
Configuring IPSec User Authentication

This section describes how to configure IPSec user authentication.

Context

When a mobile user remotely accesses an IPSec tunnel, IPSec user authentication needs to be configured on the FW.

  • IKEv1 authentication for IPSec access users: The FW carries out local authentication or server authentication for these users.
    • PAP authentication: supports local authentication and all types of server authentication.
    • CHAP authentication: supports local authentication, RADIUS authentication, and HWTACACS authentication.
  • IKEv2 EAP authentication for IPSec access users: The FW authenticates users through a RADIUS server.

This section describes how to configure IPSec user access authentication only. To implement user-specific policy control, you need to select IPSec access and Online behavior management, configure authentication policy, and import user information from the server to the local device.

Procedure

  1. Select an authentication domain to be configured.
  2. Select IPSec access.
  3. Configure user information.

    Configure user information on the FW based on the locations and organizational structure of users.

    • Users on the local device

      Create users in the following ways:

      • In User Management List, click Add to create users.

        Parameters:

        • User Name: Login name used for authentication. Each login name (account) must be unique in its authentication domain.
        • Display Name: Display name of a user. A display name is a user identifier and cannot be used to initiate an authentication request. You are advised to use employees' names as their display names for easy recognition and management. Users can share a display name. This parameter is unavailable when you create users in batches.
        • Description: Description of a user. Describe users in a way that makes them easy to find and maintain.
        • Password: User password.
        • Confirm Password: User password entered again for confirmation.

      • Click Import User and import users from a CSV file. For details, see Importing Users and User Groups from a CSV File.
    • Users on the server

      1. Select an existing authentication server or add a new one. For details on how to add an authentication server, see Configuring Authentication Servers Using the Web UI.

  4. Enable Reporting Traffic to the Authentication Server.

    Reporting Traffic to the Authentication Server is displayed only when Authentication Server is a RADIUS server.

    After this function is enabled, the FW reports traffic statistics about IPSec VPN access users to the RADIUS server, so that the server can charge users based on their traffic.

    To use this function, select the online behavior management scenario and configure an authentication policy.

  5. Expand IP Address Pool and set parameters for users in the authentication domain.

    Parameters:

    • User Address Pool: Address pool used to allocate private IP addresses to users. Select an existing address pool or click Add to create one.

  6. Optional: Configure a RADIUS accounting scheme and a RADIUS authorization scheme.

    The RADIUS accounting scheme and the RADIUS authorization scheme apply only to user-defined portal authentication, SSL VPN access, L2TP/L2TP over IPSec, IPSec access, administrator access, and 802.1x access scenarios in which the firewall participates in user authentication.

  7. Click Apply.
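The constraints stated for local users in step 3 (a login name must be unique within its authentication domain, a display name may be shared and is not an authentication identifier, and Password must match Confirm Password) are easy to check before entries are typed into the Web UI or prepared for import. The following pre-check is an added example written for this page; it is not Huawei code, and the UserEntry record layout is an assumption for illustration, not the FW's CSV import format.

```python
"""Pre-check local IPSec access user entries against the rules stated on this page.

Added example, not from the Huawei documentation. The record layout
(UserEntry) is an assumption for illustration, not the FW's CSV import format.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class UserEntry:
    domain: str               # authentication domain the account belongs to
    user_name: str            # login name used for authentication
    password: str
    confirm_password: str
    display_name: str = ""    # optional; may be shared between users
    description: str = ""     # free text to make the user easy to find and maintain


def validate_entries(entries: List[UserEntry]) -> Dict[int, List[str]]:
    """Return {entry index: [problems]}; an empty dict means every entry is acceptable."""
    problems: Dict[int, List[str]] = {}
    # Uniqueness is scoped to the authentication domain, so key on (domain, user_name).
    seen: Dict[Tuple[str, str], int] = {}
    for idx, e in enumerate(entries):
        errs: List[str] = []
        if not e.user_name.strip():
            errs.append("User Name is empty")
        key = (e.domain, e.user_name)
        if key in seen:
            errs.append(
                f"User Name {e.user_name!r} duplicates entry {seen[key]} in domain {e.domain!r}"
            )
        else:
            seen[key] = idx
        if not e.password:
            errs.append("Password is empty")
        elif e.password != e.confirm_password:
            errs.append("Password and Confirm Password differ")
        # Display Name is deliberately not checked for uniqueness: the page allows sharing it.
        if errs:
            problems[idx] = errs
    return problems


# Constructed sample input (not real accounts).
SAMPLE = [
    UserEntry("default", "alice", "pw1", "pw1", "Alice Wang"),
    UserEntry("default", "bob", "pw2", "pw2", "Alice Wang"),   # shared display name: allowed
    UserEntry("default", "alice", "pw3", "pw3"),               # duplicate account in same domain
    UserEntry("branch", "alice", "pw4", "pw4"),                # same name, different domain: allowed
    UserEntry("default", "carol", "pw5", "pw6"),               # confirmation mismatch
]

if __name__ == "__main__":
    for idx, errs in validate_entries(SAMPLE).items():
        print(f"entry {idx}: " + "; ".join(errs))
```

Run against the constructed sample, the check flags entry 2 (duplicate account in domain "default") and entry 4 (password confirmation mismatch) and accepts the shared display name and the same login name in a different domain.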
Copyright © Huawei Technologies Co., Ltd.