IKEv1 + xAuth Authentication
As shown in Figure 1, an IPSec tunnel can be established between a PC and the enterprise headquarters to ensure secure remote access.
Generally, a PC negotiates an IPSec tunnel with the headquarters in pre-shared key mode. When many PCs access the headquarters remotely, a separate IPSec policy and pre-shared key must be configured on the headquarters gateway for each PC,
which means a heavy workload and complex management. Configuring one shared IPSec policy and pre-shared key for all PCs reduces the workload and simplifies management, but lowers remote access security: a group pre-shared key cannot be revoked for one user without changing it for everyone, and anyone who obtains it can authenticate as any member of the group.
IPSec negotiation between PCs and the headquarters can also use RSA (Rivest-Shamir-Adleman) signature mode. In this mode users are authenticated by certificate and do not enter a user name or password. However,
this mode carries its own risk: the certificate and private key are stored on the PC, so whoever steals the PC can authenticate with it and obtain confidential information from the headquarters.
IKEv1 + xAuth authentication (IKEv1 extended authentication) is introduced to solve both problems. With this solution, the headquarters gateway initiates xAuth after IKE phase 1 (the IKE SA) has been negotiated successfully and verifies the user name and password over that SA, so device authentication (pre-shared key or certificate) and user authentication are both required.
If xAuth succeeds, negotiation continues with IKE phase 2 (IPSec SA negotiation). If xAuth fails, IKE negotiation stops and no IPSec tunnel is established.
xAuth is defined in an IETF draft (draft-ietf-ipsec-isakmp-xauth) rather than a standard, so clients must explicitly support IKEv1 + xAuth. Note also that xAuth only adds a check after phase 1: if a shared pre-shared key is used for phase 1, anyone who knows that key can pose as the headquarters gateway, complete phase 1 with a PC and collect the user's xAuth credentials, so the phase 1 key must still be kept confidential.
Figure 1 IKEv1 + xAuth authentication networking
IKEv1+xAuth authentication supports two authentication modes:
PAP authentication: supports both local authentication and server authentication.
Figure 2 shows the PAP authentication process.
Figure 2 PAP authentication process (server authentication)
- A PC performs an IKE SA negotiation with the FW.
- After successful IKE SA negotiation, the FW sends an xAuth request packet to the PC based on the configuration.
- After receiving the xAuth request packet, the PC sends an xAuth reply packet containing the user name and password to the FW.
- After receiving the reply packet, the FW sends a RADIUS Access-Request carrying the user name and password to the RADIUS server. On this leg the password is protected only by the RADIUS User-Password obfuscation with the shared secret, so the FW-to-server path should itself be trusted or protected.
- The RADIUS server compares the received user name and password with those saved locally. If they match, authentication succeeds and the server returns Access-Accept; otherwise it returns Access-Reject. The FW converts the response into the xAuth result.
- The FW forwards the xAuth result to the PC.
- The PC sends an ACK packet to the FW to confirm that it has received the xAuth result.
- The PC performs an IPSec SA negotiation with the FW.
In local authentication, no RADIUS server is involved: the FW compares the received user name and password with the entries in its local user database. If they match, authentication succeeds, and the FW sends the xAuth
result to the PC directly.
CHAP authentication: supports both local and server authentication.
Figure 3 shows the CHAP authentication process.
Figure 3 CHAP authentication process (server authentication)
- A PC performs an IKE SA negotiation with the FW.
- After successful IKE SA negotiation, the FW sends a Challenge packet to the PC based on the configuration.
- After receiving the Challenge packet, the PC calculates an MD5 digest over the CHAP identifier, the user password and the received challenge (the CHAP response of RFC 1994), and sends the xAuth reply (containing the user name, the digest, and the challenge) to the FW. Because the challenge is fresh for each exchange, a digest captured from one exchange is useless in a later one.
- After receiving the reply packet, the FW sends a RADIUS Access-Request carrying the user name, the digest (CHAP-Password) and the challenge (CHAP-Challenge) to the RADIUS server. The FW should use the challenge it generated itself, not the copy echoed back by the PC.
- The RADIUS server calculates the same MD5 digest from the locally configured user password and the challenge, and compares it with the received digest. If they are the same, authentication succeeds. The RADIUS server returns Access-Accept or Access-Reject,
which the FW converts into the xAuth result. CHAP therefore requires the server to hold the user password in cleartext (or reversibly encrypted) form; a server that stores only password hashes cannot verify CHAP.
- The FW forwards the xAuth result to the PC.
- The PC sends an ACK packet to the FW to confirm that it has received the xAuth result.
- The PC performs an IPSec SA negotiation with the FW.
In local authentication, the FW calculates the digest from the password in its local user database, compares it with the received digest, and sends the xAuth result to the PC directly.
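The following added example (not code from the original page or from the firewall vendor) simulates the xAuth exchanges of Figure 2 (PAP) and Figure 3 (CHAP) between a PC and the FW, with either local verification or a stand-in RADIUS server. Messages are simplified to (message type, attribute dict) tuples; the Config-Mode message types and xAuth attribute numbers are taken from the IETF drafts, while the ISAKMP framing, the ISAKMP SA encryption, the CHAP identifier value and the packing of the CHAP response as ident || digest are assumptions made for the example. The user database, user names and passwords are constructed.

```python
"""Simulated IKEv1 xAuth exchange (PAP and CHAP) between a PC and a FW, with
local or RADIUS verification.  Constructed example: messages are (type, attrs)
tuples keyed by attribute number; ISAKMP framing and encryption are omitted."""
import hashlib
import hmac
import os

# Config-Mode message types (draft-ietf-ipsec-isakmp-mode-cfg) and xAuth
# attribute numbers and values (draft-ietf-ipsec-isakmp-xauth).
CFG_REQUEST, CFG_REPLY, CFG_SET, CFG_ACK = 1, 2, 3, 4
XAUTH_TYPE, XAUTH_USER_NAME, XAUTH_USER_PASSWORD = 16520, 16521, 16522
XAUTH_CHALLENGE, XAUTH_STATUS = 16525, 16527
TYPE_GENERIC, TYPE_RADIUS_CHAP = 0, 1      # "Generic" carries a PAP-style password
STATUS_FAIL, STATUS_OK = 0, 1


def chap_response(ident, password, challenge):
    """RFC 1994 CHAP response: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def verify(users, mode, name, pwd_attr, challenge):
    """Credential check shared by FW local authentication and the RADIUS stand-in.
    PAP compares the password; CHAP recomputes the digest from the stored
    cleartext password and the challenge the *server* issued."""
    secret = users.get(name)
    if secret is None:
        return False
    if mode == TYPE_RADIUS_CHAP:
        # pwd_attr is packed like RADIUS CHAP-Password: 1-octet ident + 16-octet digest (assumed)
        if challenge is None or len(pwd_attr) != 17:
            return False
        return hmac.compare_digest(pwd_attr[1:], chap_response(pwd_attr[0], secret, challenge))
    return hmac.compare_digest(pwd_attr, secret)


class RadiusServer:
    """Stand-in for the RADIUS server of Figures 2 and 3 (Access-Request -> accept/reject)."""
    def __init__(self, users):
        self.users = users                      # user name -> cleartext password (needed for CHAP)

    def access_request(self, mode, name, pwd_attr, challenge=None):
        return verify(self.users, mode, name, pwd_attr, challenge)


class Firewall:
    """FW side: sends the xAuth request after phase 1, checks the reply locally or
    via RADIUS, and sends the xAuth result."""
    def __init__(self, mode, local_users=None, radius=None):
        self.mode, self.local_users, self.radius, self.challenge = mode, local_users, radius, None

    def request(self):
        attrs = {XAUTH_TYPE: self.mode, XAUTH_USER_NAME: b"", XAUTH_USER_PASSWORD: b""}
        if self.mode == TYPE_RADIUS_CHAP:
            self.challenge = os.urandom(16)     # fresh random challenge per exchange
            attrs[XAUTH_CHALLENGE] = self.challenge
        return CFG_REQUEST, attrs

    def result(self, msg):
        kind, attrs = msg
        ok = False
        if kind == CFG_REPLY and attrs.get(XAUTH_TYPE) == self.mode:
            name, pwd = attrs.get(XAUTH_USER_NAME, b""), attrs.get(XAUTH_USER_PASSWORD, b"")
            # Use the challenge the FW generated, never one echoed back by the PC.
            if self.radius is not None:
                ok = self.radius.access_request(self.mode, name, pwd, self.challenge)
            else:
                ok = verify(self.local_users, self.mode, name, pwd, self.challenge)
        return CFG_SET, {XAUTH_STATUS: STATUS_OK if ok else STATUS_FAIL}


class Client:
    """PC side: answers the xAuth request and acknowledges the result."""
    def __init__(self, name, password):
        self.name, self.password = name, password

    def reply(self, msg):
        kind, attrs = msg
        mode = attrs.get(XAUTH_TYPE, TYPE_GENERIC)
        if mode == TYPE_RADIUS_CHAP:
            ident = 1                           # assumed CHAP identifier value
            digest = chap_response(ident, self.password, attrs[XAUTH_CHALLENGE])
            pwd = bytes([ident]) + digest
        else:
            pwd = self.password                 # PAP: cleartext, protected only by the ISAKMP SA
        return CFG_REPLY, {XAUTH_TYPE: mode, XAUTH_USER_NAME: self.name, XAUTH_USER_PASSWORD: pwd}

    def ack(self, msg):
        return CFG_ACK, {}


def run_xauth(fw, client):
    """Steps 2-7 of Figures 2 and 3; returns the XAUTH_STATUS delivered to the PC.
    Phase 2 (IPSec SA negotiation) would follow only on STATUS_OK."""
    result = fw.result(client.reply(fw.request()))
    client.ack(result)
    return result[1][XAUTH_STATUS]


def replay_attempt(fw, client):
    """Resubmit a reply captured from one exchange against a fresh request.
    For CHAP the digest no longer matches the new challenge, so the FW answers
    STATUS_FAIL; for PAP the same reply is accepted again."""
    captured = client.reply(fw.request())
    fw.request()                                # new exchange, new challenge
    return fw.result(captured)[1][XAUTH_STATUS]
```

Running `run_xauth(Firewall(TYPE_RADIUS_CHAP, radius=RadiusServer({b"alice": b"s3cret"})), Client(b"alice", b"s3cret"))` returns STATUS_OK, and `replay_attempt` with the same CHAP setup returns STATUS_FAIL because the captured digest was bound to the earlier challenge. The same replay against a TYPE_GENERIC firewall returns STATUS_OK, which is the point of the PAP caveat above: inside xAuth, a PAP password has no freshness of its own and depends entirely on the ISAKMP SA encryption for protection.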