xauth enable

Function

The xauth enable command enables IKEv1 extended authentication.

The undo xauth enable command disables IKEv1 extended authentication.

By default, IKEv1 extended authentication is disabled.

Format

xauth enable [ non-strict ]

undo xauth enable

Parameters

Parameter	Description	Value
non-strict	Indicates that the client with extended authentication capabilities connects to a network through IKEv1 extended authentication and the client without extended authentication capabilities does not use IKEv1 extended authentication to connect to a network.	-

Views

IKE peer view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To improve the security of IKE peers, you can enable IKEv1 extended authentication on the IKE responder. After IKE SA negotiation in phase 1 is complete, the responder initiates IKEv1 extended authentication. If IKEv1 extended authentication is successful, IPSec SA negotiation in phase 2 starts. If IKEv1 extended authentication fails, IKE negotiation is stopped.

Precautions

After non-strict is specified, if IKEv1 extended authentication is disabled on the client that requires IKEv1 extended authentication, the client can connect to a network through another mode but not IKEv1 extended authentication. This mode has security risks. You can advised to run the no-xauth enable command so that the client without extended authentication capabilities does not use IKEv1 extended authentication to connect to a network.

After IKEv1+xAuth authentication is configured, the device does not support RADIUS dynamic authorization.
In IKEv1+xAuth authentication, if an SPU is inserted to or removed from a device, the IPSec tunnel will be torn down, causing service interruption.
IPSec IPv6 does not support IKEv1+xAuth authentication.

Example

# Enable IKEv1 extended authentication.

<sysname> system-view
[sysname] ike peer peer1
[sysname-ike-peer-peer1] xauth enable