HUAWEI SecoClient User Access Guide

Establishing a VPN Connection

After a VPN connection is configured, the connection name is displayed in the Connection drop-down list on the main page of the SecoClient.

  1. You can select the connection name and try Initiating a VPN Connection.
  2. After a VPN tunnel is established, the peer gateway needs to authenticate your identity. For details, see User Identity Authentication. After authentication succeeds, your mobile device will obtain an intranet address. Then, you can securely access intranet resources through the device.

    Currently, the SecoClient supports the following user identity authentication modes. The authentication mode that you can use depends on the configuration on the peer gateway.

    Before establishing a VPN connection, confirm the identity authentication mode with your enterprise network administrator and obtain necessary authentication information such as the user name, password, and certificate from the administrator.

Initiating a VPN Connection

After the VPN connection is configured, you can initiate a VPN connection and establish a VPN tunnel.

Before You Start

  • Before initiating a VPN connection, ensure that the parameter settings in the VPN connection configuration are complete and correct.
  • If you configure a VPN connection by importing a configuration file, access the configuration modification page and check that every mandatory item has been set.

Procedure

  1. Select the configured VPN connection from the Connect drop-down list on the main interface of the SecoClient.
  2. Click Connect to initiate a VPN connection request.

Follow-Up Procedure

  • After a VPN tunnel is established, the peer gateway needs to authenticate your identity. For details, see User Identity Authentication. After authentication succeeds, your mobile device will obtain an intranet address. Then, you can securely access intranet resources through the device.
  • If an error occurs during the connection, rectify the fault by referring to Connection Faults.
  • Alternatively, you can go back to Getting Started and perform subsequent configurations by referring to the task map.

User Identity Authentication

After you initiate a VPN connection request through the SecoClient, the peer gateway returns a user identity authentication request. After authentication succeeds, your mobile device will obtain an intranet address. Then, you can securely access intranet resources through the device.

Currently, the SecoClient supports four user identity authentication modes. The authentication modes require different authentication information. You need to confirm the identity authentication mode with your enterprise network administrator and obtain necessary authentication information such as the user name, password, and certificate from the administrator.

If you have specified the identity authentication mode to be used and obtained the corresponding authentication information, perform the following operations to authenticate the user identity:

User Name/Password Authentication

User name/password authentication is the most commonly used authentication mode.

Before You Start

Obtain the following information required for user name/password authentication from your enterprise network administrator:

  1. Valid user name
  2. Password corresponding to the user name

NOTE:

You can also use the configuration and connection templates in Appendix to check whether the obtained authentication information is complete.

The following table lists the support for user name/password authentication in different OSs and VPN types.

Table 5-1 Support for user name/password authentication

VPN Type/OS

Windows

Mac OS

Linux

SSL VPN

Y

Y

Y

L2TP VPN

Y

Y

L2TP over IPSec VPN

Y

Y

Y

Procedure

  1. Initiate a VPN connection request. The user name/password authentication page is displayed.
  2. Enter the user name and password and click Login.
  3. If the authentication succeeds, the device successfully connects to the intranet. The message "The Connection is successful" or "negotiation succeeded" is displayed.

Follow-Up Procedure

  • If you need to perform two-factor authentication, see Two-Factor Authentication.
  • If the authentication or VPN connection fails, rectify the fault by referring to Connection Faults.
  • If your device successfully connects to the intranet, you can try to access resources in the intranet. If the resources cannot be accessed, rectify the fault by referring to Service Faults.
  • Alternatively, you can return to Getting Started to view other content on the task map.

Authentication by Importing the PKI Digital Certificate

You can install the PKI digital certificate provided by your enterprise network administrator to your mobile device and log in to the VPN gateway through certificate authentication. In SSL VPN scenarios, PKI digital certificate-anonymous authentication and PKI digital certificate-challenge authentication are supported.

Before You Start

Obtain the following information required for PKI digital certificate authentication from your enterprise network administrator:

  1. Valid PKI digital certificate
  2. Login password corresponding to the user name extracted from the certificate (required only in PKI digital certificate-challenge authentication mode)
  3. Login user name and password (required only in the L2TP over IPSec VPN scenario)

NOTE:

You can also use the configuration and connection templates in Appendix to check whether the obtained authentication information is complete.

The following table lists the support for PKI digital certificate authentication in different OSs and VPN types.

Table 5-2 Support for PKI digital certificate authentication

| VPN Type/OS | Windows | Mac OS | Linux |
|---|---|---|---|
| SSL VPN (certificate-anonymous authentication) | Y | Y | Y |
| SSL VPN (certificate-challenge authentication) | Y | Y | Y |
| L2TP VPN | N | N | N |
| L2TP over IPSec VPN | Y | Y | N |

Procedure

  1. Import the PKI digital certificate to your mobile device.

    • In the Windows certificate authentication scenario, import the certificate to Internet Explorer.
    • In the Mac OS certificate authentication scenario, import the certificate to Credential.
    • In the Linux certificate authentication scenario, save the certificate in the Certificate folder in the main directory.

