Working with VPN Authentication Profiles

VPNVirtual Private Network. VPN enables secure access to a corporate network when located remotely. It enables a computer to send and receive data across shared or public networks as if it were directly connected to the private network, while benefiting from the functionality, security, and management policies of the private network. This is done by establishing a virtual point-to-point connection through the use of dedicated connections, encryption, or a combination of the two.authentication profiles identify an authentication server, the server group to which the authentication server belongs to, and a user-role for authenticatedVPNVirtual Private Network. VPN enables secure access to a corporate network when located remotely. It enables a computer to send and receive data across shared or public networks as if it were directly connected to the private network, while benefiting from the functionality, security, and management policies of the private network. This is done by establishing a virtual point-to-point connection through the use of dedicated connections, encryption, or a combination of the two.客户。There are three predefinedVPNVirtual Private Network. VPN enables secure access to a corporate network when located remotely. It enables a computer to send and receive data across shared or public networks as if it were directly connected to the private network, while benefiting from the functionality, security, and management policies of the private network. This is done by establishing a virtual point-to-point connection through the use of dedicated connections, encryption, or a combination of the two.authentication profiles:default,default-rap, anddefault-cap。这些不同的配置文件允许you to use different authentication servers, user roles, and IP pools forVPNVirtual Private Network. VPN enables secure access to a corporate network when located remotely. It enables a computer to send and receive data across shared or public networks as if it were directly connected to the private network, while benefiting from the functionality, security, and management policies of the private network. This is done by establishing a virtual point-to-point connection through the use of dedicated connections, encryption, or a combination of the two.,remote APRemote APs extend corporate network to the users working from home or at temporary work sites. Remote APs are deplyed at branch office sites and are connected to the central network on a WAN link., andcampus APCampus APs are used in private networks where APs connect over private links (LAN, WLAN, WAN or MPLS) and terminate directly on controllers. Campus APs are deployed as part of the indoor campus solution in enterprise office buildings, warehouses, hospitals, universities, and so on.客户。

You can configure thedefaultanddefault-rapprofiles, but not thedefault-capprofile.

Table 1:Predefined Authentication Profile settings

Parameter	Description	default	default-rap	default-cap
Default Role for authenticated users	The role that is assigned to the authenticated users.	default-vpn-role	default-vpn-role	sys-ap-role 0
Maximum allowed authentication failures	The number of contiguous authentication failures before the station is blacklisted.	0 (feature is disabled)	0 (feature is disabled)	0 (feature is disabled)
Check certificate common name againstAAAAuthentication, Authorization, and Accounting. AAA is a security framework to authenticate users, authorize the type of access based on user credentials, and record authentication events and information about the network access and network resource consumption.server	When enabled, this feature verifies that the certificate's common name exists in the server.	disabled	enabled	enabled
ExportVPNVirtual Private Network. VPN enables secure access to a corporate network when located remotely. It enables a computer to send and receive data across shared or public networks as if it were directly connected to the private network, while benefiting from the functionality, security, and management policies of the private network. This is done by establishing a virtual point-to-point connection through the use of dedicated connections, encryption, or a combination of the two.IP address as a route	When enabled, this feature causes anyVPNVirtual Private Network. VPN enables secure access to a corporate network when located remotely. It enables a computer to send and receive data across shared or public networks as if it were directly connected to the private network, while benefiting from the functionality, security, and management policies of the private network. This is done by establishing a virtual point-to-point connection through the use of dedicated connections, encryption, or a combination of the two.client address to be exported toOSPFOpen Shortest Path First. OSPF is a link-state routing protocol for IP networks. It uses a link-state routing algorithm and falls into the group of interior routing protocols that operates within a single Autonomous System (AS).using IPC. NOTE:TheFramed-IP-Addressattribute is assigned the IP address as long as the any server returns the attribute. TheFramed-IP-Addressvalue always has a higher priority than the local address pool.	enabled	enabled	enabled
User idle timeout	The user idle timeout value for this profile. Specify the idle timeout value for the client in seconds. Valid range is 30-15300 in multiples of 30 seconds. Enabling this option overrides the global settings configured in theAAAAuthentication, Authorization, and Accounting. AAA is a security framework to authenticate users, authorize the type of access based on user credentials, and record authentication events and information about the network access and network resource consumption.timers. If this is disabled, the global settings are used.	disabled	N/A	N/A
PANfirewallsFirewall is a network security system used for preventing unauthorized access to or from a private network.Integration	Requires IP mapping at Palo Alto NetworksfirewallsFirewall is a network security system used for preventing unauthorized access to or from a private network.。	disabled	disabled	disabled

The following procedure describes how to modify thedefaultVPNVirtual Private Network. VPN enables secure access to a corporate network when located remotely. It enables a computer to send and receive data across shared or public networks as if it were directly connected to the private network, while benefiting from the functionality, security, and management policies of the private network. This is done by establishing a virtual point-to-point connection through the use of dedicated connections, encryption, or a combination of the two.authentication profile:

1.In theMobility Masternode hierarchy, navigate to theConfiguration > System > Profilestab.

