Authentication Schemes and Certificates

To create a secure connection to the LAN from a remote location, users must authenticate themselves.

Endpoint Security VPN supports these authentication types:

  • Username and password

  • Certificate - Keychain (for Keychain certificates and Smart Cards)

  • Certificate - P12

  • SecurID - KeyFob

  • SecurID - PinPad

  • Challenge Response

Pre-Configuring Authentication Method

From the client, users can change how they authenticate to a VPN gateway. You can preconfigure the default authentication method in the gateway configuration file.

To configure default authentication for users of a site:

  1. On the gateway, open the $FWDIR/conf/trac_client_1.ttm file with a text editor.

  2. In the default_authentication_method section, change the value of :default.

    Correct values:

    • client_decide (the user selects, default)

    • username-password

    • certificate (for Keychain certificate)

    • p12-certificate

    • securIDKeyFob

    • securIDPinPad

    • challenge-response

    Note - For more information about the configuration file, see Understanding the Configuration File.

  3. Save the file and install the policy.

    When clients download the new policy from the gateway, configuration changes are applied.

Users who configure the site for this gateway are not prompted to select an authentication method.
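
A typo in the :default value is easy to miss before the policy is installed. The check below is an added example, not Check Point code: it parses a copy of trac_client_1.ttm and confirms that :default in the default_authentication_method section is one of the values listed above. The function names are hypothetical, and the ":name (value)" nesting and the :gateway level in the sample are assumptions about the file layout.

```python
import re

# Values the page lists as correct for :default.
ALLOWED = {"client_decide", "username-password", "certificate", "p12-certificate",
           "securIDKeyFob", "securIDPinPad", "challenge-response"}

def parse_ttm(text):
    """Parse ':name ( ... )' nesting into dicts; a leaf body becomes a string."""
    tokens = re.findall(r"[()]|[^\s()]+", text) + [")"]  # whole file = one implicit body
    pos = 0
    def body():
        nonlocal pos
        children, words = {}, []
        while pos < len(tokens):
            tok = tokens[pos]
            pos += 1
            if tok == ")":
                return children or " ".join(words)
            if tok.startswith(":") and tokens[pos] == "(":
                pos += 1
                children[tok[1:]] = body()
            elif tok == "(":  # unnamed group: keep it under a positional key
                children[f"#{len(children)}"] = body()
            else:
                words.append(tok)
        raise ValueError("unbalanced parentheses: missing ')'")
    tree = body()
    if pos != len(tokens):
        raise ValueError("unbalanced parentheses: extra ')'")
    return tree

def find(node, key):
    """Yield every value stored under `key` at any depth."""
    for k, v in (node.items() if isinstance(node, dict) else ()):
        if k == key:
            yield v
        yield from find(v, key)

def check_default_auth(text):
    """Return (ok, detail) for :default inside default_authentication_method."""
    section = next(find(parse_ttm(text), "default_authentication_method"), None)
    values = [v for v in find(section, "default") if isinstance(v, str)]
    if not values:
        return False, "section or :default value not found"
    bad = [v for v in values if v not in ALLOWED]
    return (False, f"unrecognized: {bad}") if bad else (True, values[0])

# Constructed sample; the :gateway nesting is an assumed layout, not from the page.
SAMPLE = ":default_authentication_method ( :gateway ( :default (p12-certificate) ) )"
print(check_default_auth(SAMPLE))
```

Run it against a copy of the edited file by passing the file's text to check_default_auth; a ValueError means the parentheses in the file no longer balance.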