User Authentication

For IPSec subscribers, user authentication occurs in two phases. The first phase is an IPSec-level authentication (phase 1 or IKE authentication). Sometimes referred to as “ machine” authentication, because the user PC is authenticated, the first authentication phase verifies private or preshared keys that reside on the PC. These keys are not easily moved from one PC to another and do not require user entry each time authentication is performed.

Depending on the IKE phase 1 exchange, restrictions on the authentication type or the access network setup might exist. To avoid any usage problems, keep the following in mind:

• If you are configuring a VPN where users perform preshared key IPSec authentication and use the IKE main mode exchange for phase 1, you must setup the access network such that the VPN has an exclusive local IP address.
• If you want to share a single server address on the access network for more than one VPN, you must either set the clients to use IKE aggressive mode or use a public and private key pair for authentication. This authentication type includes X.509v3 certificates).

After the IPSec-level authentication takes place, a user authentication occurs. Often considered a legacy form of authentication, the user authentication (like RADIUS) typically requires the user to enter information in the form of a username and password.

Copyright © 2008, Juniper Networks, Inc. All rights reserved. Trademark Notice.