Configuring a VPN for Smart Card Clients

This section describes how to configure a remote access VPN on the controller for Microsoft L2TP/IPsec clients with smart cards. (A smart card contains a digital certificate which allows user-level authentication without the user entering a username and password.) As described previously in this chapter, L2TP/IPsec requires two levels of authentication: first, IKE SA (machine) authentication, and then user-level authentication with an IKEv2 or PPP-based authentication protocol.

Microsoft clients running Windows 7 (or later versions) support both IKEv1 and IKEv2. Microsoft clients using IKEv2 support machine authentication using RSA certificates (but not ECDSA certificates or pre-shared keys) and smart card user-level authentication with EAP-TLS over IKEv2.

Windows 7 clients without smart cards also support user password authentication using EAP-MSCHAPv2 or PEAP-MSCHAPv2.

Working with Smart Card Clients using IKEv2

To configure a VPN for Windows 7 clients using smart cards and IKEv2, follow the procedure described in Configuring a VPN for L2TP/IPsec with IKEv2 in the WebUI, and ensure that the following settings are configured:

- L2TP is enabled.
- User Authentication is set to EAP-TLS.
- IKE version is set to V2.
- The IKE policy is configured for ECDSA or RSA certificate authentication.

Working with Smart Card Clients using IKEv1

Microsoft clients using IKEv1 (including clients running Windows Vista or earlier versions of Windows) only support machine authentication using a pre-shared key. In this scenario, user-level authentication is performed by an external RADIUS server using PPP EAP-TLS and client and server certificates are mutually authenticated during the EAP-TLS exchange. During the authentication, the controller encapsulates EAP-TLS messages from the client into RADIUS messages and forwards them to the server.

On the controller, you need to configure the L2TP/IPsec VPN with EAP as the PPP authentication protocol and an IKE policy that uses pre-shared key authentication for the IKE SA.

On the RADIUS server, you must configure a remote access policy to allow EAP authentication for smart card users and select a server certificate. The user entry in Microsoft Active Directory must be configured for smart cards.

To configure an L2TP/IPsec VPN for clients using smart cards and IKEv1, ensure that the following settings are configured:

1. On a RADIUS server, configure a remote access policy to allow EAP authentication for smart card users and select a server certificate. The user entry in Microsoft Active Directory must be configured for smart cards. (For detailed information on creating and managing user roles and policies, see Roles and Policies.)
2. Ensure that the RADIUS server is part of the server group used for VPN authentication.
3. Configure the other VPN settings as described in Configuring a VPN for L2TP/IPsec with IKEv2 in the WebUI, while selecting the following options:
   - Select Enable L2TP.
   - Select EAP for the Authentication Protocol.
   - Define an IKE Shared Secret to be used for machine authentication. (To make the IKE key global, specify 0.0.0.0 for both the subnet and the subnet mask.)
   - Configure the IKE policy for Pre-Share authentication.
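The settings above are given for the WebUI; the following is an added example (not from this guide) of what the same configuration is assumed to look like in the controller CLI, covering both the IKEv1 pre-shared key case with RADIUS-terminated EAP and the IKEv2 certificate case. Server names, the address 192.0.2.10, the policy priorities and the bracketed secrets are placeholders; verify the exact command syntax against your controller's release before use.

```text
! RADIUS server that terminates PPP EAP-TLS for the IKEv1 case (assumed syntax)
aaa authentication-server radius SMARTCARD-RADIUS
  host 192.0.2.10
  key <RADIUS-SHARED-SECRET>
!
! The RADIUS server must be in the server group used for VPN authentication
aaa server-group VPN-SRVGRP
  auth-server SMARTCARD-RADIUS
!
aaa authentication vpn default
  server-group VPN-SRVGRP
!
! Enable L2TP and select EAP as the PPP authentication protocol so that
! EAP-TLS from the client is relayed to the RADIUS server
vpdn group l2tp
  enable
  ppp authentication EAP
!
! IKEv1 machine authentication: a global pre-shared key
! (address 0.0.0.0 with netmask 0.0.0.0 matches any client)
crypto isakmp key <IKE-SHARED-SECRET> address 0.0.0.0 netmask 0.0.0.0
crypto isakmp policy 10
  version v1
  authentication pre-share
  encryption aes256
  hash sha
  group 2
!
! IKEv2 machine authentication with the controller's RSA server certificate
! (Windows IKEv2 clients do not accept ECDSA or pre-shared keys here)
crypto isakmp policy 20
  version v2
  authentication rsa-sig
  encryption aes256
  hash sha
  group 2
```

With the IKEv1 policy in place, a client that presents the correct pre-shared key but whose smart card certificate is rejected by the RADIUS server still fails at the PPP EAP stage, so the RADIUS server's EAP-TLS trust settings, not only the IKE key, decide who gets in.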