Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
893
Views
0
Helpful
3
Replies

Disable pre shared key attribute for Remote Access w/ ASA

mark.white
Level 1
Level 1

‎12-01-2007 04:32 PM - edited ‎02-21-2020 01:49 AM

We just started configuring ASAs for VPN access after years of using the PIX. One of the biggest changes that I have noticed for the Remote Client Access is the use of a pre-shared key. Is there a way to disable the pre-shared-key attribute under the tunnel-group <groupname> ipsec-attributes and just require clients to authenticate with the username/password combination like in the 6.3(5) code? If so, how? Any advice would be truly helpful.

Thax in advance!

0 Helpful
3 Replies 3

srue
Level 7
Level 7

‎12-02-2007 06:26 AM

that pre-shared key is just the group password.

are you wanting to not use group names/passwords?

or are you *just* wanting to use group names/passwords?

to disable xauth:

tunnel-group grp_name ipsec-attributes

pre-shared-key *

isakmp ikev1-user-authentication none

0 Helpful

mark.white
Level 1
Level 1
In response to srue

‎12-02-2007 11:02 PM

What I want to do is not use the group names password. I just want to be able to have clients use their username and a password that is unique to each username (so, no pre-shared key at all).

For example here is a config from the 6.3(5) code:

crypto ipsec transform-set strongset esp-aes esp-sha-hmac

crypto dynamic-map stuff 10 set transform-set strongset

crypto map mymap 10 ipsec-isakmp dynamic stuff

isakmp identity address

isakmp nat-traversal

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption aes

isakmp policy 10 hash sha

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

isakmp log 300

vpngroup username address-pool ippool

vpngroup username idle-time 1800

vpngroup username split-tunnel 103

vpngroup username password blah

crypto map mymap interface outside

isakmp enable outside

wr me

No pre-shared key was needed. How do I migrate this code over to the ASA?

Thax!

0 Helpful

srue
Level 7
Level 7
In response to mark.white

‎12-03-2007 05:26 PM

The preshared key was the password defined here:

vpngroup username password blah

that served the same purpose as the tunnel-group preshared key. They are functionally equivalent.

in 7.x and later, the tunnel-group name takes the place of the vpngroup name , and the preshared key attribute takes the place of the vpngroup password..

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card