Avaya 3.7 User Manual

3.14 Mb

Using Policy Manager for user configuration

A Client IP Address Pool is a range ofsource IP addresses that is recognized by an ACD. The pool is stored in the security gateway, so when it recognizes an inbound packet from a VPNremote Client, it swaps the source address with one from the pool. When the security gateway recognizes an outbound packet having a pooled address, it changes the destination address to the remote client’s address.

A security gateway can be configured with multiple pools. When selecting a list of source addresses to pool, choose ranges that are not used by thedestination network.

Figure 40: Policy Manager - Client IP address pool

Add Client IP address pool

From the Policy Manager properties you select Client IP Configuration to make add new client IP addresses. At the top of the screen is the target security gateway to which this address pool resides.

For VPNos 4.2 and earlier, you enter the starting address of the range in the Client IP Address, Range Start field, followed by the ending address of the range in the Range End field. Up to 20 non-contiguousIP address ranges of any size may be entered (depends on security gateway memory available).

For VPNos 4.31, you enter the IP address and mask.

Add Client DNS

The Client DNS address entered here is sent to the security gateway that is used for the VPNremote virtual adapter configuration. This information is then sent to the VPNremote Client through CCD. Three Client DNS addresses can be configured in the VPNmanager.

Issue 4 May 2005 121

Configuring remote access users

Add Client WINS

The Client WINS address entered here is sent to the security gateway that is used for the VPNremote virtual adapter configuration. This information is then sent to the VPNremote Client through CCD. Two Client WINS address can be configured in the VPNmanager.

To configure the Client IP configuration

1.From the Configure Consolewindow, go to Tools>Policy Manager.

2.From the Select Object Name list, select the security gateway to be configured.

3.From the Type of Policylist, select IP Client Configuration.

4.In the Current Client IP Address Pool Policyarea, click Add.

5.In the Range Start text boxes, type in the address forlower boundary of the address pool.

6.In the Range End text boxes, type in the address forupper boundary of the address pool.

7.Click Apply. The contents are then cleared from the Add screen allowing for the next entry. Repeat the process until you have entered all required Client IP Address.

8.Click Close to return to thePolicy Manager forClient IP Address Pools window.

9.The new pool is seen in the Current Client IP Address Pool list.

10.(Optional) If a client DNS address should be configured, in the Client DNS area enter the DNS address and clickAdd. Up to three client DNS addresses can be configured.

11.(Optional) If Client WINS should be configured, enter the WINS address to use for VPNremote virtual adapter configuration. Two Client WINS addresses can be configured.

12.Click Save.

13.Click Close to return to theConfiguration Console window.

14.When you want to send the configuration to the security gateway, click Update Device.

Configuring client attributes

From Policy Manager Client Attributes property, you can configure a message that remote users see every time they log in and specify the brand name used for VPNRemote Client.

Creating a message

The message you create can be a legal message about company policy for using the network or any other type of message to communicate information when remote users log in. This message can be configured so that remote users are required to accept the message before the log in is complete.

122 Avaya VPNmanager Configuration Guide Release 3.7

Using Policy Manager for user configuration

Figure 41: Policy Manager for client attributes

Enable Client Legal Message. - The check box is used to enable the Client legal message. The default is disabled.

Require Acceptance. - SelectYes to require the remote user to accept the message before log on is authenticated. SelectNo if the message is to be displayed, but the remote user is not required to accept the message to authenticate to the security gateway. The default is No.

Message Text. - In the Message Text box, type the message that should be displayed. Default messages are not included in the VPNmanager software.

Enforce brand name

VPNmanager allows administrators to restrict access to remote users by specifying client brands. The default is Allow any brand. The Administrator can allow any brand name or can restrict access by specifying a brand name. However, in order for this feature to work correctly the brand name must be specified in VPNmanager and in the Avaya VPNremote Client. To customize the Avaya Remote Client, contact your sales representative.

Allow Any Brand allows any brand client to be authenticated by the security gateway during CCD. This radio button is the default.

Allow Only the Following Brand Specific Clients allows clients that have registered brand names with the security gateway to be authenticated during CCD. The Administrator can enter up to five brand specific names for the Client Legal Message to be displayed.

Issue 4 May 2005 123

Configuring remote access users


(VPNos 3.x and VPNos 4.31 only)


If a RADIUS server is used, the name assigned to a VPNremote Client must be identical to the one used in the RADIUS server.

A popular tool for managing authentication and accounting for remote access has been Remote Authentication Dial-In User Service (RADIUS). Use thePolicy Manager forRADIUS/ACE if you want to use one or more RADIUS servers to authenticate remote users. A security gateway can query up to three RADIUS servers, where two of the servers is recognized as backups.

