Table Of Contents
Establishing a VPN Connection
Checking Prerequisites
Establishing a Connection
Connecting to a Default Connection Entry
Choosing Authentication Methods
Shared Key Authentication
VPN Group Name and Password Authentication
RADIUS Server Authentication
SecurID Authentication
Using Digital Certificates
Establishing a VPN Connection
This chapter describes how to establish a VPN connection with a private network using the VPN Client and the user authentication methods supported by the VPN device that is providing your connection.
Checking Prerequisites
Before you can establish a VPN connection, you must have:
• At least one connection entry configured on the VPN Client. See "Configuring Connection Entries" for more information.
• User authentication information. This includes your username and password, and depending on the configuration of your connection entry, might also include:
  – Passwords for RADIUS authentication
  – VPN group name and password for connections to VPN devices
  – PINs for RSA Data Security
  – Digital certificates and associated passwords
• An Internet connection
Contact your network administrator for prerequisite information.
Establishing a Connection
To establish a VPN connection:
Step 1
Open the VPN Client application by double-clicking the VPN Client icon in the Applications folder. If you created an alias, you can double-click the VPN Client icon on the Desktop or in the dock (Figure 5-1).
Figure 5-1 VPN Client Icon
The main VPN Client window appears.
Figure 5-2 shows the VPN Client window in simple mode.
Figure 5-2 VPN Client Window—Simple Mode
Figure 5-3 shows the VPN Client window in advanced mode.
Figure 5-3 VPN Client Window—Advanced Mode
See "Navigating the User Interface" for more information on simple mode and advanced mode.
Step 2
From the Connection Entries tab, select the connection entry to use for this VPN session. For simple mode, select a connection entry from the drop-down list.
Step 3
Click Connect at the top of the VPN Client window or double-click the selected connection entry. For simple mode, click the Connect button.
Step 4
Respond to all user authentication prompts.
The user authentication prompts that appear depend on the configuration for this connection entry.
The status bar at the bottom of the main VPN Client window displays your connection status. When connected, the left side of the status bar indicates the connection entry name and the right side displays the amount of time that the VPN tunnel has been established.
Connecting to a Default Connection Entry
If you have configured a default connection entry (sometimes called default user or default profile), the VPN Client uses this connection entry when it starts. The name of this feature is Connect on Open. You can enable it on the Preferences menu; see "VPN Client Menu". An administrator configures this feature for you. For information, see the VPN Client Administrator Guide. For information on setting a connection entry to be the default, see "Creating a Connection Entry".
Choosing Authentication Methods
User authentication means proving that you are a valid user of this private network. User authentication is optional. Your network administrator determines whether user authentication is required.
The VPN Client supports:
• Shared key or VPN group name and group password for authenticating the VPN device
• Mutual group authentication, using a root certificate generally installed by your network administrator
• RADIUS server, RSA Security (SecurID), and digital certificates for authenticating the user
The authentication prompts displayed during the connection process depend on the configuration of your IPSec group. Refer to the appropriate section in this chapter for more information on the user authentication method configured for each connection entry.
Note
User names and passwords are case-sensitive. You have three opportunities to enter the correct information before an error message indicates that authentication failed. Contact your network administrator if you cannot pass user authentication.
The following sections describe each user authentication method that the VPN Client supports.
Shared Key Authentication
The shared key authentication method uses the username and shared key password for authentication (Figure 5-4). The shared key password must be the same as the shared key password configured on the VPN device that is providing the connection to the private network.
Figure 5-4 Shared Key Authentication
Enter your Username and Password and click OK.
VPN Group Name and Password Authentication
The VPN group login method uses your VPN group name and password for authentication (Figure 5-5). You can use VPN group authentication alone or with other authentication methods.
Figure 5-5 VPN Group Authentication
Enter your group name and password and click OK. The group name is the name of the IPSec group configured on the VPN device for this connection entry.
RADIUS Server Authentication
You can use RADIUS server authentication with VPN group authentication. With this type of authentication, two prompts appear. The first prompt is for the VPN group name and password, and the RADIUS user authentication prompt follows (Figure 5-6).
Figure 5-6 User Authentication for RADIUS
Enter your username and password and click OK.
Check the Save Password check box if you do not want to be prompted for your RADIUS password each time you start a VPN session using this connection entry.
Note
If you cannot choose the Save Password option, your system administrator does not allow this option. If you can choose this option, be aware that using it might compromise system security, because your password is stored on your PC and is available to anyone who uses your PC.
If Save Password is checked and authentication fails, your password may be invalid. To eliminate a saved password, choose Erase User Password from the Connection Entries menu.
SecurID Authentication
RSA SecurID® authentication methods include physical RSA SecurID cards and keychain fobs, and PC software called RSA SecurID for passcode generation. RSA SecurID cards can vary. The passcode might be a combination of a PIN and a card code, or you might be required to enter a PIN on the card to display the passcode. Ask your network administrator for the correct procedure.
When you use RSA SecurID passcodes for authentication:
• The process varies slightly for different operating systems.
• If you use physical RSA SecurID cards or keychain fobs, the VPN Client displays the appropriate RSA user authentication dialog box.
• If you use RSA SecurID for passcode generation, it must be running on your workstation.
In most configurations, you use RSA SecurID with VPN group authentication. With this type of authentication, two prompts appear. The first prompt is for the VPN group name and password, and the RSA SecurID user authentication prompt follows (Figure 5-7).
Figure 5-7 User Authentication for RSA SecurID
Enter your username and RSA SecurID passcode and click OK.
Using Digital Certificates
The VPN Client works with Certificate Authorities (CAs) that support SCEP, manual enrollment, or PKCS import.
Each time you establish a VPN connection using a certificate, the VPN Client verifies that your certificate is not expired.
• Valid—A message appears that indicates the validation period for this certificate.
• Expired—A warning appears that indicates when the certificate expired.
Each digital certificate is protected by a password. If the connection entry you are using requires a digital certificate for authentication, the VPN Certificate Authentication dialog box appears (Figure 5-8).
Figure 5-8 Certificate Password
Enter the certificate password and click OK.
For more information on digital certificates, see "Enrolling and Managing Certificates."