A VPN builds an enterprise's own private network over the Internet, making it feasible and safe to reach enterprise information resources from anywhere on the Internet. VPNs can be roughly divided into three types: Intranet VPN, exclusive VPN and Remote Access VPN. Remote access VPN, which can be reached over PSTN, xDSL, Cable Modem and other links, is widely used because of its strong mobility, low construction investment and low operating cost.
An effective VPN management system should let network administrators track and master the following at any time: the users of the system, the number of connections, abnormal activities and error conditions. Logs and real-time information support fee recording, auditing, alarms and other error reporting. For example, network administrators need to know who is using the system and for how long in order to prepare billing data, and abnormal activities may indicate misuse of the system or insufficient system resources. RADIUS is a lightweight protocol based on UDP that provides user authentication and accounting (billing). Currently, RADIUS supports the following authentication methods: ① user name and password authentication; ② PAP authentication; ③ CHAP authentication. RADIUS is composed of two parts, the client and the server: the client sends authentication and accounting requests to the server, and the server replies with an accept or reject message. Communication between the client and the server is protected by a shared secret.
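The client/server exchange described above, as an added example rather than code from this page or from the Yanyang/Yiyang product: it builds a RADIUS Access-Request whose User-Password is hidden under the shared secret as RFC 2865 specifies, and shows how the client checks the Response Authenticator of the server's accept/reject reply so that a reply from a host without the secret is rejected. The secret, user name, password and Request Authenticator bytes are constructed sample values.

```python
import hashlib
import hmac
import os
import struct
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2

def _attr(atype, value):
    # One attribute in TLV form: Type(1) Length(1) Value
    return struct.pack("!BB", atype, len(value) + 2) + value

def hide_password(password, secret, req_auth):
    # RFC 2865 s5.2: pad to 16-byte blocks; block i is XORed with
    # MD5(secret + Request Authenticator) or MD5(secret + previous ciphertext block).
    pw = password.encode()
    pw += b"\x00" * ((-len(pw) % 16) or (16 if not pw else 0))
    out, prev = b"", req_auth
    for i in range(0, len(pw), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(pw[i:i + 16], mask))
        out += prev
    return out

def recover_password(hidden, secret, req_auth):
    # Server side: undo the XOR chain, then strip the null padding.
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(prev, mask))
    return out.rstrip(b"\x00").decode()

def build_access_request(ident, user, password, secret, req_auth=None):
    # Header: Code(1) Identifier(1) Length(2) Authenticator(16), then attributes.
    req_auth = req_auth or os.urandom(16)  # client picks 16 random bytes
    attrs = _attr(USER_NAME, user.encode())
    attrs += _attr(USER_PASSWORD, hide_password(password, secret, req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def build_response(code, ident, req_auth, attrs, secret):
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret), RFC 2865 s3.
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs

def verify_response(response, req_auth, secret):
    # Client check: a reply whose authenticator does not match must be dropped.
    length = struct.unpack("!H", response[2:4])[0]
    expected = hashlib.md5(response[:4] + req_auth + response[20:length] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])
```

Note that the password hiding and the Response Authenticator rest on MD5 and the strength of the shared secret, which is why modern deployments wrap RADIUS in IPsec or TLS rather than relying on this protection alone.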
The Yanyang Security VPN system supports the standard IPsec and IKE protocols. On this basis it adds some extensions and uses RADIUS to authenticate and account for remote access users. In the authentication and accounting process, the system not only implements user name/password and PAP authentication, but also supports certificate-based strong authentication, with the following features:
1. the RADIUS authentication server is extended within the standard authentication framework, and Yiyang's vendor-specific attributes are added as RADIUS vendor attributes;
2. Active Directory is used to store remote access users and access policies;
3. an internal IP address pool allocates enterprise intranet addresses to remote users, so that remote users can easily access information resources within the enterprise;
4. billing management is implemented for remote access users;
5. security auditing is implemented for remote access users, who are monitored and can be blocked in real time;
6. asynchronous communication with RADIUS ensures that multiple IKE negotiations can be performed simultaneously;
7. an IKE configuration exchange was added to configure the intranet address during negotiation with the remote user.
With the development of technology, new authentication methods will emerge, making user management more convenient and safer.