Manage Users, Authentication, and VPN Certificates
ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308
The VPN Firewall’s Authentication Process and Options
Users are assigned to a group, and a group is assigned to a domain. Therefore, you should
first create any domains, then groups, then user accounts.
Note: Do not confuse the authentication groups with the LAN groups that
are described in Manage IPv4 Groups and Hosts (IPv4 LAN Groups)
on page 96.
You need to create name and password accounts for all users who need to be able to
connect to the VPN firewall. This includes administrators, guests, and SSL VPN clients.
Accounts for IPSec VPN clients are required only if you have enabled extended
authentication (XAUTH) in your IPSec VPN configuration.
Users connecting to the VPN firewall need to be authenticated before being allowed to
access the VPN firewall or the VPN-protected network. The login screen that is presented to
the user requires three items: a user name, a password, and a domain selection. The domain
determines the authentication method that is used and, for SSL connections, the portal layout
that is presented.
Note: IPSec VPN, L2TP, and PPTP users do not belong to a domain and
are not assigned to a group.
Except in the case of IPSec VPN users, when you create a user account, you need to specify
a group. When you create a group, you need to specify a domain.
The following table summarizes the external authentication protocols and methods that the
VPN firewall supports.
Table 75. External authentication protocols and methods
Authentication
Protocol or Method   Description
PAP                  Password Authentication Protocol (PAP) is a simple protocol in which the
                     client sends a password in clear text.
CHAP                 Challenge Handshake Authentication Protocol (CHAP) executes a three-way
                     handshake in which the client and server trade challenge messages, each
                     responding with a hash of the other’s challenge message that is
                     calculated using a shared secret value.
RADIUS               A network-validated PAP or CHAP password-based authentication method
                     that functions with Remote Authentication Dial In User Service (RADIUS).
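
The difference between the PAP and CHAP rows above, as an added example that is not part of the NETGEAR manual or the firewall's firmware. It assumes the one-way CHAP form from RFC 1994 (response = MD5 of identifier, shared secret, and challenge) and the PAP request layout from RFC 1334; the class, function names, user name, and secret are constructed for illustration.

```python
import hashlib
import hmac
import os

def chap_response(identifier, secret, challenge):
    """RFC 1994 response value: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def pap_wire(user, password):
    """RFC 1334 Authenticate-Request data: the password itself crosses the link."""
    return bytes([len(user)]) + user + bytes([len(password)]) + password

class Authenticator:
    """Server side of CHAP: issues one-time challenges and checks responses."""
    def __init__(self, secrets):
        self.secrets = secrets      # user name -> shared secret (bytes)
        self.pending = {}           # user name -> (identifier, challenge)
        self.next_id = 0

    def challenge(self, user):
        ident = self.next_id
        self.next_id = (self.next_id + 1) % 256    # Identifier is one octet
        chal = os.urandom(16)                      # fresh, unpredictable value
        self.pending[user] = (ident, chal)
        return ident, chal

    def verify(self, user, ident, response):
        issued = self.pending.pop(user, None)      # a challenge is usable once
        secret = self.secrets.get(user)
        if issued is None or secret is None or issued[0] != ident:
            return False
        expected = chap_response(ident, secret, issued[1])
        return hmac.compare_digest(expected, response)

def demo():
    secret = b"constructed-secret"                 # constructed sample value
    server = Authenticator({"alice": secret})
    ident, chal = server.challenge("alice")
    resp = chap_response(ident, secret, chal)
    first = server.verify("alice", ident, resp)    # genuine response
    replay = server.verify("alice", ident, resp)   # same response sent again
    ident2, _ = server.challenge("alice")
    stale = server.verify("alice", ident2, resp)   # old response, new challenge
    pap_leaks = secret in pap_wire(b"alice", secret)
    chap_leaks = secret in (chal + resp)
    return first, replay, stale, pap_leaks, chap_leaks

if __name__ == "__main__":
    print(demo())
```

A captured CHAP response is only valid for the challenge it answers, while a captured PAP request contains the password, which is why PAP should only be carried inside an already protected channel.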