[vpn-help] VPN Access without Router Access on Adtran NetVanta 3448

Kevin VPN kvpn at live.com
Tue Oct 11 19:38:30 CDT 2011


On 10/10/2011 10:27 AM, Dennis Seger wrote:
> As a new admin of both Shrewsoft VPN client and Adtran routers, I'm
> hoping you can provide some guidance.
>
> The setup is: Shrewsoft client 2.1.7 for Windows
> Adtran NetVanta 3448 Router (latest FW)
>
> The issue I need assistance with is when I follow the Shrew.net how
> to instructions for Adtran NetVanta setup it results in the VPN users
> having both VPN access and full admin access to the router.
>
> The Adtran config does have 'portal-lists' which allow control over
> which management interfaces (http, ssh, telnet, etc) a user can use.
> But I found that if I assign any type of portal-list configuration
> to a user, they can no longer make a VPN connection due to
> 'authentication failed'.  It only works if portal-list is set to
> 'none'.  I would like to maintain a dual-password (x-auth) security
> scheme (currently using preshared key and local Adtran user).
>
> I asked Adtran support about this issue and they said that the work
> around is to use Radius authentication for VPN users rather than
> 'local user' list (local and radius are the only choices).  My client
> does not have a radius server and I'd like to avoid adding another
> network service just for VPN authentication if possible.
>
> Does anyone have suggestions or experience with allowing VPN access
> without also allowing router management access on NetVanta routers?
>

Hi Dennis,

Most of the firewalls that I've worked with have two separate user
groups that can be defined on the firewall: admin users and
locally-defined 'user' users.  The administrative consoles check
authentication against the admin user base, and the VPN (and other
services) use the local user group.

It sounds like Adtran hasn't bothered to implement two groups, so you
simply may be stuck with the RADIUS option.  From what I've heard,
setting up a simple FreeRADIUS server isn't that hard, but I think you
also need some other user store (like a passwd file or LDAP) for RADIUS
to query.
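
As an added illustration of the RADIUS route mentioned above (not part of the thread, and not Adtran's or Shrew Soft's own material): a minimal FreeRADIUS configuration that uses its flat `users` file as the user store, so VPN accounts are kept outside the router's local user list, which then holds only administrators. The router address, shared secret, user name and passphrase are placeholders; how the NetVanta maps a RADIUS Access-Accept to VPN-only rights is not covered here.

```conf
# clients.conf: the NetVanta is the only NAS allowed to query this server.
# ipaddr and secret are placeholders; the secret must match the router's
# RADIUS server configuration.
client netvanta3448 {
    ipaddr  = 192.0.2.1
    secret  = CHANGE-ME-long-random-shared-secret
    nastype = other
}

# users: VPN (XAuth) accounts only. None of these names exist in the router's
# local user list, so a VPN credential grants no management login.
# "dennis" and the passphrase are constructed sample values.
dennis  Cleartext-Password := "CHANGE-ME-vpn-passphrase"
        Reply-Message = "VPN access granted"

# Explicit default deny: anyone not listed above is rejected, so the RADIUS
# user store cannot silently fall through to another backend.
DEFAULT Auth-Type := Reject
        Reply-Message = "Not a VPN user"
```

Once the server answers correctly for the sample account (the `radtest` tool shipped with FreeRADIUS is the usual check), the router's VPN policy can be pointed at RADIUS while its local users remain administrators only.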
