PIX Remote Access VPN - Local Authentication

Mar 28th, 2007
I would like to terminate my remote access VPN on a PIX 525 software 6.3(4).

Can I use the following command to enable local user authentication:

crypto map my-map client authentication local

I do not have a AAA server in the environment.

(This is a design only, so I don't have the kit to test on either.)

Many thanks!


carl.forbes Thu, 03/29/2007 - 01:07

If local authentication was used, I'm now guessing that this would expose my firewall credentials to remote access users. Something that is not desirable.

Any way around this? Can I specify user groups, etc.?


David White Thu, 03/29/2007 - 08:27
(Cisco Employee)

Hi Carl,

Yes, you can authenticate VPN users to the LOCAL user database.

If you also authenticate to the PIX using Telnet/SSH/HTTPS to the LOCAL database, then yes, those users will also be able to authenticate. However, you can set their privilege level to 1 and thus they will not be able to get into enable mode. (You could also use a separate global enable password instead of using the LOCAL database for the enable password.)

Hope it helps,
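
The two suggestions above, written out as one PIX 6.3 configuration fragment. This is an added example, not a configuration posted in the thread; the usernames, the map name and the `<...>` password placeholders are assumptions.

```cisco
! Remote access VPN users live in the LOCAL database at privilege 1.
! Even if they reach the PIX over SSH, "enable" will not accept their
! user password because enable is not authenticated against LOCAL below.
username vpnuser1 password <vpn-user-password> privilege 1
username vpnuser2 password <vpn-user-password> privilege 1

! Firewall administrator, the only LOCAL account at privilege 15.
username fwadmin password <admin-password> privilege 15

! Management logins (SSH and PDM over HTTPS) authenticate to LOCAL,
! so the VPN users above could log in, but only with privilege 1.
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL

! Deliberately NOT configured:
!   aaa authentication enable console LOCAL
! Instead a separate global enable password guards enable mode, so a
! privilege-1 VPN user has nothing that gets them past the ">" prompt.
enable password <separate-enable-password>

! XAUTH for the remote access VPN against the LOCAL user database
! (the command asked about in the original question).
crypto map my-map client authentication LOCAL
```

Verify on a lab box by logging in over SSH as one of the privilege-1 accounts and confirming that `enable` rejects the user's own password and only accepts the separate enable password.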


