IPsec VPN users
If users access your network using an IPsec VPN, you can implement two-factor authentication by enabling extended authentication (XAUTH). This requires the user to enter a password in addition to the VPN authentication provided by the certificate or pre-shared key. As PCI DSS requires each user to have a unique identifier, you should already have user accounts and user groups defined.
To configure XAUTH on your VPN
1. Go to VPN > IPsec > Auto Key (IKE) and edit your Phase 1 configuration.
2. Select Advanced.
3. In XAUTH, select Enable as Server.
   Note: Enable as Server is available only if Remote Gateway is Dialup User.
4. Set Server Type to PAP, CHAP, or AUTO as appropriate.
5. Select the User Group to which the VPN users belong.
6. Select OK.
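
To confirm the result of the procedure above across every dialup tunnel, the following added example (not part of the original handbook page and not Fortinet code) audits a configuration backup for Phase 1 entries that lack XAUTH server mode or a user group. It assumes the FortiOS CLI keywords `type dynamic`, `xauthtype` and `authusrgrp` correspond to the Dialup User, XAUTH and User Group fields, which the page itself does not show, so check them against the CLI reference for your firmware; the sample configuration and the function names are constructed for illustration.

```python
# Constructed sample of a FortiGate configuration backup (not from the page).
SAMPLE_CONFIG = '''\
config vpn ipsec phase1-interface
    edit "dialup-xauth"
        set type dynamic
        set xauthtype auto
        set authusrgrp "cde-vpn-users"
    next
    edit "dialup-psk-only"
        set type dynamic
    next
    edit "dialup-no-group"
        set type dynamic
        set xauthtype chap
    next
    edit "site-to-site"
        set remote-gw 192.0.2.10
    next
end
'''

SERVER_MODES = {"pap", "chap", "auto"}  # the "Enable as Server" server types

def parse_phase1(config_text):
    """Return {tunnel_name: {keyword: value}} for every Phase 1 entry."""
    tunnels, depth, current = {}, 0, None
    for line in map(str.strip, config_text.splitlines()):
        if depth == 0:  # outside: enter on a phase1 / phase1-interface table
            depth = int(line.startswith("config vpn ipsec phase1"))
        elif line.startswith("config "):
            depth += 1  # nested table inside a tunnel entry, skipped
        elif line == "end":
            depth -= 1
        elif depth == 1 and line.startswith("edit "):
            current = tunnels.setdefault(line[5:].strip('"'), {})
        elif depth == 1 and line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")
            current[key] = value.strip('"')
    return tunnels

def audit_xauth(config_text):
    """List dialup tunnels that lack XAUTH server mode or a user group."""
    findings = []
    for name, cfg in parse_phase1(config_text).items():
        dialup = cfg.get("type") == "dynamic"  # Remote Gateway = Dialup User
        if dialup and cfg.get("xauthtype", "disable") not in SERVER_MODES:
            findings.append((name, "XAUTH server mode not enabled"))
        elif dialup and not cfg.get("authusrgrp"):
            findings.append((name, "no XAUTH user group selected"))
    return findings
```

Calling `audit_xauth()` on the text of a backup returns one `(tunnel, problem)` pair per dialup tunnel that still relies on the certificate or pre-shared key alone; an empty list means every dialup Phase 1 has XAUTH and a user group set.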