run ScreenOS 4.0.0 or higher. It is supported in Netscreen Remote Client versions 5.0 through 8.0.

Scenario

NetScreen has implemented XAuth to add another layer of authentication to a VPN between a Remote Client and a Netscreen VPN device. The XAuth negotiation takes place after the first phase of IPSec (IKE Phase 1). Authentication may be verified against the Netscreen device's local authentication database, a RADIUS server, a SecurID server, or an LDAP server. As before, you may use groups to combine dial-up users, or use individual dial-up users. You cannot use the group function if you are using SecurID or an LDAP server.

Configuration

1. The first step in configuring XAuth is to configure the IP pool for the XAuth users. Select Objects > IP Pools. Enter an IP pool whose addresses differ from any other address assigned on the Netscreen device.

Page 1 of 12
2. Configure the user or users in the Users section. You may choose to create groups here. If you decide to use user groups, you will not be able to use an LDAP server or a SecurID server for external authentication. Select XAuth User and enter a password. Under L2TP/XAuth Remote Settings you may choose to set up the user with its own primary and secondary DNS IPs and primary and secondary WINS IPs. You may also use an IP pool that you set up in the previous step, or enter a static IP address. The static IP address overrides the IP pool if both are selected at the same time. If you do not select any settings under L2TP/XAuth Remote Settings, the user defaults to the XAuth server settings and the IP pool that you created in the previous step.
3. In this step you configure the XAuth server. To get to the XAuth server settings, click VPNs > AutoKey Advanced > XAuth Settings. If you decide to use external authentication with a third-party server such as RADIUS, SecurID or LDAP, you must configure it under Configuration > Auth > Auth Servers. If you decide to use the default local authentication database on the Netscreen, select the IP pool that you are going to use for the XAuth users under IP Pool Name, and enter the appropriate IP addresses for DNS and WINS. The other settings on this page are used for external authentication servers. Reserve Private IP for XAuth User is the length of time (in minutes) during which, after the initial session ends, you can begin another session without being prompted to log on again. Query Client Settings on Default Server is used when you have configured XAuth to perform address assignment as well as authentication. In this case, the authentication server returns an IP address and other settings (such as DNS and WINS IP addresses) to the user upon successful authentication.
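Steps 1 through 3 require the XAuth IP pool to be disjoint from every address already assigned on the device, and the DNS/WINS addresses handed to XAuth users to be valid. The following Python script is an added example, not part of this NetScreen document and not ScreenOS code: it checks a candidate pool against a device inventory before you commit it in the WebUI. The interface subnets and the range of the existing pool "px2" are constructed for illustration (only the pool name and the DNS/WINS addresses come from this document); in practice you would fill the inventory from the device's interface and IP pool pages.

```python
"""Sanity-check a candidate XAuth IP pool against addresses already assigned
on a ScreenOS device.

Added example, not part of the NetScreen document or ScreenOS itself. The
inventory below is constructed for illustration; on a real device you would
collect the interface subnets and existing pools yourself and pass them in.
"""
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Constructed sample inventory: interface subnets (hypothetical) and one
# existing pool. "px2" is the pool name shown in the document's CLI output;
# its address range here is made up.
ASSIGNED_SUBNETS = [
    "10.150.59.0/24",   # untrust interface (hypothetical)
    "192.168.1.0/24",   # trust interface (hypothetical)
]
EXISTING_POOLS: Dict[str, Tuple[str, str]] = {
    "px2": ("4.5.6.1", "4.5.6.254"),
}


def pool_range(start: str, end: str) -> Tuple[int, int]:
    """Return the pool as an inclusive pair of integer IPv4 addresses."""
    s, e = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    if e < s:
        raise ValueError(f"pool end {end} precedes start {start}")
    return int(s), int(e)


def overlaps_subnet(pool: Tuple[int, int], subnet: str) -> bool:
    """True if any address of the pool lies inside the subnet."""
    net = ipaddress.IPv4Network(subnet, strict=False)
    lo, hi = pool
    return not (hi < int(net.network_address) or lo > int(net.broadcast_address))


def overlaps_pool(a: Tuple[int, int], b: Tuple[int, int]) -> bool:
    """True if the two inclusive ranges share at least one address."""
    return not (a[1] < b[0] or a[0] > b[1])


def check_pool(name: str, start: str, end: str,
               subnets: Iterable[str] = ASSIGNED_SUBNETS,
               pools: Dict[str, Tuple[str, str]] = EXISTING_POOLS) -> List[str]:
    """Return a list of problems; an empty list means the pool is acceptable."""
    problems = []
    candidate = pool_range(start, end)
    for subnet in subnets:
        if overlaps_subnet(candidate, subnet):
            problems.append(f"{name}: overlaps interface subnet {subnet}")
    for other, (s, e) in pools.items():
        if other != name and overlaps_pool(candidate, pool_range(s, e)):
            problems.append(f"{name}: overlaps existing pool {other}")
    return problems


def check_remote_settings(dns: Iterable[str], wins: Iterable[str]) -> List[str]:
    """Verify the DNS/WINS addresses given to XAuth users are usable unicast IPv4."""
    problems = []
    for label, addrs in (("DNS", dns), ("WINS", wins)):
        for a in addrs:
            try:
                ip = ipaddress.IPv4Address(a)
            except ValueError:
                problems.append(f"{label} {a}: not an IPv4 address")
                continue
            if ip.is_multicast or ip.is_unspecified or ip.is_loopback:
                problems.append(f"{label} {a}: not a usable unicast address")
    return problems


if __name__ == "__main__":
    # A pool inside the trust subnet is rejected; a disjoint one is accepted.
    print(check_pool("xauth_pool", "192.168.1.100", "192.168.1.150"))
    print(check_pool("xauth_pool", "172.16.50.1", "172.16.50.100"))
    # DNS/WINS values from the document's "get xauth default" output.
    print(check_remote_settings(["198.6.1.3", "198.6.1.4"],
                                ["10.150.20.43", "10.100.3.110"]))
```

The check treats pools as inclusive ranges rather than CIDR blocks because that is how the WebUI takes them (start and end address); a pool that merely touches an interface subnet by one address is still reported, since that single address would collide with the interface's own network.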
This section is only for the configuration of external authentication servers. You may have two backup authentication servers here. Use the Account Type setting to allow each authentication server to perform more than two functions, except for Admin.

Note: If using a Funk RADIUS server to support NetScreen-specific attributes such as admin privileges, user groups, remote L2TP and XAuth IP address, and DNS and WINS server address assignments, you must load the Funk dictionary file (netscreen.dct) that defines these attributes onto the RADIUS server. If using Cisco ACS RADIUS, load the Cisco dictionary file (NSRadDef2.ini). A dictionary file defines vendor-specific attributes (VSAs) that you can load onto a RADIUS server. After defining values for these VSAs, NetScreen can query them when a user logs in to the NetScreen device. NetScreen VSAs include admin privileges, user groups, remote L2TP and XAuth IP address, and DNS and WINS server address assignments. For further information on the authentication servers, please refer to the C&E guide or the help menu on the Netscreen authentication page.

4. To get to this page, go to VPN > AutoKey Advanced > Gateway. Enter a Gateway Name, select Custom for the Security Level, select Dialup User, scroll down until you find the xauthuser, enter the pre-shared key, select the interface that you are exiting out of as the outgoing interface, click Advanced, and continue to the next window.
Select Custom for the security level, select your desired encryption level, select Aggressive mode, and if you are behind a NAT device select Enable NAT-Traversal; continue to the next window. Select Enable XAuth. Select Use Default if you are going to use the local global XAuth settings. If you are going to use groups of users, or local users, to allow more specific identification of the users and group users, then you can select Local Authentication or External Authentication (RADIUS, SecurID, LDAP). SecurID and LDAP do not support user groups at this time. You may select CHAP to add security between the external servers and the Netscreen. Click Return, then click OK.

5. Select AutoKey IKE, enter a VPN Name, select Custom, select Predefined, then select the Gateway that you created in the previous section, and click Advanced. Select Custom, select the desired encryption level (except for AES) for the Phase 2 Proposal, click Return, and then OK.
6. Go to the Policies section, select from the Untrust zone to the Trust zone, and click New. For the Source Address select Dial-Up VPN. For the Destination Address select the internal address. If you have not entered the internal address, you can enter it in the New Address section. Select the desired Service, or select ANY for all services. Select Tunnel for the Action, select the VPN that you created in the previous step, and select Position at Top to place this policy at the top. You do not have to change any other settings on this page unless you need additional authentication. Click OK.

7. You must now go to the Security Policy for the Netscreen Remote Client. Select IP Subnet under ID Type, enter the internal IP subnet and netmask, select Connect using, then select Secure Gateway Tunnel; under ID Type select IP Address, then enter the untrusted interface IP address of the Netscreen device.

8. Select My Identity. Under ID Type select E-mail Address and enter the email address that you entered for the user in the Users section of the Netscreen. Click the Pre-Shared Key button, click Enter, enter the pre-shared key that you entered in the Gateway section for this VPN, and click OK.
9. Select Security Policy and select Aggressive Mode. You have the option to select Enable Perfect Forward Secrecy (PFS) or Enable Replay Detection. These apply to the first phase.

10. Click Authentication (Phase 1), then click Proposal 1. Under Authentication Method select Pre-Shared Key; Extended Authentication, then select the desired encryption for Encrypt Alg, Hash Alg and Key Group.
11. Click Key Exchange (Phase 2), click Proposal 1, and enter the desired encryption level for the second phase, which was the AutoKey IKE setting on the Netscreen device. Select File, then click Save Changes. The configuration is now complete.
12. To test the XAuth configuration, ping a device in the Trust zone. You should be prompted for a username and password. The username and password should be those of the user that you created in the Users section for XAuth.

13. You can verify the XAuth default settings through the CLI by entering the following:

    ns208(m)-> get xauth default
    XAUTH Default Setting Info:
    Auth. DB Location : s1 (query settings)
    Auth type: SecurID
    IP Pool Name : px2
    Remote Primary DNS : 198.6.1.3
    Remote Secondary DNS : 198.6.1.4
    Remote Primary WINS: 10.150.20.43
    Remote Secondary WINS: 10.100.3.110
    ns208(m)->
    ns208(m)-> get ike gateway gg
    Id   Name            Gateway IP      Gateway ID      Mode Preshr Key    Proposals
    ---- --------------- --------------- --------------- ---- ------------- ----------
    2    gg                              u1              Aggr 12345678      p1.xauth...
    ----------- XAUTH Config -------------
    XAUTH Server enabled.
    Authentication: Use Default Config
    allow any xauth user
    ----------- XAUTH Activity -----------
    login: <x1> on 2002-05-26 21:21:47
    GWIP: 10.150.59.70 IP: 4.5.6.9
    DNS1: 198.6.1.3 DNS2: 198.6.1.4
    WINS1: 10.150.20.43 WINS2: 10.100.3.110
    ns208(m)-> get ike gateway
    Id   Name            Gateway IP      Mode Preshr Key       Proposals
    ---- --------------- --------------- ---- ---------------- ---------------
    0    g1              0.0.0.0         Main 12345678         pre-g2-aes128-sha
    1    g2              0.0.0.0         Main 12345678         pre-g2-aes128-sha
    2    gg              u1              Aggr 12345678         p1.xauth
    Total Gateways: 3
    user with ASN1_DN type ID sort list:
    ns208(m)-> get ike cookie
    Active: 1, Dead: 0, Total 1
    182f/6, 10.150.59.70->10.150.59.66: PRESHR/grp2/3DES/SHA, xchg(4) usr(d-1/u1)
    resent-tmr 0 lifetime 180 lt-recv 0 nxt_rekey 167 cert-expire 0
    initiator 0, in-out 0, err cnt 0, send dir 1, cond 0
    nat-traversal map not available
    ike heartbeat : disabled
    ike heartbeat last rcv time: 0
    ike heartbeat last snd time: 0
    XAUTH status: 100
    ns208(m)-> get xauth active
    GW Name  Login  Auth By  GW IP         Private IP  Last Login
    gg       x1     Local    10.150.59.70  4.5.6.9     2002-05-26 21:21:47
    ns208(m)-> get ike gateway
    ----------- XAUTH Config -------------
    XAUTH Client enabled.
    Auth type: chap
    User Name: john
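The CLI output in step 13 is what you would check after a test login, and it is also worth keeping in mind that "get ike gateway" prints the pre-shared key in clear text, so saved CLI captures need the same handling as the key itself. The following Python script is an added example, not part of this NetScreen document and not a ScreenOS feature: it parses the "get xauth active" and "get ike cookie" output shown above (copied from the document's session) and audits each session for the expected authentication backend, a private IP inside the configured pool, and a completed XAuth exchange. Two assumptions are labelled in the code: that "XAUTH status: 100" denotes a completed exchange (inferred from the sample, not a documented code), and that the first address in the "get ike cookie" SA line is the remote peer (it matches the session's GW IP in the sample). The pool range passed to audit() is constructed, since the document shows only the pool name px2.

```python
"""Parse ScreenOS "get xauth active" and "get ike cookie" output and audit the
XAuth sessions it reports.

Added example, not part of the NetScreen document. The sample text below is
copied from the document's step 13 CLI session. Assumptions: "XAUTH status:
100" means the XAuth exchange completed (inferred from the sample), and the
first address on the SA line is the remote peer (matches GW IP in the sample).
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List

XAUTH_ACTIVE_OUTPUT = """\
GW Name  Login  Auth By  GW IP         Private IP  Last Login
gg       x1     Local    10.150.59.70  4.5.6.9     2002-05-26 21:21:47
"""

IKE_COOKIE_OUTPUT = """\
Active: 1, Dead: 0, Total 1
182f/6, 10.150.59.70->10.150.59.66: PRESHR/grp2/3DES/SHA, xchg(4) usr(d-1/u1)
resent-tmr 0 lifetime 180 lt-recv 0 nxt_rekey 167 cert-expire 0
initiator 0, in-out 0, err cnt 0, send dir 1, cond 0
nat-traversal map not available
XAUTH status: 100
"""


@dataclass
class XauthSession:
    gateway: str
    login: str
    auth_by: str
    gw_ip: str
    private_ip: str
    last_login: str


# One row of "get xauth active": name, login, backend, two IPv4s, timestamp.
ROW_RE = re.compile(
    r"^(?P<gw>\S+)\s+(?P<login>\S+)\s+(?P<auth>\S+)\s+(?P<gwip>\d+\.\d+\.\d+\.\d+)"
    r"\s+(?P<priv>\d+\.\d+\.\d+\.\d+)\s+(?P<when>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})$"
)

# The Phase 1 SA line of "get ike cookie": cookie, peer->local, auth/grp/enc/hash.
SA_RE = re.compile(
    r"^(?P<cookie>[0-9a-f]+/\d+), (?P<src>\S+)->(?P<dst>\S+): "
    r"(?P<auth>\w+)/(?P<grp>\w+)/(?P<enc>\w+)/(?P<hash>\w+),"
)


def parse_xauth_active(text: str) -> List[XauthSession]:
    """Return one XauthSession per data row; the header row never matches."""
    sessions = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            sessions.append(XauthSession(m["gw"], m["login"], m["auth"],
                                         m["gwip"], m["priv"], m["when"]))
    return sessions


def parse_ike_cookie(text: str) -> Dict[str, str]:
    """Extract the SA peer/algorithms and the XAUTH status line."""
    info: Dict[str, str] = {}
    for line in text.splitlines():
        m = SA_RE.match(line.strip())
        if m:
            info.update({k: m[k] for k in ("src", "dst", "auth", "grp", "enc", "hash")})
        elif line.startswith("XAUTH status:"):
            info["xauth_status"] = line.split(":", 1)[1].strip()
    return info


def audit(sessions: List[XauthSession], sa: Dict[str, str],
          expected_auth_by: str, pool_start: str, pool_end: str) -> List[str]:
    """Return findings; an empty list means every session looks as configured."""
    findings = []
    if sa.get("xauth_status") != "100":   # assumption: 100 == completed exchange
        findings.append(f"XAUTH status is {sa.get('xauth_status')}, not 100")
    lo = int(ipaddress.IPv4Address(pool_start))
    hi = int(ipaddress.IPv4Address(pool_end))
    for s in sessions:
        if s.auth_by != expected_auth_by:
            findings.append(f"{s.login}@{s.gateway}: authenticated by {s.auth_by}, "
                            f"expected {expected_auth_by}")
        if not lo <= int(ipaddress.IPv4Address(s.private_ip)) <= hi:
            findings.append(f"{s.login}@{s.gateway}: private IP {s.private_ip} outside pool")
        if sa.get("src") and s.gw_ip != sa["src"]:   # assumption: src is the remote peer
            findings.append(f"{s.login}@{s.gateway}: peer {s.gw_ip} differs from "
                            f"Phase 1 SA peer {sa['src']}")
    return findings


if __name__ == "__main__":
    sessions = parse_xauth_active(XAUTH_ACTIVE_OUTPUT)
    sa = parse_ike_cookie(IKE_COOKIE_OUTPUT)
    # Pool range for px2 is constructed; the document gives only the name.
    print(audit(sessions, sa, "Local", "4.5.6.1", "4.5.6.254"))
```

Because "get xauth active" reports which backend authenticated each login, the audit catches the case where a gateway was left on Use Default while the intended server (RADIUS, SecurID or LDAP) was never reached; a private IP outside the pool likewise shows a user-level static address or a stale pool selection from step 2.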