Netgear FVS318Gv2 – ProSAFE VPN Firewall Series Reference Manual

Manage Users, Authentication, and VPN Certificates 
286
NETGEAR ProSAFE VPN Firewall FVS318G v2 
The VPN Firewall’s Authentication Process and Options
Users are assigned to a group, and a group is assigned to a domain. Therefore, you must 
first create any domains, then groups, and then user accounts.
You must create name and password accounts for all users who must be able to connect to 
the VPN firewall. This includes administrators and guests. Accounts for IPSec VPN clients 
are required only if you enable extended authentication (XAUTH) in your IPSec VPN 
configuration.
Users connecting to the VPN firewall must be authenticated before being allowed to access 
the VPN firewall or the VPN-protected network. The login screen that is presented to the user 
requires three items: a user name, a password, and a domain selection. The domain 
determines the authentication method that is used. 
Except in the case of IPSec VPN users, when you create a user account, you must specify a 
group. When you create a group, you must specify a domain.
IPSec VPN and L2TP users do not belong to a domain and are not assigned to a group.
Do not confuse the authentication groups with the LAN groups. For more information, see 
The following table summarizes the external authentication protocols and methods that the 
VPN firewall supports.
Table 65.  External authentication protocols and methods (authentication protocol or method, followed by its description)

PAP: Password Authentication Protocol (PAP) is a simple protocol in which the client sends a password in clear text.

CHAP: Challenge Handshake Authentication Protocol (CHAP) executes a three-way handshake in which the client and server trade challenge messages, each responding with a hash of the other’s challenge message that is calculated using a shared secret value.

RADIUS: A network-validated PAP or CHAP password-based authentication method that functions with Remote Authentication Dial In User Service (RADIUS).

MIAS: A network-validated PAP or CHAP password-based authentication method that functions with Microsoft Internet Authentication Service (MIAS), which is a component of Microsoft Windows 2003 Server.

WiKID: WiKID Systems is a PAP or CHAP key-based two-factor authentication method that functions with public key cryptography. The client sends an encrypted PIN to the WiKID server and receives a one-time passcode with a short expiration period. The client logs in with the passcode. For more about WiKID authentication, see 

NT Domain: A network-validated domain-based authentication method that functions with a Microsoft Windows NT Domain authentication server. This authentication method was superseded by Microsoft Active Directory authentication but is supported to authenticate legacy Windows clients.
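The following added example (not from the manual or from NETGEAR) contrasts the PAP and CHAP entries in the table above: PAP places the password itself on the wire, while CHAP answers a server challenge with a hash of the shared secret, so the secret never travels. It assumes the MD5 construction of RFC 1994 (MD5 over identifier, secret and challenge), which the manual does not specify, and a constructed secret and user name.

```python
import hashlib
import hmac
import os

# Constructed shared secret for this example; on the firewall it comes from the user database.
SECRET = b"example-shared-secret"


def chap_challenge(length: int = 16) -> bytes:
    """Server side: a fresh random challenge for each login attempt (RFC 1994 Challenge)."""
    return os.urandom(length)


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Client side: MD5(identifier || secret || challenge), per RFC 1994 section 4.
    Only this digest is sent; the secret itself stays off the wire."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def chap_verify(identifier: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute the expected digest and compare in constant time."""
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def pap_request(username: bytes, password: bytes) -> bytes:
    """PAP Authenticate-Request body: length-prefixed peer id and clear-text password."""
    return bytes([len(username)]) + username + bytes([len(password)]) + password


def secret_on_wire(packet: bytes, secret: bytes) -> bool:
    """Would a passive observer see the secret in this packet?"""
    return secret in packet


def run_handshake(secret: bytes = SECRET, identifier: int = 1):
    """Full CHAP exchange plus a replay check: the same response against a new
    challenge must be rejected, which is what the per-login challenge buys you."""
    challenge = chap_challenge()
    response = chap_response(identifier, secret, challenge)
    accepted = chap_verify(identifier, secret, challenge, response)
    replayed = chap_verify(identifier, secret, chap_challenge(), response)
    return accepted, replayed
```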