Nortel Networks 620 User Manual
Chapter 6
Advanced Features
E-DOC-CTC-20051017-0169 v0.1
176
6.3 Extended Authentication (XAuth)
What is ...
Extended Authentication, commonly referred to as the XAuth protocol, allows for
performing extra user authentication. A typical practical example is the mixed use
of IKE tunnel negotiation using preshared key as authentication method and on top
of that doing Extended Authentication.
performing extra user authentication. A typical practical example is the mixed use
of IKE tunnel negotiation using preshared key as authentication method and on top
of that doing Extended Authentication.
The VPN client functionality built in the SpeedTouch™ supports the (optional) use
of XAuth. It acts as a XAuth client. In order to use this functionality, it needs to be
connected to a remote IPSec gateway capable of handling the XAuth protocol.
of XAuth. It acts as a XAuth client. In order to use this functionality, it needs to be
connected to a remote IPSec gateway capable of handling the XAuth protocol.
The VPN server functionality built in the SpeedTouch™ also supports the use of
XAuth as an XAuth server. It uses an internal list of authorized users.
XAuth as an XAuth server. It uses an internal list of authorized users.
How does it work
After the Phase 1 negotiation has been successful (1), the remote IPSec gateway will
request the XAuth username and password (2). Typically, the remote IPSec device
will now contact a RADIUS server (3) to check for the credentials. If the XAuth
authentication is successful, Phase 2 tunnel setup (4) will be initiated.
request the XAuth username and password (2). Typically, the remote IPSec device
will now contact a RADIUS server (3) to check for the credentials. If the XAuth
authentication is successful, Phase 2 tunnel setup (4) will be initiated.
In the CLI, the XAuth settings are found in the VPNCLIENT and VPNSERVER
command groups.
command groups.
The VPN server in the SpeedTouch™ uses an internal list of authorized
users. It does not need a RADIUS server to check the credentials.
users. It does not need a RADIUS server to check the credentials.
Phase 1
negotiation
XAuth
authentication
Phase 2
negotiation
RADIUS
authentication
RADIUS
server
Remote IPSec
gateway
SpeedTouch
620
Black network