cisco remote access vpn client access to the HQ.

arumugasamy · ‎04-06-2008

Hello Experts,

I setup the remote access vpn with ASA 5520 AS gateway.When the client initiate the tunnel by running the vpn clinet application the username ,password screen appear and the user has to complete it to get access.

What they want is to access directly thro tunnel without any authen screen. They want direct tunnel connection.

Is there any way ?

swami

trustcisco · ‎04-06-2008

Why don't you choose to let clients save the password in the vpn client. This way they will enter tha password once and the will have a direct tunnel connection. Choosing not to use a password is very unsecure.

JORGE RODRIGUEZ · ‎04-06-2008

Swami, in order to accomplish no user authentication required and go straight trough the tunnel at least I know there is one method and Im sure there may be other methods Im not familiar with yet, you can configure your asa firewall tunnel group Ipsec Ike authentication parameters to not requiering user authentication but still authenticate through the tunnel group, while you can save in vpn client the tunnel group name and pre-share key password the no user name autentication will not be enforced.

Connect to your firewall command line and explore your isakmp user authentication for your particular RA tunnel name.

Example:

tunnel-group ipsec-attributes

isakmp ikev1-user-authentication xauth <--remove

replace with

isakmp ikev1-user-authentication none

This can be easily edited to enable user authentication again by simply revsering the script above, also this only applies to a RA specific tunnel group and not others in case you have other RA tunnel groups.

I believe but not sure as I need to explorer other obtions you may accomplish to save user name and authentication through certificate profiles provided by the firewall administrator to be imported into the vpn client, but again I am not to sure and cannot provide fruther comment on other methods.

HTH

Rgds

Jorge

Jorge Rodriguez