ArubaOS 8.6.0.0 Help Center

Configuring a VPN for Smart Card Clients

This section describes how to configure a remote access VPN on a managed device for Microsoft L2TP/IPsec clients with smart cards. A smart card holds a digital certificate, allowing user-level authentication without the user entering a username and password. L2TP/IPsec requires two levels of authentication: IKE SA (machine) authentication, and user-level authentication with an IKEv2-based or PPP-based authentication protocol.

Microsoft clients running Windows 7 and later support both IKEv1 and IKEv2. Microsoft clients using IKEv2 support machine authentication with RSA certificates (but not ECDSA certificates or pre-shared keys) and smart card user-level authentication with EAP-TLS over IKEv2.

Windows 7 and later clients without smart cards also support user password authentication using EAP-MSCHAPv2 or PEAP-MSCHAPv2.

Working with Smart Card clients using IKEv2

To configure a VPN for Windows 7 and later clients using smart cards and IKEv2, follow the procedure described in Configuring a VPN for L2TP/IPsec with IKEv2, and ensure that the following settings are configured:

- L2TP is enabled
- User authentication is set to EAP-TLS
- The IKE policy is configured for ECDSA or RSA certificate authentication

For Windows clients, that means RSA: as noted above, Microsoft IKEv2 clients do not support ECDSA certificates for machine authentication, so an IKE policy that only offers ECDSA will not complete IKE SA authentication with them.

Working with Smart Card Clients using IKEv1

Microsoft clients using IKEv1, including clients running Windows Vista or earlier versions of Windows, only support machine authentication using a PSK. In this scenario, user-level authentication is performed by an external RADIUS server using PPP EAP-TLS, with the client and server certificates exchanged in the EAP-TLS handshake. During authentication, EAP-TLS messages from the client are encapsulated in RADIUS messages and forwarded to the server: the managed device acts as the RADIUS client and relays the EAP conversation rather than terminating it.
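The relay step described above, as an added example that is not ArubaOS code: a gateway builds a RADIUS Access-Request carrying an EAP-Response/EAP-TLS packet in EAP-Message attributes (fragmented at 253 bytes) protected by a Message-Authenticator, and the server side verifies the HMAC before reassembling the EAP packet. The shared secret, NAS identifier, user name and TLS bytes are constructed sample values; the packet layouts follow RFC 2865, RFC 3579, RFC 3748 and RFC 5216.

```python
"""Encapsulate a smart card client's EAP-TLS message in RADIUS (added example, not ArubaOS code)."""
import hashlib
import hmac
import os
import struct

# RADIUS code and attribute types (RFC 2865 / RFC 3579)
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IDENTIFIER = 32
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80

# EAP code, EAP-TLS type and flag bits (RFC 3748 / RFC 5216)
EAP_RESPONSE = 2
EAP_TYPE_TLS = 13
EAP_TLS_FLAG_LENGTH_INCLUDED = 0x80
EAP_TLS_FLAG_MORE = 0x40


def eap_tls_response(identifier, tls_data, total_len=None, more=False):
    """Build one EAP-Response/EAP-TLS packet: Code, Id, Length, Type, Flags, [TLS length], TLS data."""
    flags, body = 0, b""
    if total_len is not None:              # L bit: first fragment announces total TLS message length
        flags |= EAP_TLS_FLAG_LENGTH_INCLUDED
        body += struct.pack("!I", total_len)
    if more:                               # M bit: further fragments follow
        flags |= EAP_TLS_FLAG_MORE
    type_data = bytes([EAP_TYPE_TLS, flags]) + body + tls_data
    return struct.pack("!BBH", EAP_RESPONSE, identifier, 4 + len(type_data)) + type_data


def _attr(attr_type, value):
    """Encode a RADIUS attribute TLV; values are limited to 253 bytes."""
    assert len(value) <= 253, "RADIUS attribute value limited to 253 bytes"
    return bytes([attr_type, len(value) + 2]) + value


def radius_access_request(secret, identifier, request_authenticator, user_name, nas_id, eap_packet):
    """Gateway side: wrap an EAP packet in Access-Request with EAP-Message + Message-Authenticator."""
    attrs = _attr(ATTR_USER_NAME, user_name.encode()) + _attr(ATTR_NAS_IDENTIFIER, nas_id.encode())
    # RFC 3579 3.1: EAP packets longer than 253 bytes span several consecutive EAP-Message attributes
    for i in range(0, len(eap_packet), 253):
        attrs += _attr(ATTR_EAP_MESSAGE, eap_packet[i:i + 253])
    # RFC 3579 3.2: Message-Authenticator is mandatory with EAP-Message; HMAC-MD5 over the whole
    # packet (including the Request Authenticator) with the attribute value zeroed, keyed by the secret
    attrs += _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_authenticator
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac


def parse_attributes(packet):
    """Return the (type, value) list of a RADIUS packet, checking the declared length."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    assert length == len(packet), "RADIUS length field does not match packet size"
    attrs, pos = [], 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        assert attr_len >= 2, "malformed attribute length"
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return attrs


def verify_and_extract_eap(secret, packet):
    """Server side: verify Message-Authenticator, then reassemble the EAP packet.

    Returns None when the attribute is missing or the HMAC does not match, i.e. the
    request did not come from a NAS holding the shared secret or was modified in transit.
    """
    attrs = parse_attributes(packet)
    zeroed, pos, received_mac = bytearray(packet), 20, None
    for attr_type, value in attrs:
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            received_mac = value
            zeroed[pos + 2:pos + 18] = bytes(16)   # zero the value in place before recomputing
        pos += 2 + len(value)
    if received_mac is None:
        return None
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    if not hmac.compare_digest(expected, received_mac):
        return None
    return b"".join(value for attr_type, value in attrs if attr_type == ATTR_EAP_MESSAGE)


def demo():
    """Round-trip one oversized EAP-TLS fragment through the gateway and server code paths."""
    secret = b"constructed-radius-secret"                      # constructed sample secret
    tls_fragment = b"\x16\x03\x03" + bytes(300)                # constructed stand-in for a TLS record
    eap = eap_tls_response(7, tls_fragment, total_len=len(tls_fragment) + 100, more=True)
    req = radius_access_request(secret, 42, os.urandom(16), "user@example.com", "vpn-gw-1", eap)
    recovered = verify_and_extract_eap(secret, req)            # correct secret: EAP packet comes back
    rejected = verify_and_extract_eap(b"wrong-secret", req)    # wrong secret: request is rejected
    return recovered == eap, rejected is None


if __name__ == "__main__":
    print(demo())
```

The server never sees the smart card's private key; it sees only the TLS handshake bytes the client produced, which is why the client certificate and server certificate are exchanged inside EAP-TLS while the RADIUS shared secret only authenticates the gateway-to-server hop.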

Configure the L2TP/IPsec VPN with EAP as the PPP authentication protocol, and configure the IKE policy for pre-shared key authentication of the SA.

On the RADIUS server, configure a remote access policy that allows EAP authentication for smart card users and select a server certificate. The user entry in Microsoft Active Directory must be configured for smart cards.

To configure an L2TP/IPsec VPN for clients using smart cards and IKEv1, ensure that the following settings are configured:

1. On the RADIUS server, configure a remote access policy that allows EAP authentication for smart card users, and select a server certificate. The user entry in Microsoft Active Directory must be configured for smart cards. (For detailed information on creating and managing user roles and policies, see Roles and Policies.)

2. Ensure that the RADIUS server is part of the server group used for VPN authentication.

3. Configure the other VPN settings as described in Configuring a VPN for L2TP/IPsec with IKEv2, while selecting the following options:

- Select the L2TP check box.
- Select the EAP check box for the Authentication Protocol.
- Define an IKE Shared Secret to be used for machine authentication. (To make the IKE key global, specify 0.0.0.0 for both the subnet and the subnet mask.)
- Configure the IKE policy for pre-share authentication.

A global IKE shared secret is a single PSK known to every IKEv1 client, so machine authentication in this mode only proves possession of that group secret; the EAP-TLS exchange against the RADIUS server is what ties the session to an individual smart card holder, and the shared secret should be treated accordingly (unique per deployment, long, and rotated when a client device is lost).
