02-21-2008 06:47 PM
Hi all. Currently I am using a Cisco PIX 515 as the VPN device, using IPsec for my office users to get into the office network from home. I have configured an IPsec profile in my office users' VPN client. However, there is no user authentication (available for the ASA 5510) when my users connect the VPN client to my office network. Is it possible to set user authentication on the PIX 515? Thanks in advance.
02-21-2008 09:35 PM
Have you created user accounts on your PIX?
These accounts require a username and password.
A sample config:
username kwere password s34oh/7HNFIVJ encrypted
username kwere attributes
 vpn-group-policy remote_users
 vpn-tunnel-protocol IPSec webvpn
 webvpn
  svc keep-installer installed
group-policy remote_users attributes
 banner none
 vpn-tunnel-protocol IPSec webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value access_list_for_split_tunnel
 webvpn
  svc enable
  svc keep-installer installed
  svc rekey time 30
  svc rekey method ssl
  svc compression none
access-list access_list_for_split_tunnel standard permit x.x.x.x mask
and the associated tunnel-group parameters.
02-21-2008 10:11 PM
Hi. Thanks for your reply. Currently my office users are already able to VPN into my office network from home. I configured the group accounts as shown in the example commands below. I configured the group authentication in the VPN client on my users' PCs. Right now my users can get connected via VPN by just double-clicking the profile saved in their VPN client, without being prompted for a username and password. Hence I would like to set up user authentication so that they are prompted for a username and password before the connection is established. Thanks in advance.
vpngroup abc address-pool vpnpool
vpngroup abc dns-server 192.168.x.x
vpngroup abc default-domain abc.edu
vpngroup abc split-tunnel 101
vpngroup abc idle-time 1800
vpngroup abc password ********
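The vpngroup commands above are PIX 6.x syntax, and on that release extended authentication (XAUTH) is switched on per crypto map rather than per tunnel-group. The following is an added example, not configuration from the thread or from Cisco's how-to: the first part is the posted setup as it behaves today, the second part adds the per-user prompt. The crypto map name outside_map, the dynamic map dynmap, the transform set, the DNS address, the user name alice and the assumption of PIX 6.3 software are all mine; the isakmp policy, transform-set and sysopt lines of the already working configuration are unchanged and left out.

```cisco
! Added example, not from the original thread. PIX 6.3 syntax is assumed
! because "vpngroup" is the PIX 6.x way to define a remote-access group.
! outside_map, dynmap, ESP-3DES-SHA, 192.168.1.10 and alice are assumptions.

! --- As posted: the group pre-shared key is the only credential ---------------
! The group password is stored in every user's .pcf profile, so anyone holding
! a copy of that profile connects without a prompt: no XAUTH server is bound
! to the crypto map that terminates the clients.
vpngroup abc address-pool vpnpool
vpngroup abc dns-server 192.168.1.10
vpngroup abc default-domain abc.edu
vpngroup abc split-tunnel 101
vpngroup abc idle-time 1800
vpngroup abc password GroupSecret
crypto dynamic-map dynmap 10 set transform-set ESP-3DES-SHA
crypto map outside_map 10 ipsec-isakmp dynamic dynmap
crypto map outside_map interface outside

! --- Fix: local user database plus XAUTH on the same crypto map ---------------
! The group password stays in place (it still authenticates IKE phase 1);
! "client authentication LOCAL" then makes the PIX demand a per-user name and
! password from the VPN Client before the tunnel is built. Point it at a
! RADIUS/TACACS+ aaa-server group instead of LOCAL to use an external directory.
aaa-server LOCAL protocol local
username alice password ChangeMe123
crypto map outside_map client configuration address initiate
crypto map outside_map client authentication LOCAL
```

No change is needed in the VPN Client profile: once the crypto map carries the client authentication line, the client pops up the username/password dialog on connect and the session is refused when the credentials do not match a username entry on the PIX. On PIX 7.x the same effect comes from the tunnel-group commands in the later reply (authentication-server-group LOCAL together with isakmp ikev1-user-authentication xauth).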
02-21-2008 11:08 PM
Here is a complete listing of the how-to and the associated link from cisco.com:
Initial tunnel setup
tunnel-group remote_clients type ipsec-ra
tunnel-group remote_clients general-attributes
 authentication-server-group LOCAL
 ! XAUTH user names and passwords are checked against the local username database
 no accounting-server-group
 default-group-policy remote_users
 ! (the policy name was missing from the listing; remote_users is the group policy defined below)
 no dhcp-server
 no nac-authentication-server-group
 no strip-realm
 no password-management
 no override-account-disable
 no strip-group
 no authorization-required
 authorization-dn-attributes CN OU
----------------------------------------------------------------------------------------------------------------------------
Tunnel for the vpn clients
tunnel-group remote_clients ipsec-attributes
 pre-shared-key <your-group-password>
 peer-id-validate req
 no chain
 no trust-point
 isakmp keepalive threshold 300 retry 2
 no radius-sdi-xauth
 isakmp ikev1-user-authentication xauth
 ! this line is what makes the VPN Client prompt for a username and password before the tunnel is built
------------------------------------------------------------------------------------------------------------------------------
Group policy
group-policy remote_users attributes
 banner none
 vpn-tunnel-protocol IPSec webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value access_list_for_split_tunnel
 ! the webvpn / svc lines below are SSL VPN settings for the ASA; a PIX has no WebVPN, so they can be left out there
 webvpn
  svc enable
  svc keep-installer installed
  svc rekey time 30
  svc rekey method ssl
  svc compression none
-------------------------------------------------------------------------------------------------------------------------------
Network reachable by vpn
access-list access_list_for_split_tunnel standard permit x.x.x.x mask
User accounts
username kwere password xxx encrypted
username kwere attributes
 vpn-group-policy remote_users
 vpn-tunnel-protocol IPSec webvpn
 webvpn
  svc keep-installer installed
-------------------------------------------------------------------------------------------------------------------------------
Link to the how-to at cisco.com:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008060f25c.shtml#cli