03-28-2007 05:31 AM - edited 03-11-2019 02:52 AM
Hi,
I would like to terminate my remote access VPN on a PIX 525 software 6.3(4).
Can I use the following command to enable local user authentication:
crypto map my-map client authentication local
I do not have an AAA server in the environment.
(This is a design only, so I don't have the kit to test on either.)
Many thanks!
Carl.
03-29-2007 01:07 AM
If local authentication was used, I'm now guessing that this would expose my firewall credential to remote access users. Something that is not desirable.
Any way around this? Can I specify user groups etc.?
Thanks.
03-29-2007 08:27 AM
Hi Carl,
Yes, you can authenticate VPN users to the LOCAL user database.
If you also authenticate to the PIX using Telnet/SSH/HTTPS to the LOCAL database, then yes, those users will also be able to authenticate. However, you can set their privilege level to 1 and thus they will not be able to get into enable mode. (You could also use a separate global enable password instead of using the LOCAL database for the enable password.)
Hope it helps,
David.
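As an added example (not posted by either participant), a PIX 6.3 configuration fragment laying out the arrangement David describes; the map name is Carl's, while user names, passwords and the choice of SSH as the management protocol are assumed:

```text
! Added example, not from the thread. PIX 6.3(4); "my-map" is the crypto map from the question.
! LOCAL user database: VPN users are held at privilege 1, the administrator at 15.
username vpnuser1 password VpnPass123 privilege 1
username carl password AdminPass456 privilege 15
! Remote-access (xauth) users are checked against the LOCAL database, no AAA server needed.
crypto map my-map client authentication LOCAL
! Management logins also use the LOCAL database.
aaa authentication ssh console LOCAL
! Option 1 (David's first suggestion): enable-mode access is also checked against LOCAL,
! so a privilege-1 VPN user who reaches the CLI cannot get past level 1.
aaa authentication enable console LOCAL
! Option 2 (David's alternative): omit the line above and keep a separate global
! enable password, so no VPN user's password ever doubles as the enable secret.
! enable password Sep4rateEnableSecret
```

Either way a VPN user's credential still works for a level-1 SSH login to the PIX itself, so limiting which source addresses may open SSH to the firewall remains worthwhile.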