Netgear VPN Firewall FVS336Gv2 Reference Manual
Manage Users, Authentication, and VPN Certificates 489 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2

• Remove One or More Authentication Domains

Authentication Domains Overview

An authentication domain specifies the authentication method for users that are assigned to the domain. For SSL connections, the domain also determines the portal layout that is presented, which in turn determines the network resources to which the associated users have access.

The default domain of the VPN firewall is named geardomain. You cannot change or remove the default domain.

Add an Authentication Domain

The following procedure describes how to add a new authentication domain.

To add an authentication domain:

1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1. The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button. The Router Status screen displays.
6. Select Users > Domains. The Domains screen displays. The following figure shows the VPN firewall’s default domain—geardomain—and, as an example, other domains in the List of Domains table.
   The List of Domains table lists the following information:
   • Check box. Allows you to select the domain in the table.
   • Domain Name. The name of the domain. The name of the default domain (geardomain) to which the default SSL-VPN portal is assigned is appended by an asterisk.
   • Authentication Type. The authentication method that is assigned to the domain.
   • Portal Layout Name. The SSL portal layout that is assigned to the domain.
   • Action. The Edit button, which provides access to the Edit Domain screen.
7. Under the List of Domains table, click the Add button. The Add Domain screen displays.
8. Enter the settings as described in the following table.
   Setting: Description

   Domain Name: A descriptive (alphanumeric) name of the domain for identification and management purposes.
      Note: If you leave the Domain Name field blank, the SSL VPN Wizard uses the default domain name geardomain. To enable the SSL VPN Wizard to create a domain, you must enter a name other than geardomain in the Domain Name field.

   Authentication Type: From the menu, select the authentication method that the VPN firewall applies:
      • Local User Database (default). Users are authenticated locally on the VPN firewall. This is the default setting. You do not need to complete any other fields on this screen.
      • Radius-PAP. RADIUS Password Authentication Protocol (PAP). Complete the Authentication Server and Authentication Secret fields.
      • Radius-CHAP. RADIUS Challenge Handshake Authentication Protocol (CHAP). Complete the Authentication Server and Authentication Secret fields.
      • Radius-MSCHAP. RADIUS Microsoft CHAP. Complete the Authentication Server and Authentication Secret fields.
      • Radius-MSCHAPv2. RADIUS Microsoft CHAP version 2. Complete the Authentication Server and Authentication Secret fields.
      • WIKID-PAP. WiKID Systems PAP. Complete the Authentication Server and Authentication Secret fields.
      • WIKID-CHAP. WiKID Systems CHAP. Complete the Authentication Server and Authentication Secret fields.
      • MIAS-PAP. Microsoft Internet Authentication Service (MIAS) PAP. Complete the Authentication Server and Authentication Secret fields.
      • MIAS-CHAP. Microsoft Internet Authentication Service (MIAS) CHAP. Complete the Authentication Server and Authentication Secret fields.
      • NT Domain. Microsoft Windows NT Domain. Complete the Authentication Server and Workgroup fields.
      • Active Directory. Microsoft Active Directory. Complete the Authentication Server and Active Directory Domain fields.
      • LDAP. Lightweight Directory Access Protocol (LDAP). Complete the Authentication Server and LDAP Base DN fields.
      Note: If you select any type of RADIUS authentication, make sure that you configure one or more RADIUS servers (see Configure the RADIUS Servers for the VPN Firewall’s RADIUS Client on page 392).

   Portal: The portal that is assigned to this domain and that is presented to the user to enter credentials. The default portal is SSL-VPN.

   Authentication Server: The server IP address or server name of the authentication server for any type of authentication other than authentication through the local user database.

   Authentication Secret: The authentication secret or password that is required to access the authentication server for RADIUS, WiKID, or MIAS authentication.

   Workgroup: The workgroup that is required for Microsoft NT Domain authentication.

   LDAP Base DN: The LDAP distinguished name (DN) that is required to access the LDAP authentication server. This must be a user in the LDAP directory who has read access to all the users that you want to import into the VPN firewall. The LDAP Base DN field accepts two formats:
      • A display name in the DN format. For example: cn=Jamie Hanson,cn=users,dc=test,dc=com.
      • A Windows login account name in email format. For example: [email protected]. This last type of bind DN can be used only for a Windows LDAP server.

   Active Directory Domain: The Active Directory domain name that is required for Microsoft Active Directory authentication.

9. Click the Apply button. Your settings are saved. The domain is added to the List of Domains table.
10. If you use local authentication, make sure that it is not disabled: In the Local Authentication section of the Domain screen, select the No radio button.
    Note: The VPN firewall supports a combination of local and external authentication.
    WARNING: If you disable local authentication, make sure that there is at least one external administrative user; otherwise, access to the VPN firewall is blocked.
11. If you do change local authentication, click the Apply button. Your settings are saved.

Change an Authentication Domain

The following procedure describes how to change an authentication domain. However, you cannot change the domain name and type of authentication.

Note: You cannot change the default domain geardomain.

To change an authentication domain:

1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process.
   The VPN firewall factory default IP address is 192.168.1.1. The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button. The Router Status screen displays.
6. Select Users > Domains. The Domains screen displays.
7. In the List of Domains table, click the Edit button for the domain that you want to change. The Edit Domains screen displays.
8. Change the settings. For more information about the settings, see Add an Authentication Domain on page 489.
9. Click the Apply button. Your settings are saved. The modified domain displays in the List of Domains table on the Domains screen.

Remove One or More Authentication Domains

The following procedure describes how to remove one or more domains that you no longer need. However, if a domain has users assigned to it, you first must assign the users to another domain; otherwise, you cannot remove the domain (see Change a User Account on page 502).

Note: You cannot remove the default domain geardomain.

To remove one or more authentication domains:

1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1. The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button. The Router Status screen displays.
6. Select Users > Domains. The Domains screen displays.
7. In the List of Domains table, select the check box to the left of each domain that you want to remove or click the Select All button to select all domains.
8. Click the Delete button. The selected domains are removed from the List of Domains table.

Manage Authentication Groups

The following sections provide information about managing authentication groups:

• Authentication Groups Overview
• Add an Authentication Group
• Change an Authentication Group
• Remove One or More Authentication Groups

Authentication Groups Overview

The use of groups simplifies the configuration of VPN policies when different sets of users have different restrictions and access controls. It also simplifies the configuration of web access exception rules.

Like the default domain of the VPN firewall, the default group is also named geardomain. The default group geardomain is assigned to the default domain geardomain. You cannot remove the default domain geardomain, nor its associated default group geardomain.

IPSec VPN, L2TP, and PPTP users do not belong to a domain and are not assigned to a group.
IMPORTANT: When you add a domain, the VPN firewall creates a group with the same name as the new domain automatically. You cannot remove such a group. However, when you remove the domain with which the group is associated, the group is removed automatically.

Note: Authentication groups are different from LAN groups that you use to simplify firewall policies. For information about LAN groups, see Manage IPv4 LAN Groups and Hosts on page 132.

Add an Authentication Group

The following procedure describes how to manually add an authentication group.

To add a group:

1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1. The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button. The Router Status screen displays.
6. Select Users > Groups. The Groups screen displays. The following figure shows the VPN firewall’s default group—geardomain—and, as an example, several other groups in the List of Groups table.
   The List of Groups table lists the following information:
   • Check box. Allows you to select the group in the table.
   • Name. The name of the group. The name of the default group (geardomain) that is assigned to the default domain (also geardomain) is appended by an asterisk.
   • Domain. The name of the domain to which the group is assigned.
   • Action. The Edit button, which provides access to the Edit Group screen.
7. Under the List of Groups table, click the Add button. The Add Group screen displays.
8. Enter the settings as described in the following table.

   Setting: Description

   Name: A descriptive (alphanumeric) name of the group for identification and management purposes.

   Domain: The menu shows the domains that are listed on the Domain screen. From the menu, select the domain with which you want to associate the group. For information about how to configure domains, see Manage Authentication Domains on page 488.

   Idle Timeout: The period after which an idle user is automatically logged out of the VPN firewall’s web management interface. The default idle time-out period is 10 minutes.

9. Click the Apply button. Your settings are saved. The new group is added to the List of Groups table.
Change an Authentication Group

For a group that was automatically created when you added an authentication domain, you can modify only the idle time-out settings but not the group name or associated domain. For groups that you created manually, you can modify the domain and the idle time-out settings but not the group name.

To change an authentication group:

1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1. The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button. The Router Status screen displays.
6. Select Users > Groups. The Groups screen displays.
7. In the List of Groups table, click the Edit button for the group that you want to change. The Edit Groups screen displays.
8. Change the settings. For more information about the settings, see Add an Authentication Group on page 495.
9. Click the Apply button. Your settings are saved. The modified group displays in the List of Groups table on the Groups screen.

Remove One or More Authentication Groups

You can remove only an authentication group that you created manually. You cannot remove a group that was automatically created when you added an authentication domain. However, when you remove the domain with which the group is associated, the group is removed automatically.
For a group that you created manually, if the group has users assigned to it, you first must assign the users to another group; otherwise, you cannot remove the group (see Change a User Account on page 502).

Note: You cannot remove the default group geardomain.

To remove one or more authentication groups:

1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1. The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button. The Router Status screen displays.
6. Select Users > Groups. The Groups screen displays.
7. In the List of Groups table, select the check box to the left of each group that you want to remove or click the Select All button to select all groups.
8. Click the Delete button. The selected groups are removed from the List of Groups table.

Manage User Accounts

The following sections provide information about managing user accounts:

• User Accounts Overview
• Add a User Account
• Change a User Account
• Remove One or More User Accounts
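
The rules stated above for domains and groups (the fields each Authentication Type requires, the local authentication lockout warning, and the removal restrictions) can be checked against a hand-kept inventory before a change is applied in the web interface. The following Python is an added example, not NETGEAR code; the record layout, function names and sample data are hypothetical, and the reading of "external administrative user" is an assumption.

```python
# Inventory layout is hypothetical: the manual documents only the web
# interface, so these records are transcribed by hand from its screens.
DEFAULT, LOCAL = "geardomain", "Local User Database"
REQUIRED = {LOCAL: (),
            "NT Domain": ("Authentication Server", "Workgroup"),
            "Active Directory": ("Authentication Server", "Active Directory Domain"),
            "LDAP": ("Authentication Server", "LDAP Base DN")}
for _t in ("Radius-PAP", "Radius-CHAP", "Radius-MSCHAP", "Radius-MSCHAPv2",
           "WIKID-PAP", "WIKID-CHAP", "MIAS-PAP", "MIAS-CHAP"):
    REQUIRED[_t] = ("Authentication Server", "Authentication Secret")

def missing_fields(domain):
    """Fields the settings table requires for this Authentication Type but that are blank."""
    auth = domain.get("Authentication Type", LOCAL)
    if auth not in REQUIRED:
        raise ValueError(f"not an authentication type from the manual: {auth}")
    return [f for f in REQUIRED[auth] if not str(domain.get(f, "")).strip()]

def lockout_risk(local_auth_disabled, domains, users):
    """True if disabling local authentication would leave no external admin.
    Assumption: an external administrative user is an admin account in a
    domain whose Authentication Type is not the local user database."""
    if not local_auth_disabled:
        return False
    external = {d["Domain Name"] for d in domains
                if d.get("Authentication Type", LOCAL) != LOCAL}
    return not any(u["admin"] and u["domain"] in external for u in users)

def removal_blockers(kind, name, users, groups=()):
    """Reasons the manual gives for refusing to remove a 'domain' or 'group'."""
    reasons = []
    if name == DEFAULT:
        reasons.append(f"default {kind} cannot be removed")
    if kind == "group" and any(g["name"] == name and g["auto"] for g in groups):
        reasons.append("group was created with its domain; remove the domain")
    if any(u[kind] == name for u in users):
        reasons.append(f"reassign users of this {kind} first")
    return reasons

# Constructed sample inventory (not taken from a real device).
DOMAINS = [{"Domain Name": DEFAULT},
           {"Domain Name": "branch", "Authentication Type": "Radius-MSCHAPv2",
            "Authentication Server": "192.0.2.10", "Authentication Secret": ""},
           {"Domain Name": "corp", "Authentication Type": "LDAP",
            "Authentication Server": "192.0.2.20",
            "LDAP Base DN": "cn=Jamie Hanson,cn=users,dc=test,dc=com"}]
GROUPS = [{"name": "branch", "auto": True}, {"name": "contractors", "auto": False}]
USERS = [{"name": "admin", "domain": DEFAULT, "group": DEFAULT, "admin": True},
         {"name": "jhanson", "domain": "corp", "group": "contractors", "admin": False}]

if __name__ == "__main__":
    print({d["Domain Name"]: missing_fields(d) for d in DOMAINS})
    print("lockout risk:", lockout_risk(True, DOMAINS, USERS))
    print(removal_blockers("domain", "corp", USERS))
```

With the sample data, the only administrative account sits in the local default domain, so disabling local authentication is reported as a lockout risk.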