About L2TP User Authentication
When you configure Mobile VPN with L2TP, you select authentication servers, and configure users and groups for authentication. The users and groups you specify must exist on the selected authentication server.
Mobile VPN with L2TP supports two authentication methods:
Local authentication on the Firebox (Firebox-DB)
You can use the local authentication server on the Firebox for L2TP user authentication. If you use Firebox-DB for authentication, you must use the L2TP-Users group that is created by default. You can also add other users and groups in the L2TP configuration. The users and groups you add to the L2TP configuration are automatically included in the L2TP-Users group.
When you add a user or group to the Mobile VPN with L2TP configuration and select Firebox-DB as the authentication server, this does not automatically add the user or group for Firebox authentication. You must also add users and groups in the Firebox authentication settings. For detailed instructions to add users and groups, see Define a New User for Firebox Authentication and Define a New Group for Firebox Authentication.
RADIUS authentication
You can use a RADIUS server for L2TP user authentication. If you use a RADIUS server for authentication, you can use the default L2TP-Users group (if you also add that group on the RADIUS authentication server), or you can add the names of users and groups that exist in the RADIUS authentication server database.
If you want to use an Active Directory database for authentication, you can configure your RADIUS server to use the Active Directory database. Then you can configure the RADIUS server on the Firebox, select RADIUS as the authentication method for Mobile VPN with L2TP, and add the users and groups from your Active Directory database to the Mobile VPN with L2TP configuration.
For more information about how to configure a RADIUS server to use an Active Directory database, see RADIUS Authentication with Active Directory For Mobile VPN Users.
Mobile VPN with L2TP does not support RADIUS two-factor authentication.