Disable pre shared key attribute for Remote Access w/ ASA

Unanswered Question

We just started configuring ASAs for VPN access after years of using the PIX. One of the biggest changes that I have noticed for the Remote Client Access is the use of a pre-shared key. Is there a way to disable the pre-shared-key attribute under the tunnel-group <groupname> ipsec-attributes and just require clients to authenticate with the username/password combination like in the 6.3(5) code? If so, how? Any advice would be truly helpful.

Thax in advance!

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
srue Sun, 12/02/2007 - 06:26
User Badges:
  • Blue, 1500 points or more

that pre-shared key is just the group password.

are you wanting to not use group names/passwords?

or are you *just* wanting to use group names/passwords?

to disable xauth:

tunnel-group grp_name ipsec-attributes

pre-shared-key *

isakmp ikev1-user-authentication none

What I want to do is not use the group names password. I just want to be able to have clients use their username and a password that is unique to each username (so, no pre-shared key at all).

For example here is a config from the 6.3(5) code:

crypto ipsec transform-set strongset esp-aes esp-sha-hmac

crypto dynamic-map stuff 10 set transform-set strongset

crypto map mymap 10 ipsec-isakmp dynamic stuff

isakmp identity address

isakmp nat-traversal

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption aes

isakmp policy 10 hash sha

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

isakmp log 300

vpngroup username address-pool ippool

vpngroup username idle-time 1800

vpngroup username split-tunnel 103

vpngroup username password blah

crypto map mymap interface outside

isakmp enable outside

wr me

No pre-shared key was needed. How do I migrate this code over to the ASA?


srue Mon, 12/03/2007 - 17:26
User Badges:
  • Blue, 1500 points or more

The preshared key was the password defined here:

vpngroup username password blah

that served the same purpose as the tunnel-group preshared key. They are functionally equivalent.

in 7.x and later, the tunnel-group name takes the place of the vpngroup name , and the preshared key attribute takes the place of the vpngroup password..


This Discussion