user authentication for vpn on cisco pix 515

Unanswered Question
Feb 22nd, 2008
Hi all. Below is part of my current config.

ip local pool vpnpool 192.168.10.151-192.168.10.170
pdm location x.x.x.x 255.255.255.248 outside
pdm location 192.168.10.0 255.255.255.0 inside
pdm location 192.168.10.2 255.255.255.255 inside
pdm location x.x.x.x 255.255.255.248 outside
pdm location apsrv 255.255.255.255 inside
pdm location x.x.x.x 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp x.x.x.x ssh applsrv ssh netmask 255.255.255.255 0 0
access-group 110 in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authorization command LOCAL
http server enable
http x.x.x.x 255.255.255.248 outside
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set peer x.x.x.x x.x.x.x
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp client configuration address-pool local vpnpool outside
isakmp nat-traversal 3600
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup sevpn address-pool vpnpool
vpngroup sevpn dns-server 192.168.10.2
vpngroup sevpn default-domain abc.edu.sg
vpngroup sevpn split-tunnel 101
vpngroup sevpn idle-time 1800
vpngroup sevpn password ********
vpngroup split-tunnel idle-time 1800
telnet 192.168.10.0 255.255.255.0 inside
telnet apsrv 255.255.255.255 inside
telnet timeout 5
ssh x.x.x.x 255.255.255.248 outside
ssh timeout 5
console timeout 5
vpdn enable outside
username administrator password grYy2xe.MAY6tCua encrypted privilege 15
username user1 password xxx privilege 5
username user2 password xxxx privilege 3
privilege show level 0 command version
privilege show level 0 command curpriv
privilege show level 3 command pdm
privilege show level 3 command blocks
privilege show level 3 command ssh
privilege configure level 3 command who
privilege show level 3 command isakmp
privilege show level 3 command ipsec
privilege show level 3 command vpdn
privilege show level 3 command local-host
privilege show level 3 command interface
privilege show level 3 command ip
privilege configure level 3 command ping
privilege show level 3 command uauth
privilege configure level 5 mode enable command configure
privilege show level 5 command running-config
privilege show level 5 command privilege
privilege show level 5 command clock
privilege show level 5 command ntp
privilege show level 5 mode configure command logging
privilege show level 5 command fragment
terminal width 80
Cryptochecksum:xxx
: end



Right now my users can VPN into my office network via the VPN client. But they are not prompted for a username and password. Can I enable user authentication by adding the commands below? Do I need to add anything else?

aaa authentication enable console LOCAL
username <user_name> password <secret_pwd> privilege 0

johnd2310 Mon, 02/25/2008 - 20:02

Hi,

Configure aaa and then enable Xauth with the "crypto map client authentication" command.


Thanks

John
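The Xauth change John describes, written out against the posted PIX 6.x configuration as an added example (not from the original thread). The map name "mymap" and the "LOCAL" server tag come from the config above; the username "vpnuser1" and its password are placeholders, and note that "aaa authentication enable console LOCAL" only controls who may enter enable mode on the firewall itself, not remote-access VPN logins.

```text
! Before: the only secret checked is the shared group key, so anyone who holds
! "vpngroup sevpn password" gets a tunnel without any per-user login.
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
vpngroup sevpn password ********

! After: bind the crypto map to an AAA server tag. The PIX then runs an IKE
! Extended Authentication (Xauth) username/password exchange after phase 1
! and refuses to bring the tunnel up until the user is accepted.
aaa-server LOCAL protocol local
crypto map mymap client authentication LOCAL

! Per-user accounts in the local database (placeholder credentials).
! Privilege 0 keeps a VPN-only account from gaining CLI rights if it is
! ever presented at the firewall's own management interfaces.
username vpnuser1 password <secret_pwd> privilege 0

! Check that the binding took effect: the map listing should now show the
! "client authentication LOCAL" line alongside the existing dynamic entry.
show crypto map
```

If the accounts are held on a RADIUS server instead of the PIX itself, the same "crypto map mymap client authentication" command takes the RADIUS server tag once that aaa-server group has a host and key defined.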