2.In theAll Profileslist, expand无线局域网> VPNAuthentication >defaultVPNVirtual Private Network. VPN enables secure access to a corporate network when located remotely. It enables a computer to send and receive data across shared or public networks as if it were directly connected to the private network, while benefiting from the functionality, security, and management policies of the private network. This is done by establishing a virtual point-to-point connection through the use of dedicated connections, encryption, or a combination of the two.authentication profile.

3.From theDefault Roledrop-down list, select the default user role for authenticatedVPNVirtual Private Network. VPN enables secure access to a corporate network when located remotely. It enables a computer to send and receive data across shared or public networks as if it were directly connected to the private network, while benefiting from the functionality, security, and management policies of the private network. This is done by establishing a virtual point-to-point connection through the use of dedicated connections, encryption, or a combination of the two.users. (For detailed information on creating and managing user roles and policies, seeRoles and Policies。)

4.(Optional) SetMax Authentication failuresto an integer value. The default value is 0, which disables this feature.

5.(Optional) If you use client certificates for user authentication, select theCheck certificate common name against AAA servercheck box to verify that the certificate's common name exists in the server. This parameter is enabled by default in thedefault-capanddefault-rapVPNVirtual Private Network. VPN enables secure access to a corporate network when located remotely. It enables a computer to send and receive data across shared or public networks as if it were directly connected to the private network, while benefiting from the functionality, security, and management policies of the private network. This is done by establishing a virtual point-to-point connection through the use of dedicated connections, encryption, or a combination of the two.profiles, and is disabled by default on all otherVPNVirtual Private Network. VPN enables secure access to a corporate network when located remotely. It enables a computer to send and receive data across shared or public networks as if it were directly connected to the private network, while benefiting from the functionality, security, and management policies of the private network. This is done by establishing a virtual point-to-point connection through the use of dedicated connections, encryption, or a combination of the two.profiles.

6.(Optional) Regardless of how an authentication server is contacted, theExport VPN IP address as a routeoption causes anyVPNVirtual Private Network. VPN enables secure access to a corporate network when located remotely. It enables a computer to send and receive data across shared or public networks as if it were directly connected to the private network, while benefiting from the functionality, security, and management policies of the private network. This is done by establishing a virtual point-to-point connection through the use of dedicated connections, encryption, or a combination of the two.client address to be exported toOSPFOpen Shortest Path First. OSPF is a link-state routing protocol for IP networks. It uses a link-state routing algorithm and falls into the group of interior routing protocols that operates within a single Autonomous System (AS).using IPC.

7.Enter aUser idle timeoutvalue, in seconds.

8.(Optional) EnablingPAN Firewall Integrationrequires IP mapping at Palo Alto NetworksfirewallsFirewall is a network security system used for preventing unauthorized access to or from a private network.。(For more information about PANfirewallFirewall is a network security system used for preventing unauthorized access to or from a private network.integration, seePAN Firewall Integration。)

9.ClickSubmit。

10.ClickPending Changes。

11.In thePending Changeswindow, select the check box and clickDeploy changes。

12.In theAll Profileslist, select theServer Groupentry below the无线局域网> VPNAuthentication > Defaultprofile.

13.From theServer Groupdrop-down list, select the server group to be used forVPNVirtual Private Network. VPN enables secure access to a corporate network when located remotely. It enables a computer to send and receive data across shared or public networks as if it were directly connected to the private network, while benefiting from the functionality, security, and management policies of the private network. This is done by establishing a virtual point-to-point connection through the use of dedicated connections, encryption, or a combination of the two.authentication.

14.ClickSubmit。

15.ClickPending Changes。

16.In thePending Changeswindow, select the check box and clickDeploy changes。

The followingCLICommand-Line Interface. A console interface with a command line shell that allows users to execute text input as commands and convert these commands to appropriate functions.命令配置VPNVirtual Private Network. VPN enables secure access to a corporate network when located remotely. It enables a computer to send and receive data across shared or public networks as if it were directly connected to the private network, while benefiting from the functionality, security, and management policies of the private network. This is done by establishing a virtual point-to-point connection through the use of dedicated connections, encryption, or a combination of the two.authentication:

(host) [mm] (config) #aaa authentication vpn default

(host) ^[mm] (VPN Authentication Profile "default") #cert-cn-lookup

(host) ^[mm] (VPN Authentication Profile "default") #clone

(host) ^[mm] (VPN Authentication Profile "default") #default-role <role>

(host) ^[mm] (VPN Authentication Profile "default") #export-route

(host) ^[mm] (VPN Authentication Profile "default") #max-authentication-failures <number>

(host) ^[mm] (VPN Authentication Profile "default") #pan-integration

(host) ^[mm] (VPN Authentication Profile "default") #radius-accounting <server_group_name>

(host) ^[mm] (VPN Authentication Profile "default") #server-group <group>

(host) ^[mm] (VPN Authentication Profile "default") #user-idle-timeout <seconds>