Disable pre shared key attribute for Remote Access w/ ASA

Unanswered Question

We just started configuring ASAs for VPN access after years of using the PIX. One of the biggest changes that I have noticed for the Remote Client Access is the use of a pre-shared key. Is there a way to disable the pre-shared-key attribute under the tunnel-group <groupname> ipsec-attributes and just require clients to authenticate with the username/password combination like in the 6.3(5) code? If so, how? Any advice would be truly helpful.


Thanks in advance!



srue Sun, 12/02/2007 - 06:26

That pre-shared key is just the group password.

Are you wanting to not use group names/passwords?

Or are you *just* wanting to use group names/passwords?

To disable xauth:

tunnel-group grp_name ipsec-attributes
pre-shared-key *
isakmp ikev1-user-authentication none

What I want to do is not use the group name's password. I just want to be able to have clients use their username and a password that is unique to each username (so, no pre-shared key at all).


For example here is a config from the 6.3(5) code:

crypto ipsec transform-set strongset esp-aes esp-sha-hmac
crypto dynamic-map stuff 10 set transform-set strongset
crypto map mymap 10 ipsec-isakmp dynamic stuff

isakmp identity address
isakmp nat-traversal
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp log 300

vpngroup username address-pool ippool
vpngroup username idle-time 1800
vpngroup username split-tunnel 103
vpngroup username password blah

crypto map mymap interface outside
isakmp enable outside
wr me


No pre-shared key was needed. How do I migrate this code over to the ASA?


Thanks!

srue Mon, 12/03/2007 - 17:26

The preshared key was the password defined here:

vpngroup username password blah

That served the same purpose as the tunnel-group preshared key. They are functionally equivalent.

In 7.x and later, the tunnel-group name takes the place of the vpngroup name, and the preshared key attribute takes the place of the vpngroup password.

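Putting the two replies together, here is the ASA 7.x equivalent of the PIX 6.3(5) config posted above, as an added example that is not from either poster. The vpngroup becomes a tunnel-group whose pre-shared key is the old group password (still a shared group credential, not a per-user one), and the per-user username/password the question asks for is the XAUTH step against the LOCAL user database. The pool range, ACL name, group-policy name and the user account are assumptions; the tunnel-group is kept as "username" only to mirror the posted vpngroup name.

```text
! Phase 2 / crypto map: same syntax as the PIX
crypto ipsec transform-set strongset esp-aes esp-sha-hmac
crypto dynamic-map stuff 10 set transform-set strongset
crypto map mymap 10 ipsec-isakmp dynamic stuff
crypto map mymap interface outside

! Phase 1 policy: same as the PIX; "isakmp log 300" has no ASA equivalent
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp enable outside

! Assumed pool and split-tunnel ACL (PIX used "ippool" and ACL 103)
ip local pool ippool 192.168.100.1-192.168.100.50
access-list split-tunnel standard permit 10.0.0.0 255.0.0.0

! vpngroup idle-time (1800 s) and split-tunnel move to a group-policy
group-policy username_gp internal
group-policy username_gp attributes
 vpn-idle-timeout 30
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel

! vpngroup "username" becomes tunnel-group "username"
tunnel-group username type ipsec-ra
tunnel-group username general-attributes
 address-pool ippool
 default-group-policy username_gp
 authentication-server-group LOCAL
tunnel-group username ipsec-attributes
 pre-shared-key blah
 isakmp ikev1-user-authentication xauth

! Per-user credentials checked by XAUTH (assumed account and placeholder password)
username alice password <set-a-real-password>

write memory
```

The group password is still required by the IKEv1 client to reach the tunnel-group, so the per-user check is added on top of it rather than replacing it; the same was true of the PIX, where "vpngroup username password blah" was that group credential.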