Set 2 levels of authentication for cisco pix 515 for vpn

Unanswered Question
Feb 21st, 2008

Hi all. Currently I am using a Cisco PIX 515 as the VPN device, using IPsec, for my office users getting into the office network from home. I have configured an IPsec profile in my office users' VPN client. However, there is no user authentication (available for the ASA 5510) when my users connect the VPN client to my office network. Is it possible to set user authentication on the PIX 515? Thanks in advance.

DrD3m3nt0 Thu, 02/21/2008 - 21:35

Have you created user accounts on your PIX?

These accounts require a username and password.

A sample config:

username kwere password s34oh/7HNFIVJ encrypted
username kwere attributes
 vpn-group-policy remote_users
 vpn-tunnel-protocol IPSec webvpn
 webvpn
  svc keep-installer installed
group-policy remote_users attributes
 banner none
 vpn-tunnel-protocol IPSec webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value access_list_for_split_tunnel
 webvpn
  svc enable
  svc keep-installer installed
  svc rekey time 30
  svc rekey method ssl
  svc compression none
access-list access_list_for_split_tunnel standard permit x.x.x.x mask

and the associated tunnel-group parameters.

donnie Thu, 02/21/2008 - 22:11

Hi. Thanks for your reply. Currently my office users are already able to VPN into my office network from home. I configured the group accounts as shown in the example commands below. I configured the group authentication in the VPN client on my users' PCs. Right now my users can get connected via VPN by just double-clicking the profile saved in their VPN client, without being prompted for a username and password. Hence I would like to set up user authentication so that they would be prompted for a username and password before establishing the connection. Thanks in advance.

vpngroup abc address-pool vpnpool
vpngroup abc dns-server 192.168.x.x
vpngroup abc default-domain abc.edu
vpngroup abc split-tunnel 101
vpngroup abc idle-time 1800
vpngroup abc password ********

DrD3m3nt0 Thu, 02/21/2008 - 23:08

Here is a complete listing of the how-to and the associated link from cisco.com:

Initial tunnel setup

tunnel-group remote_clients type ipsec-ra
tunnel-group remote_clients general-attributes
 authentication-server-group LOCAL
 no accounting-server-group
 default-group-policy
 no dhcp-server
 no nac-authentication-server-group
 no strip-realm
 no password-management
 no override-account-disable
 no strip-group
 no authorization-required
 authorization-dn-attributes CN OU

----------------------------------------------------------------------------------------------------------------------------

Tunnel for the VPN clients

tunnel-group remote_clients ipsec-attributes
 pre-shared-key (whatever your group password is)
 peer-id-validate req
 no chain
 no trust-point
 isakmp keepalive threshold 300 retry 2
 no radius-sdi-xauth
 isakmp ikev1-user-authentication xauth

------------------------------------------------------------------------------------------------------------------------------

Group policy

group-policy remote_users attributes
 banner none
 vpn-tunnel-protocol IPSec webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value access_list_for_split_tunnel
 webvpn
  svc enable
  svc keep-installer installed
  svc rekey time 30
  svc rekey method ssl
  svc compression none

-------------------------------------------------------------------------------------------------------------------------------

Network reachable by VPN

access-list access_list_for_split_tunnel standard permit x.x.x.x mask

User accounts

username kwere password xxx encrypted
username kwere attributes
 vpn-group-policy remote_users
 vpn-tunnel-protocol IPSec webvpn
 webvpn
  svc keep-installer installed

-------------------------------------------------------------------------------------------------------------------------------

Link to the how-to at Cisco:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008060f25c.shtml#cli
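As an added example, not part of this thread or of the Cisco document linked above: the lines of the listing that actually make the PIX prompt for a username and password (XAUTH against the local user database), condensed into one PIX/ASA 7.x configuration, followed by the show commands used to confirm it took effect. The names remote_clients, remote_users, kwere and vpnpool are taken from the thread; the password, pre-shared key and pool range are placeholders to be replaced.

```cisco
! Local user database that XAUTH will check (password is a placeholder)
username kwere password REPLACE-WITH-USER-PASSWORD
username kwere attributes
 vpn-group-policy remote_users

! Addresses handed out to connected clients (placeholder range)
ip local pool vpnpool 10.10.10.1-10.10.10.50

! Policy applied to every user of this tunnel group
group-policy remote_users internal
group-policy remote_users attributes
 vpn-tunnel-protocol IPSec

! The tunnel group; its name is what the VPN client profile
! must use as the group name
tunnel-group remote_clients type ipsec-ra
tunnel-group remote_clients general-attributes
 address-pool vpnpool
 authentication-server-group LOCAL
 default-group-policy remote_users
tunnel-group remote_clients ipsec-attributes
 pre-shared-key REPLACE-WITH-GROUP-PASSWORD
 isakmp ikev1-user-authentication xauth

! Verification: the first command should show the two
! authentication lines above; the second shows the username
! (not only the group) for each active session once a user
! has connected and passed the prompt
show running-config tunnel-group remote_clients
show vpn-sessiondb remote
```

Two points worth checking in practice. First, the group password in the client profile only authenticates the group (the pre-shared key); without the authentication-server-group and isakmp ikev1-user-authentication lines, every holder of that shared key gets in with no individual credential, which is the situation the question describes. Second, the vpngroup commands in the question belong to the older PIX 6.x command set, not to the 7.x syntax above; on 6.x the corresponding step is to bind a local or AAA server to the crypto map with "crypto map <map-name> client authentication LOCAL", together with the same username accounts. That 6.x note is general product knowledge, not something the thread itself states.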
