PIX Remote Access VPN - Local Authentication

Unanswered Question
Mar 28th, 2007

Hi,


I would like to terminate my remote access VPN on a PIX 525 software 6.3(4).


Can I use the following command to enable local user authentication:

crypto map my-map client authentication local


I do not have an AAA server in the environment.

(This is a design only, so I don't have the kit to test on either.)


Many thanks!

Carl.

carl.forbes Thu, 03/29/2007 - 01:07

If local authentication was used, I'm now guessing that this would expose my firewall credentials to remote access users. Something that is not desirable.


Any way around this? Can I specify user groups, etc.?


Thanks.

David White Thu, 03/29/2007 - 08:27

Hi Carl,


Yes, you can authenticate VPN users to the LOCAL user database.


If you also authenticate to the PIX using Telnet/SSH/HTTPS to the LOCAL database, then yes, those users will also be able to authenticate. However, you can set their privilege level to 1 and thus they will not be able to get into enable mode. (You could also use a separate global enable password instead of using the LOCAL database for the enable password.)


Hope it helps,


David.
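A configuration sketch of the arrangement David describes, added here as an example; it is not taken from the thread or from Cisco documentation. The usernames, passwords, pool and crypto map name are constructed placeholders, and the exact PIX 6.3(4) syntax (notably the upper-case LOCAL server tag and the privilege keyword on username) is assumed and should be checked against the 6.3 command reference before use.

```text
! Constructed example, not from the original thread.
! VPN users live in the LOCAL database but at privilege 1, so even if they
! reach a management interface they cannot get into enable mode.
username vpnuser1 password <VPN-USER-PASSWORD> privilege 1
username vpnuser2 password <VPN-USER-PASSWORD> privilege 1

! Administrator account for Telnet/SSH/HTTPS management at full privilege.
username fwadmin password <ADMIN-PASSWORD> privilege 15

! Option A (David's second suggestion): a separate global enable password,
! so the LOCAL database is never consulted for enable.
enable password <ENABLE-PASSWORD>

! Option B (David's first suggestion, assumed syntax): draw enable from the
! LOCAL database and rely on the per-user privilege level instead.
! aaa authentication enable console LOCAL

! Management-plane logins checked against the LOCAL database.
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL

! Remote access VPN: client (xauth) authentication against the LOCAL database.
! This is the command Carl asked about, with the server tag written as LOCAL.
ip local pool vpn-pool 192.168.100.1-192.168.100.50
crypto map my-map client authentication LOCAL
```

The point to verify on a lab box is the separation of the two credential uses: a VPN-only account should be able to complete xauth but should fail to reach enable mode, while the administrator account retains full access. Checking both outcomes with `show curpriv` after logging in as each user is a quick way to confirm the privilege assignment took effect.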

