onfigure RADIUS Server Authentication with Active

Directory Users and Groups For Mobile VPN Users

When you use Mobile VPN with L2TP or Mobile VPN with PPTP to authenticate users to your network, you can
use the user accounts from your Active Directory server database to authenticate users with your
RADIUS server and the RADIUS protocol. You must configure the Mobile VPN settings on your XTM device to
enable RADIUS authentication, configure your RADIUS server to get user credentials from your Active
Directory database, and configure your Active Directory and RADIUS servers to communicate with your
XTM device.

Before You Begin

Before you configure your XTM device to use your Active Directory and RADIUS servers to authenticate your
Mobile VPN with L2TP or Mobile VPN with PPTP users, make sure that the settings described in this section
are configured on your RADIUS and Active Directory servers. Windows 2008 and 2003 Server are the
supported RADIUS server platforms.

For complete instructions to configure your RADIUS server or Active Directory server, see the vendor
documentation for each server.

Configure NPS for a Windows 2008 Server

In Windows 2008 Server Manager, make sure NPS is installed with a Network Policy and Access
Service role that uses the Network Policy Server role service.

Add a New Radius Client to NPS that includes the IP address of your XTM device, uses the RADIUS
Standard vendor, and set a manual shared secret for the RADIUS client and XTM device.

Add a network policy with these settings:

o Select the Active Directory user group that includes the users you want to authenticate with Mobile
VPN with L2TP or Mobile VPN with PPTP.

o Specify Access granted as the access permissions for the policy, and do not specify an EAP type.

o Add the attribute Filter-ID to the policy and specify L2TP-Users or PPTP-Users as the value. Make
sure to remove Framed Protocol and Service-Type from the Attributes list.

Configure IAS for a Windows 2003 Server

On your Windows 2003 Server, make sure that the Internet Authentication Service (IAS) networking
service is installed.

In the IAS console, add a new RADIUS client for your XTM device that uses the device name and IP
address of your XTM device for the Friendly name and Client address. Make sure to select the
RADIUS Standard for the Client-Vendor value and set a shared secret for the RADIUS client and
XTM device.

From the IAS console, add a custom new remote access policy with these settings:
 o Add the Windows-Group attribute to the policy.

o Select the Active Directory user group that includes the users you want to authenticate with Mobile
VPN with L2TP or Mobile VPN with PPTP.

o For the permissions setting, specify Grant remote access permission.

o Add the attribute Filter-ID to the policy and specify L2TP-Users or PPTP-Users as the value.

Configure Active Directory Settings

When you configure these settings for your Active Directory server, you enable your RADIUS server to contact
your Active Directory server for the user credentials and group information stored in your Active Directory
database.

In Active Directory Users and Computers on your Active Directory server, make sure that the remote
access permissions are configured to Allow access to users.

Register NPS or IAS to your Active Directory server.

Enable Active Directory Behind a RADIUS Server Authentication for

Mobile VPN on Your XTM Device
Before your users can use Mobile VPN with L2TP or Mobile VPN with PPTP to authenticate to your network
with their Active Directory credentials, you must enable your XTM device to use a RADIUS server for Mobile
VPN with L2TP or Mobile VPN with PPTP authentication.

Before you configure the Mobile VPN with L2TP or Mobile VPN with PPTP settings, make sure that you have
added your RADIUS server to the Authentication Servers list on your XTM device. The RADIUS server must
have the same IP address and shared secret that you specified when you configured the NPS or IAS settings
for your RADIUS server.

For more information about how to add a RADIUS authentication server, see Configure RADIUS Server
Authentication.

Configure Mobile VPN with L2TP Settings

By default, Firebox-DB is the selected server for authentication. When you configure Mobile VPN to use your
RADIUS server, you can use Firebox-DB for a secondary authentication database if the RADIUS server is not
available.

To enable RADIUS server authentication for Mobile VPN with L2TP users:

1. From Policy Manager, select VPN > Mobile VPN > L2TP > Configure.
The Mobile VPN with L2TP Configuration dialog box appears.

2. Select the Authentication tab.

3. In the Authentication Server list, select the check box for your RADIUS server.

4. If the RADIUS server is not the first server in the Authentication Server list, click Make Default.
The RADIUS server moves to the top of the list.
 5. To only use the RADIUS server for authentication, clear the Firebox-DB check box.

6. In the Authorized Users and Groups list, make sure the L2TP-Users group appears.
The Authentication Server can be Any or RADIUS.

7. Make any additional changes to the Mobile VPN with L2TP configuration.

For more information about how to configure the settings for Mobile VPN with L2TP, see Edit the Mobile
VPN with L2TP Configuration.

Configure Mobile VPN with PPTP Settings

To enable RADIUS server authentication for Mobile VPN with PPTP users:

1. Select VPN > Mobile VPN > PPTP.

The Mobile VPN with PPTP Configuration dialog box appears.

2. Select the Use RADIUS to authenticate Mobile VPN with PPTP users check box

For more information about how to configure the settings for Mobile VPN with PPTP, see Configure Mobile
VPN with PPTP.

See Also

About L2TP User Authentication

Edit the Mobile VPN with L2TP Configuration

Configure Mobile VPN with PPTP