Extended Authentication (Xauth)


Overview

The firewall supports the Extended Authentication (Xauth) feature within the IKE protocol. Xauth lets you deploy IPSec VPNs using TACACS+ or RADIUS as the user authentication method.

This feature, which is designed for VPN clients, provides user authentication by prompting the user for a username and password and verifying them against the information stored in the TACACS+ or RADIUS database. Xauth is negotiated between IKE Phase 1 (the IKE device authentication phase) and IKE Phase 2 (the IPSec SA negotiation phase). If Xauth fails, the IPSec security association is not established and the IKE security association is deleted.

The IKE Mode Config feature is also negotiated between IKE Phase 1 and Phase 2. If both features are configured, Xauth is performed first.

The Xauth feature is optional and is enabled with the crypto map map-name client authentication aaa-group-tag command. AAA must be configured on the firewall with the aaa-server group_tag (if_name) host server_ip key timeout seconds command before Xauth is enabled. Use the same AAA server group tag in both the aaa-server and the crypto map client authentication command statements.


Making an Exception to Xauth for Security Gateways

If both security gateway and VPN client peers terminate on the same interface and Xauth is configured, configure the firewall to exempt the security gateway peer from Xauth. With this exception, the firewall does not challenge the security gateway peer for a username and password. The command used to make the exception depends on the authentication method configured in the IKE policies.

IKE authentication method   no-xauth related command to use
pre-share key               isakmp key keystring address ip-address [netmask] [no-xauth] [no-config-mode]
rsa signatures              isakmp peer fqdn fqdn [no-xauth] [no-config-mode]


Extended Authentication Configuration

Follow these steps to configure Xauth on the firewall:

  1. Set up the basic AAA Server:
    aaa-server group_tag (if_name) host server_ip key

    For example:

    aaa-server TACACS+ (outside) host 10.0.0.2 secret123

    This example specifies that the authentication server with the IP address 10.0.0.2 resides on the outside interface and is in the default TACACS+ server group. The key "secret123" is used between the firewall and the TACACS+ server for encrypting data between them.

  2. Enable Xauth. Be sure to specify the same AAA server group tag within the crypto map client authentication command statement as was specified in the aaa-server command statement.
    crypto map map-name client authentication aaa-group-tag

    For example:

    crypto map mymap client authentication TACACS+

    In this example, Xauth is enabled on the crypto map "mymap", and the server in the TACACS+ group is used for user authentication.

  3. (Optional) Perform this step for each security gateway that shares the same interface as the VPN client(s) and is configured to use a pre-share key. This step allows the firewall to make an exception to the Xauth feature for the given security gateway.
    isakmp key keystring address ip-address [netmask mask] [no-xauth] [no-config-mode]

    For example:

    isakmp key secretkey1234 address 10.2.2.2 netmask 255.255.255.255 no-xauth

  4. (Optional) Perform this step for each security gateway that shares the same interface as the VPN client(s) and is configured to use RSA signatures. This step allows the firewall to make an exception to the Xauth feature for the given security gateway.
    isakmp peer fqdn fqdn [no-xauth] [no-config-mode]

    For example:

    isakmp peer fqdn hostname1.example.com no-xauth
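As an added example (not part of the original document or of the firewall's own tooling), the following Python audit checks the two consistency rules the steps above depend on: every crypto map client authentication statement must name a group tag that an aaa-server statement defines, and any security gateway sharing the interface needs no-xauth on its isakmp key or isakmp peer entry or it will be challenged for a username and password. The configuration fragment is constructed for the example, and the regular expressions assume the command forms shown on this page.

```python
import re

# Constructed PIX-style configuration fragment (sample input, not a real device).
SAMPLE_CONFIG = """\
aaa-server TACACS+ (outside) host 10.0.0.2 secret123
crypto map mymap client authentication TACACS+
crypto map othermap client authentication RADIUS
isakmp key secretkey1234 address 10.2.2.2 netmask 255.255.255.255 no-xauth
isakmp key secretkey5678 address 10.3.3.3 netmask 255.255.255.255
isakmp peer fqdn hostname1.example.com no-xauth
isakmp peer fqdn hostname2.example.com
"""

# Command forms as documented above: aaa-server, crypto map ... client
# authentication, isakmp key ... address, and isakmp peer fqdn.
AAA_SERVER = re.compile(r"^aaa-server\s+(\S+)\s+\(\S+\)\s+host\s+(\S+)\s+(\S+)")
CLIENT_AUTH = re.compile(r"^crypto map\s+(\S+)\s+client authentication\s+(\S+)")
ISAKMP_KEY = re.compile(r"^isakmp key\s+\S+\s+address\s+(\S+)(?:\s+netmask\s+\S+)?(.*)$")
ISAKMP_PEER = re.compile(r"^isakmp peer fqdn\s+(\S+)(.*)$")


def audit_xauth(config: str) -> dict:
    """Audit Xauth-related statements and report group-tag mismatches and
    which IKE peers are exempt from (or still subject to) the Xauth challenge."""
    aaa_groups = set()      # group tags defined by aaa-server statements
    client_auth = {}        # crypto map name -> AAA group tag it references
    peers = {}              # peer address or FQDN -> True if no-xauth is present
    for raw in config.splitlines():
        line = raw.strip()
        if m := AAA_SERVER.match(line):
            aaa_groups.add(m.group(1))
        elif m := CLIENT_AUTH.match(line):
            client_auth[m.group(1)] = m.group(2)
        elif (m := ISAKMP_KEY.match(line)) or (m := ISAKMP_PEER.match(line)):
            peers[m.group(1)] = "no-xauth" in m.group(2).split()
    # A crypto map that names an undefined group tag cannot authenticate anyone.
    undefined = sorted(name for name, tag in client_auth.items() if tag not in aaa_groups)
    # Peers without no-xauth are challenged: expected for VPN clients, a
    # misconfiguration for a security gateway on the same interface.
    return {
        "xauth_enabled": bool(client_auth),
        "undefined_aaa_groups": undefined,
        "xauth_exempt_peers": sorted(p for p, ok in peers.items() if ok),
        "xauth_challenged_peers": sorted(p for p, ok in peers.items() if not ok),
    }


if __name__ == "__main__":
    for key, value in audit_xauth(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

The audit cannot tell a security gateway from a VPN client by address alone, so the challenged-peer list is meant to be reviewed against the peers you know to be gateways.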