This article will show you how to configure user authentication across an IPSec site-to-site VPN using RADIUS (or Active Directory [AD]). This lets the clients on Site A authenticate themselves for network access against Site B's authentication server.
Table of Contents
1) Configure Site A - USG Firewall
1.1 Setup the Web Portal
1.2 Configure the RADIUS Group
1.3 Set the RADIUS Server
1.4 Configure a Static Route for the clients to reach the RADIUS server
2) Configure Site B - USG Firewall
2.1 Configure Trusted Clients on Remote Subnet
2.2 Configure a Static Route for the clients to reach the RADIUS server
3) Test the Result
Scenario:
We have two USGs connected via a VPN tunnel. We now want clients on Site A (USG60) to authenticate against the remote Site B (USG40).
1) Configure Site A - USG Firewall
1.1 Setup the Web Portal
Set up the Web Portal so that LAN2 clients have to authenticate via the Web Portal.
1.2 Configure the RADIUS Group
Set Configuration > Object > Auth. Method to "group RADIUS", because the clients' web portal access request is handed internally to RADIUS on port 1812.
1.3 Set the RADIUS Server
Under Configuration > Object > AAA Server > RADIUS, set the RADIUS server address to the remote USG's local gateway and set a Secret (you will need the same value in the later steps on USG40).
1.4 Configure a Static Route for the clients to reach the RADIUS server
Under Configuration > Network > Routing > Static Route, add a static route that sends traffic destined for the RADIUS server IP (the remote USG's local gateway IP) via your local gateway interface. This makes sure that the client's authentication request, which the AAA Server object configured above now directs to 192.168.1.1, is forwarded correctly.
2) Configure Site B - USG Firewall
2.1 Configure Trusted Clients on Remote Subnet
Under Configuration > System > Auth. Server, add a trusted client using the local gateway interface of the USG that is now the remote one (USG60!). The Server IP is that now-remote gateway IP, in this case 192.168.11.1; use the secret you set earlier in the AAA Server settings (step 1.3).
2.2 Configure a Static Route for the clients to reach the RADIUS server
Under Configuration > Network > Routing > Static Route, add a static route on USG40 that sends traffic for the USG60 remote local gateway (192.168.11.1) through the USG40 local gateway 192.168.1.1. This makes sure that the RADIUS Access-Accept message gets back to USG60, which keeps the client from accessing the internet until USG40 accepts the request.
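The exchange that now runs through the tunnel, as an added example (written for this article, not Zyxel code): USG60 builds the RFC 2865 Access-Request with the password hidden under the shared secret, USG40 recovers it and signs its verdict with the same secret, and USG60 only honours a reply whose Response Authenticator matches. The user names, passwords and secret below are constructed lab values; a secret mismatch between steps 1.3 and 2.1 shows up as a rejected login on one side and an unverifiable reply on the other.

```python
import hashlib
import os
import struct

# Hypothetical lab values; the secret is the one typed in steps 1.3 and 2.1.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2

def _attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value

def _crypt_password(secret, authenticator, data, decrypt=False):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(chunk, key))
        out += block
        prev = chunk if decrypt else block  # chaining always uses the ciphertext block
    return out

def build_access_request(secret, user, password, ident=1, req_auth=None):
    """USG60 side: the packet sent to UDP/1812 after the web-portal login."""
    req_auth = req_auth or os.urandom(16)
    padded = password.encode() + b"\x00" * (-len(password) % 16)
    attrs = _attr(USER_NAME, user.encode())
    attrs += _attr(USER_PASSWORD, _crypt_password(secret, req_auth, padded))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def parse_attrs(packet):
    attrs, pos = {}, 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs

def server_reply(secret, request, users):
    """USG40 side: recover the password, then sign the verdict (RFC 2865 section 3)."""
    req_auth, a = request[4:20], parse_attrs(request)
    pw = _crypt_password(secret, req_auth, a[USER_PASSWORD], decrypt=True).rstrip(b"\x00")
    ok = users.get(a[USER_NAME].decode(), "").encode() == pw
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, request[1], 20)
    return header + hashlib.md5(header + req_auth + secret).digest()

def reply_is_authentic(secret, request, reply):
    """USG60 side: only a reply signed with the same secret unblocks the client."""
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return reply[4:20] == expected
```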
3) Test the Result
KB-00192