  2. Double-click the certificate to install it as prompted.
  3. Initiate a VPN connection request. The certificate authentication page is displayed.
  4. In the Certificate list, select the imported PKI digital certificate. If the SSL VPN certificate-challenge authentication mode is used, enter the login password corresponding to the user name extracted from the certificate. For an L2TP over IPSec VPN connection, you need to enter the user name and password. Then, click Login.
  5. If the authentication succeeds, the device successfully connects to the intranet. The message "The Connection is successful" or "negotiation succeeded" is displayed.

Follow-Up Procedure

  • If you need to perform two-factor authentication, see Two-Factor Authentication.
  • If the authentication or VPN connection fails, rectify the fault by referring to Connection Faults.
  • After your device successfully connects to the intranet, you can try to access resources in the intranet. If the resources cannot be accessed, rectify the fault by referring to Service Faults.
  • Alternatively, you can return to Getting Started to view other content on the task map.

USB Key Authentication

You can insert the USB key device provided by your enterprise network administrator into the USB port of your mobile device and use the certificate in the USB key for identity authentication. USB key certificate-anonymous authentication and USB key certificate-challenge authentication are supported in SSL VPN scenarios. In the L2TP over IPSec VPN scenario, if IPSec Identity Authentication Mode is set to USB Key Digital Signature Authentication, USB key certificate authentication is used.

Before You Start

Obtain the following information required for USB key certificate authentication from your enterprise network administrator:

  1. USB key device, driver, and PIN
  2. Login password corresponding to the user name extracted from the certificate (This password is required only in USB key certificate-challenge authentication mode.)
  3. Login user name and password (required only in the L2TP over IPSec VPN scenario)

NOTE:

You can also use the configuration and connection templates in Appendix to check whether the obtained authentication information is complete.

The following table lists the support for USB key certificate authentication in different OSs and VPN types.

Table 5-3 Support for USB key certificate authentication

| VPN Type/OS | Windows | Mac OS | Linux |
|---|---|---|---|
| SSL VPN (certificate-anonymous authentication) | Y | N | N |
| SSL VPN (certificate-challenge authentication) | Y | N | N |
| L2TP VPN | N | N | N |
| L2TP over IPSec VPN | Y | N | N |

Procedure

  1. Insert the USB key into the USB port of your mobile device and install the USB key driver.
  2. Initiate a VPN connection request. The certificate authentication page is displayed.
  3. In the Certificate list, select the identified USB key certificate. If the SSL VPN certificate-challenge authentication mode is used, enter the login password corresponding to the user name extracted from the certificate. For an L2TP over IPSec VPN connection, you need to enter the user name and password. Then, click Login.
  4. In the displayed dialog box, enter the PIN of the USB key device and click OK.
  5. If the authentication succeeds, the device successfully connects to the intranet. The message "The Connection is successful" or "negotiation succeeded" is displayed.

Follow-Up Procedure

  • If you need to perform two-factor authentication, see Two-Factor Authentication.
  • If the authentication or VPN connection fails, rectify the fault by referring to Connection Faults.
  • After your device successfully connects to the intranet, if you can access the resources in the intranet but cannot access the Internet, rectify the fault by referring to Service Faults.
  • Alternatively, you can return to Getting Started to view other content on the task map.

Two-Factor Authentication

In SSL VPN scenarios, the client supports two-factor authentication. That is, the client uses a dynamic token or SMS verification code to perform secondary authentication based on user name/password authentication or certificate authentication.

Before You Start

Contact your enterprise network administrator to prepare the device for receiving the dynamic token or SMS verification code. The device is used to obtain the verification information required for two-factor authentication.

Before performing two-factor authentication, you need to perform initial authentication. Confirm with your enterprise network administrator about the authentication mode and complete the authentication by referring to one of the following sections:

NOTE:

You can also use the configuration and connection templates in Appendix to check whether the obtained authentication information is complete.

Procedure

  1. After the initial authentication succeeds, a dialog box is displayed, asking you to enter the dynamic token or SMS verification code for two-factor authentication.
  2. Obtain the dynamic token or SMS verification code on the receiving device, enter it in the text box, and click OK.
  3. After two-factor authentication succeeds, your device successfully connects to the intranet. The message "The Connection is successful" or "negotiation succeeded" is displayed.

Follow-Up Procedure

  • If the authentication or VPN connection fails, rectify the fault by referring to Connection Faults.
  • After your device successfully connects to the intranet, you can try to access resources in the intranet. If the resources cannot be accessed, rectify the fault by referring to Service Faults.
  • Alternatively, you can return to Getting Started to view other content on the task map.
Updated: 2019-02-22

Document ID: EDOC1100025211
