Working with VPN Authentication Profiles

VPN authentication profiles identify an authentication server, the server group to which the authentication server belongs, and a user role for authenticated VPN clients. There are three predefined VPN authentication profiles: default, default-rap, and default-cap. These different profiles allow you to use different authentication servers, user roles, and IP pools for VPN, remote AP, and campus AP clients.


You can configure the default and default-rap profiles, but not the default-cap profile.

Table 1: Predefined Authentication Profile settings

| Parameter | Description | default | default-rap | default-cap |
|---|---|---|---|---|
| Default Role for authenticated users | The role that is assigned to the authenticated users. | default-vpn-role | default-vpn-role | sys-ap-role |
| Maximum allowed authentication failures | The number of contiguous authentication failures before the station is blacklisted. | 0 (feature is disabled) | 0 (feature is disabled) | 0 (feature is disabled) |
| Check certificate common name against AAA server | When enabled, this feature verifies that the certificate's common name exists in the server. | disabled | enabled | enabled |
| Export VPN IP address as a route | When enabled, this feature causes any VPN client address to be exported to OSPF using IPC. NOTE: The Framed-IP-Address attribute is assigned the IP address as long as any server returns the attribute. The Framed-IP-Address value always has a higher priority than the local address pool. | enabled | enabled | enabled |
| User idle timeout | The user idle timeout value for this profile. Specify the idle timeout value for the client in seconds. Valid range is 30-15300 in multiples of 30 seconds. Enabling this option overrides the global settings configured in the AAA timers. If this is disabled, the global settings are used. | disabled | N/A | N/A |
| PAN Firewalls Integration | Requires IP mapping at Palo Alto Networks firewalls. | disabled | disabled | disabled |

The following procedure describes how to modify the default VPN authentication profile:

1. In the Mobility Master node hierarchy, navigate to the Configuration > System > Profiles tab.

2. In the All Profiles list, expand Wireless LAN > VPN Authentication > default VPN authentication profile.

3. From the Default Role drop-down list, select the default user role for authenticated VPN users. (For detailed information on creating and managing user roles and policies, see Roles and Policies.)

4. (Optional) Set Max Authentication failures to an integer value. The default value is 0, which disables this feature.

5. (Optional) If you use client certificates for user authentication, select the Check certificate common name against AAA server check box to verify that the certificate's common name exists in the server. This parameter is enabled by default in the default-cap and default-rap VPN profiles, and is disabled by default on all other VPN profiles.

6. (Optional) Regardless of how an authentication server is contacted, the Export VPN IP address as a route option causes any VPN client address to be exported to OSPF using IPC.

7. Enter a User idle timeout value, in seconds.

8. (Optional) Enabling PAN Firewall Integration requires IP mapping at Palo Alto Networks firewalls. (For more information about PAN firewall integration, see ArubaOS 8.6.0.0 Help Center.)

9. Click Submit.

10. Click Pending Changes.

11. In the Pending Changes window, select the check box and click Deploy changes.

12. In the All Profiles list, select the Server Group entry below the Wireless LAN > VPN Authentication > Default profile.

13. From the Server Group drop-down list, select the server group to be used for VPN authentication.

14. Click Submit.

15. Click Pending Changes.

16. In the Pending Changes window, select the check box and click Deploy changes.

The following CLI commands configure VPN authentication:

(host) [mm] (config) #aaa authentication vpn default

(host) ^[mm] (VPN Authentication Profile "default") #cert-cn-lookup

(host) ^[mm] (VPN Authentication Profile "default") #clone <source>

(host) ^[mm] (VPN Authentication Profile "default") #default-role <role>

(host) ^[mm] (VPN Authentication Profile "default") #export-route

(host) ^[mm] (VPN Authentication Profile "default") #max-authentication-failures <number>

(host) ^[mm] (VPN Authentication Profile "default") #pan-integration

(host) ^[mm] (VPN Authentication Profile "default") #radius-accounting <server_group_name>

(host) ^[mm] (VPN Authentication Profile "default") #server-group <group>

(host) ^[mm] (VPN Authentication Profile "default") #user-idle-timeout <seconds>
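As an added example (not ArubaOS code, and not part of this page's procedure), the script below audits the profile settings from Table 1 as they would appear in a saved configuration: it parses `aaa authentication vpn` blocks built from the CLI keywords listed above and flags a missing server-group, a profile that does not check the certificate common name, max-authentication-failures left at 0 (blacklisting disabled), and a user-idle-timeout outside the 30-15300 range or not a multiple of 30. The configuration text is constructed, and its layout (a quoted profile name on the opening line, indented parameters, a lone `!` closing the block) is an assumption modelled on the commands shown, not a documented ArubaOS export format.

```python
"""Audit 'aaa authentication vpn' profile blocks against the Table 1 settings.

Added example, not ArubaOS code. The config text below is constructed and its
layout is an assumption: a block opens with 'aaa authentication vpn "<name>"',
indented lines carry the profile parameters, and a lone '!' closes the block.
"""
import re

# Constructed sample of a configuration excerpt (assumed layout).
SAMPLE_CONFIG = """\
aaa authentication vpn "default"
    default-role "default-vpn-role"
    server-group "corp-radius"
    user-idle-timeout 300
!
aaa authentication vpn "contractors"
    default-role "guest-vpn-role"
    server-group "internal"
    max-authentication-failures 5
    cert-cn-lookup
    user-idle-timeout 45
!
"""

# Valid user-idle-timeout range from Table 1: 30-15300 in multiples of 30.
IDLE_MIN, IDLE_MAX, IDLE_STEP = 30, 15300, 30

BLOCK_RE = re.compile(r'^aaa authentication vpn "([^"]+)"$')


def parse_vpn_profiles(config_text):
    """Return {profile_name: {keyword: value}} for each vpn auth block.

    Flag-style keywords (cert-cn-lookup, export-route, pan-integration) are
    stored as True; keywords that take an argument keep the argument.
    """
    profiles = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = BLOCK_RE.match(line)
        if m:
            current = profiles.setdefault(m.group(1), {})
            continue
        if line == "!" or not line:
            current = None  # block closed
            continue
        if current is None:
            continue  # text outside any vpn auth block
        key, _, arg = line.partition(" ")
        current[key] = arg.strip().strip('"') if arg else True
    return profiles


def audit_profile(name, params):
    """Return a list of findings (strings) for one profile; empty means clean."""
    findings = []
    if "server-group" not in params:
        findings.append("no server-group: profile has no authentication server")
    if "cert-cn-lookup" not in params:
        findings.append("cert-cn-lookup not set: certificate common name is not "
                        "checked against the AAA server (matters when client "
                        "certificates are used)")
    if int(params.get("max-authentication-failures", 0)) == 0:
        findings.append("max-authentication-failures 0: blacklisting after "
                        "repeated failures is disabled")
    if "user-idle-timeout" in params:
        idle = int(params["user-idle-timeout"])
        if not (IDLE_MIN <= idle <= IDLE_MAX and idle % IDLE_STEP == 0):
            findings.append(f"user-idle-timeout {idle}: outside {IDLE_MIN}-"
                            f"{IDLE_MAX} or not a multiple of {IDLE_STEP}")
    return findings


def audit_config(config_text):
    """Map every profile name in the config text to its list of findings."""
    return {name: audit_profile(name, params)
            for name, params in parse_vpn_profiles(config_text).items()}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(f'profile "{name}":')
        for finding in findings or ["no findings"]:
            print("  -", finding)
```

On the constructed sample, the "default" profile yields two findings (no cert-cn-lookup, failures left at 0) and "contractors" yields one (idle timeout 45 is not a multiple of 30); a profile with all four settings in range yields none.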