Chapter 3 Authentication for FortiOS 5.0 : Configuring authenticated access : VPN authentication : Configuring authentication of remote IPsec VPN users : Configuring XAuth authentication
  
Configuring XAuth authentication
Extended Authentication (XAuth) increases security by requiring additional user authentication information in a separate exchange at the end of the VPN Phase 1 negotiation. The FortiGate unit asks the user for a username and password. It then forwards the user’s credentials (the password is encrypted) to an external RADIUS or LDAP server for verification.
XAuth can be used in addition to or in place of IPsec phase 1 peer options to provide access security through an LDAP or RADIUS authentication server. You must configure a dialup user group whose members are all externally authenticated.
To configure authentication for a dialup IPsec VPN - web-based manager
1. Configure the users who are permitted to use this VPN. Create a user group and add the users to the group.
For more information, see “Users and user groups”.
2. Go to VPN > IPsec > Auto Key (IKE).
3. Select Create Phase 1 and configure the basic VPN phase1 settings.
Remote Gateway must be Dialup User.
4. Select Advanced to reveal additional parameters and enter the following information.
XAuth: Select Enable as Server.
Server Type: Select PAP, CHAP, or AUTO. Use CHAP whenever possible. Use PAP with all implementations of LDAP and with other authentication servers that do not support CHAP, including some implementations of Microsoft RADIUS. Use AUTO with the Fortinet Remote VPN Client and where the authentication server supports CHAP but the XAuth client does not.
User Group: Select the user group that is to have access to the VPN. The list of user groups does not include any group that has members whose password is stored on the FortiGate unit.
5. Select OK.
For more information about XAUTH configuration, see the IPsec VPN chapter of this FortiOS Handbook.
To configure authentication for a dialup IPsec VPN - CLI example
The xauthtype and authusrgrp fields configure XAuth authentication.
config vpn ipsec phase1
    edit office_vpn
        set interface port1
        set type dynamic
        set psksecret yORRAzltNGhzgtV32jend
        set proposal 3des-sha1 aes128-sha1
        set peertype dialup
        set xauthtype pap
        set authusrgrp Group1
    next
end
Some parameters specific to setting up the VPN itself are not shown here. For detailed information about configuring IPsec VPNs, see the FortiOS Handbook IPsec VPN chapter.
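As an added example, not Fortinet code and not part of this Handbook, the following Python script audits the settings described in both procedures above. It parses a FortiOS-style `config vpn ipsec phase1` export and reports dialup (`type dynamic`) entries that have no XAuth server enabled, that enable XAuth without binding an `authusrgrp`, or that use PAP where CHAP is preferred. The sample configuration, its entry names and the PSK placeholder are constructed for this example; the assumption that an unset `xauthtype` behaves as `disable` is the example's, not a statement from this page.

```python
"""Audit FortiOS phase1 dialup entries for XAuth settings (constructed example)."""
import shlex

# Constructed sample config export, not taken from a real FortiGate.
# Entry names and the PSK placeholder are made up for this example.
SAMPLE_CONFIG = """\
config vpn ipsec phase1
    edit "office_vpn"
        set interface "port1"
        set type dynamic
        set peertype dialup
        set psksecret ENC PLACEHOLDER
        set xauthtype pap
        set authusrgrp "Group1"
    next
    edit "chap_vpn"
        set interface "port1"
        set type dynamic
        set peertype dialup
        set xauthtype chap
        set authusrgrp "Group1"
    next
    edit "no_group_vpn"
        set interface "port1"
        set type dynamic
        set peertype dialup
        set xauthtype chap
    next
    edit "legacy_dialup"
        set interface "port1"
        set type dynamic
        set peertype dialup
    next
    edit "site_to_site"
        set interface "port2"
        set type static
        set remote-gw 203.0.113.10
    next
end
"""


def parse_fortios_config(text):
    """Parse FortiOS CLI text into nested dicts.

    `config`/`edit` open a nested dict, `set key v1 v2` stores a list of
    values, `unset` removes a key, and `next`/`end` close the current level.
    The result for one table looks like {"vpn ipsec phase1": {name: {key: [values]}}}.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        cmd, args = tokens[0], tokens[1:]
        if cmd in ("config", "edit"):
            child = stack[-1].setdefault(" ".join(args), {})
            stack.append(child)
        elif cmd == "set":
            stack[-1][args[0]] = args[1:]
        elif cmd == "unset":
            stack[-1].pop(args[0], None)
        elif cmd in ("next", "end") and len(stack) > 1:
            stack.pop()
    return root


def audit_phase1_xauth(config_text):
    """Return {phase1_name: finding} for every dialup phase1 entry."""
    table = parse_fortios_config(config_text).get("vpn ipsec phase1", {})
    findings = {}
    for name, entry in table.items():
        if not isinstance(entry, dict):
            continue
        # "set type dynamic" is the CLI form of Remote Gateway = Dialup User.
        if entry.get("type", ["static"])[0] != "dynamic":
            continue
        # Assumption: an unset xauthtype behaves as "disable".
        xauth = entry.get("xauthtype", ["disable"])[0]
        group = entry.get("authusrgrp", [""])[0]
        if xauth in ("disable", "client"):
            findings[name] = "dialup phase1 without XAuth server: peers are checked by phase 1 credentials only"
        elif not group:
            findings[name] = "XAuth enabled but no authusrgrp set: no externally authenticated user group is bound"
        elif xauth == "pap":
            findings[name] = "XAuth uses PAP: prefer CHAP unless the server or client cannot support it"
        else:
            findings[name] = "ok"
    return findings


if __name__ == "__main__":
    for phase1, finding in audit_phase1_xauth(SAMPLE_CONFIG).items():
        print(f"{phase1}: {finding}")
```

Run it against a saved `show vpn ipsec phase1` export instead of `SAMPLE_CONFIG` to review every dialup tunnel on a unit in one pass; static (site-to-site) entries are skipped because XAuth only applies to the dialup case the page describes.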