
aaa authentication vpn

aaa authentication vpn <profile-name>

cert-cn-lookup

clone <source>

default-role <role>

export-route

max-authentication-failures <number>

no ...

pan-integration

radius-accounting

server-group <group>

user-idle-timeout

Description

This command configures VPN authentication settings.

Syntax

Parameter

Description

Default

<profile-name>

There are three VPN profiles: default, default-rap or default-cap.

This allows users to use different AAA servers for VPN, Remote AP and Campus AP clients.

NOTE: The default and default-rap profiles are configurable. The default-cap profile is not configurable and is predefined with the default settings.

cert-cn-lookup

If you use client certificates for user authentication, enable this option to verify that the CN of the client certificate exists in the authentication server. Without it, a certificate that validates against the trusted CA is accepted without confirming that its CN corresponds to a user the server knows. This parameter is enabled by default in the default-cap and default-rap VPN profiles, and disabled by default on all other VPN profiles.

clone <source>

Copies data from another VPN authentication profile. Source is the profile name from which the data is copied.

default-role <role>

Role assigned to the VPN user upon login.

NOTE: This parameter requires the PEF for VPN Users license.

Default: guest

export-route

Exports a VPN IP address as a route to the external world. See the show ip ospf command to view the link-state advertisement types that are generated.

Default: enabled

max-authentication-failures <number>

Maximum number of authentication failures before the user is blacklisted. The supported range is 1-10 failures. A value of 0 disables blacklisting; because 0 is the default, a client can retry authentication without limit until this parameter is set.

NOTE: This parameter requires the RFProtect license.

Default: 0 (disabled)

no

Negates any configured parameter.

pan-integration

Require IP mapping at Palo Alto Networks firewalls.

Default: disabled

radius-accounting

Configure the server group used for RADIUS accounting.

server-group <group>

Name of the group of servers used to authenticate VPN users. See aaa server-group.

Default: internal

user-idle-timeout

The user idle timeout for this profile. Specify the idle timeout value for the client in seconds. Valid range is 30-15300 in multiples of 30 seconds. Enabling this option overrides the global settings configured in the AAA timers. If this is disabled, the global settings are used.

Usage Guidelines

This command configures VPN authentication settings for VPN, Remote AP and Campus AP clients. Use the vpdn group command to configure an L2TP/IPsec or a PPTP VPN connection. (See vpdn group l2tp.) PPTP carries PPP over a GRE tunnel with a TCP control channel and offers weaker protection than L2TP/IPsec, which authenticates and encrypts every IP packet; prefer L2TP/IPsec for new deployments.

Example

The following command configures VPN authentication settings for the default-rap profile:

(host) ^[md] (config) #aaa authentication vpn default-rap

(host) ^[md] (VPN Authentication Profile "default-rap")default-role guest

(host) ^[md] (VPN Authentication Profile "default-rap")clone default

(host) ^[md] (VPN Authentication Profile "default-rap")max-authentication-failures 0

(host) ^[md] (VPN Authentication Profile "default-rap")server-group vpn-server-group

The following message appears when a user tries to configure the non-configurable default-cap profile:

(host) ^[md] (config) #aaa authentication vpn default-cap

Predefined VPN Authentication Profile "default-cap" is not editable
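As a contrast to the default-rap example above, the following configuration is an added example and not from the original page. It hardens the default-rap profile: clone runs first so that the settings issued afterwards are not overwritten, authentication is pointed at an assumed server group named vpn-radius-group, cert-cn-lookup is enabled explicitly, blacklisting is turned on after five failures, a 15-minute idle timeout is set, and an assumed user role named vpn-restricted replaces guest. The closing show aaa authentication vpn command is assumed to display the resulting profile so the values can be checked.

```text
(host) ^[md] (config) #aaa authentication vpn default-rap
(host) ^[md] (VPN Authentication Profile "default-rap")clone default
(host) ^[md] (VPN Authentication Profile "default-rap")server-group vpn-radius-group
(host) ^[md] (VPN Authentication Profile "default-rap")cert-cn-lookup
(host) ^[md] (VPN Authentication Profile "default-rap")max-authentication-failures 5
(host) ^[md] (VPN Authentication Profile "default-rap")user-idle-timeout 900
(host) ^[md] (VPN Authentication Profile "default-rap")default-role vpn-restricted
(host) ^[md] (VPN Authentication Profile "default-rap")exit
(host) ^[md] (config) #show aaa authentication vpn default-rap
```

clone copies every setting from the source profile, so issuing it after default-role or server-group, as the earlier example does, discards those changes; put it first. cert-cn-lookup is on by default in default-rap, but cloning from default, where it is off, carries the disabled value across, so it is re-enabled explicitly here. max-authentication-failures needs the RFProtect license, default-role needs the PEF for VPN Users license and an existing user role, and user-idle-timeout must be a multiple of 30 between 30 and 15300.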

The following example describes the steps to use the CLI to configure a VPN for Cisco Smart Card Clients using certificate authentication and IKEv1, where the client is authenticated against user entries added to the internal database:

(host) ^[md] (config) #aaa authentication vpn default
server-group internal

(host) ^[md] (config) #no crypto-local isakmp xauth

(host) ^[md] (config) #vpdn group l2tp
enable
client dns 101.1.1.245

(host) ^[md] (config) #ip local pool sc-clients 10.1.1.1 10.1.1.250

(host) ^[md] (config) #crypto-local isakmp server-certificate MyServerCert
(host) ^[md] (config) #crypto-local isakmp ca-certificate TrustedCA

(host) ^[md] (config) #crypto isakmp policy 1
authentication rsa-sig

The following command configures client entries in the internal database:

(host) [mynode] #local-userdb add username <name> password <password>

The following example configures a VPNVirtual Private Network. VPN enables secure access to a corporate network when located remotely. It enables a computer to send and receive data across shared or public networks as if it were directly connected to the private network, while benefiting from the functionality, security, and management policies of the private network. This is done by establishing a virtual point-to-point connection through the use of dedicated connections, encryption, or a combination of the two. for XAuthExtended Authentication. XAuth provides a mechanism for requesting individual authentication information from the user, and a local user database or an external authentication server. It provides a method for storing the authentication information centrally in the local network. IKEv1Internet Key Exchange version 1. IKEv1 establishes a secure authenticated communication channel by using either the pre-shared key (shared secret), digital signatures, or public key encryption. IKEv1 operates in Main and Aggressive modes. See RFC 2409. clients in config mode using a username and password:

(host) ^[md] (config) #aaa authentication vpn default

server-group internal

 

crypto-local isakmp xauth

 

(host) ^[md] (config) #vpdn group l2tp

enable

client dns 101.1.1.245

 

(host) ^[md] (config) #ip local pool pw-clients 10.1.1.1 10.1.1.250

 

(host) ^[md] (config) #crypto isakmp key 0987654 address 0.0.0.0 netmask 0.0.00

 

(host) ^[md] (config) #crypto isakmp policy 1

authentication pre-share

Enter the following command to configure client entries in the internal database:

(host) [mynode] #local-userdb add username <name> password <password>

Command History

Release: ArubaOS 8.0.0.0

Modification: Command introduced.

Command Information

Platforms: All platforms

License: Base operating system, except for noted parameters. The default-role parameter requires the PEF for VPN Users license; the max-authentication-failures parameter requires the RFProtect license.

Command Mode: Config mode on Mobility Master.