Figure 42: The Policy Manager for RADIUS/ACE


The security gateway must authenticate itself to the RADIUS server with a “shared secret” before they can exchangeinformation. Therefore, the RADIUS server must be configured with a shared secret for the security gateway.


When checked, RADIUS is enabled as the authentication and configuration database.

# - Rank in group of this particular RADIUS server.

IP Address - IP Address of the RADIUS server.

UDP Port - UDP port of the RADIUS server. The default value is 1645.

124 Avaya VPNmanager Configuration Guide Release 3.7



RADIUS attempts before assuming failure - Integer from 1 to 10 indicating the number of attempts the security gateway makes before timing out with a failure. The default is 3.

RADIUS time-out before assuming failure - Time in seconds from 10 to 500. This value is the total number of seconds that the security gateway waits for a response from any specified RADIUS server before timing out with a failure. The default is 6 seconds.

RADIUS concepts

For additional user authentication, the VSUs support the Remote Authentication Dial-InUser Services (RADIUS) protocol, thus providing stronger Client authentication and accounting mechanisms viathird-partyproducts such as Ascend Access Control™ and RSA Security ACE/ Server™ AccessManager.

Using RADIUS, remote users must pass the RADIUS server’s authentication mechanism in order to connect to a corporate network. This authentication process is summarized as follows:

First, the user initiates communication with a VPN member.

The VPN traffic is processed by VPNremote and then sent to the target security gateway.

The security gateway identifies then incoming traffic as new VPN traffic and initiates a request to the RADIUS server for user authentication requirements.

The RADIUS server responds to the security gateway indicating authentication is required.

The security gateway challenges the user to provide the required authentication information.

The user enters the required authentication information via a prompt displayed by VPNremote. This challenge response is sent back to the security gateway.

The security gateway forwards the challenge response to the RADIUS server.

The RADIUS server decides if the user has met the challenge, and if so, informs the security gateway that the user is authorized. The RADIUS server also forwards the user configuration details, known as user attributes, to the security gateway. These attributes specify VPN-specificinformation, including the cryptographic keys used for encryption.

The security gateway then allows VPN traffic to flow between the VPNremote Client and the VPN members.

Two methods of user authentication—simplepasswords and“one-time”passwords based ontwo-factorauthenticationmechanisms—canbe used to meet a variety of security, cost, and convenience requirements. All RADIUS implementations support standard password authentication, and many can be used in conjunction with RSA Security ACE/Server for SecurID™ Token requirements.

Issue 4 May 2005 125

Configuring remote access users

The RADIUS protocol

The RADIUS protocol is documented in an Internet Engineering Task Force (IETF) Request for Comment (RFC), specifically RFC 2058.

Client/Server Model – A Network Access Server (NAS) operates as a client of RADIUS. The client is responsible for passing user information to designated RADIUS servers and then acting on the response that is returned. RADIUS servers are responsible for receiving user connection requests, authenticating the user, and then returning all configuration information necessary for the client to deliver service to the user. A RADIUS server can act as a proxy client to other RADIUS servers or other kinds of authentication servers.

Network Security – Transactions between the client and RADIUS server are authenticated through the use of a shared secret, which is never sent over the network. Additionally, user passwords are sent encrypted between the client and RADIUS server to eliminate the possibility that someone snooping on an unsecure network could determine a user’s password.

Flexible Authentication Mechanisms – The RADIUS server can support a variety of methods to authenticate a user; when given the user name and the original user password, it can support PPP, PAP or CHAP, UNIX login, and other authentication mechanisms, some of which include the use of cryptographically strong tokens. These tokens use atwo-factorapproach to authentication: the first is a Personal Identification Number (PIN); the second is a value taken from the token. An example of atwo-factorauthentication mechanism is the SecurID™ token card and ACE/Server AccessManager by RSA Security.

Some RADIUS server implementations use several files to manage the database of information needed to provide Client authentication. A number of these files must be modified to use the VSUs as an NAS within a RADIUS environment.

Add (RADIUS/ACE server)

Authenticating (secret) password

Enter the authenticating password followed by a retype.

RADIUS server data

IP Address - Enter the IP address of the RADIUS/ACE server.

UDP Port - Enter the UDP port of the server. The default value is 1645. Check your RADIUS server documentation to verify the value for this field.

126 Avaya VPNmanager Configuration Guide Release 3.7


Use this as my: - Select the role you wish this server to perform: Primary Server, Secondary Server, or Tertiary Server.

To add a RADIUS server:

1.From the Contents column, select the security gateway you want to configure.

2.Click the Policies tab to bring it to the front.

3.From the drop-down list, selectRADIUS/ACE, then clickGO to open thePolicy Manager for


4.Select the Enable RADIUS/ACE check box so the security gateway uses RADIUS services.

5.Click Add to open theAdd RADIUS/ACE dialog box.

6.In the Password text box, type in theshared secret that the security gateway uses to authenticate itself to the RADIUS server.


This value is also entered later in the RADIUS server Client file. Check your RADIUS server documentation for valid password length and allowed characters.

7.In the Confirm Password text box, type in the shared secret to confirm it.

8.In the IP Address text boxes, type in the address of the RADIUS server.


An IP address must be entered (domain names are not valid). There must be an IP route between the security gateway and the target RADIUS server.


To verify that a valid IP route exists, use the security gateway proxy ping function (security gateway tab/Connectivity) and enter the target RADIUS server’s IP address as the ping target.

9.In the UDP Port text box, type the port number for the server.

10.The default number is usually 1645, but use the RADIUS server’s documentation to confirm the number.

11.From the Use this as my options, assign a query order to the server. If backup servers are being used, here is where they can be identified.

Select Primary Server if no backup servers are used, or if this is the server primarily used if backup servers are running.

Select Secondary Server if this server operates as a backup to the primary server.

Select Tertiary Server if this server operates as a backup to the secondary server.

12.Click OK to return to thePolicy Manager window.

13.From the list of servers, select the new server.

Issue 4 May 2005 127

Configuring remote access users

14.From the Settings options, use the following to configure the connection expiration times for the server.

RADIUS Attempts. The number of times a RADIUS server is contacted before failure is assumed and the next RADIUS server is used.The default is 3 attempts.

Time to assume failure. The time that should pass when a RADIUS server is not responding and the next RADIUS server is used.The default value is 6 seconds.

Designated RADIUS attribute for policy. Designates the VPN Policy to the security gateway that is delivered to the remote client when the remote client authenticates throughout the security gateway to the RADIUS Server.

The VPNmanager provides the following attributes for the remote client to choose from:

Filter ID

Replay Message

Class (default set by Administrator)

Vendor Specified

User Defined

User-defined RADIUS attribute ID. ID text field is enabled and the user provides the attribute ID. If the user does not provide the ID, an error message is displayed. This field can be used with less common attribute IDs.

Use this tag for RADIUS attribute. The tag must contain the letters a to z or A to Z. The tag can be up to 15 characters in length.

15.Click Close to return to theConfiguration Console window.

16.Click Save.

17.When you want to send the configuration to the security gateway, click Update Devices.

128 Avaya VPNmanager Configuration Guide Release 3.7

Chapter 6: Configuring user groups

The User Group function is used to setup and maintain logical groups in which the individual VPN users reside.

User groups have a single-levelhierarchy - you cannot have a user group within another user group.

A User Group Object is a method for simultaneously managing many user objects (remote users). For example, all remote users, who are in sales, can be consolidated into a single user group. Then that group can be associated with one or more VPN objects. Without user groups, remote users would have to be individually associated with a VPN object.

User groups are easy to create and configure. You give them a name then populate them with user objects.

Users can belong to more than one user group. When this is the case and policy conflicts exist, permit wins over deny (user group settings override individual user settings).

User groups can be created at anytime. But since they are configured with user objects, you should configure users before configuring user groups.

New user group

To create a user group:

1.From the VPNmanager console main page, Click New Object and selectUser Group. The New User Group dialog is displayed.

2.In the Name text box, type in a name for the new group. Any characters can be used, except a comma [,].

3.If you want to create more groups, press ENTER, then type in another name.

4.Click Apply, thenClose to return to theConfiguration Console window.

5.Click Save.

You now configure your new user group.


Renaming user groups is not currently supported.

Issue 4 May 2005 129

Configuring user groups

User Group - General tab

The User Group General tab is used to manage your users and their respective user group assignments.

Figure 43: User Group, General tab

All existing user groups are displayed in the Contents list. The highlighted user group is displayed in the General tab window.

Directory Name. - This is the unique User Group name. It is unique in that it is not duplicated anywhere within the VPN domain to which it is assigned.

Current Users. - This area contains the names of all individual Users currently assigned to this User Group. A second pane, titled Available Users, lists all existing VPN users. The left and right arrows are used to move the highlighted users from one column to the other.

Available Users. - This pane is a list of all available users. The highlighted user may be moved into the Current User Members list by using the left arrow. Only one default user can be added to a User Group.

User Group - Memo tab

Memo can be used to record notes about the User Group, such as change history, function of this group (such as all administrators, etc.). Information entered here is associated only with this User Group. This information is stored only in the database and not downloaded to the security gateways.

130 Avaya VPNmanager Configuration Guide Release 3.7