VPN user-authentication on PIX515E 6.3

Unanswered Question
Apr 24th, 2008


I would like to know how to configure a VPN client user authentication on PIX515E instead of group Authentication.



Gilbert30 Fri, 04/25/2008 - 15:37


Here is the scenario:

I've got a PIX 515E set up for VPN client access using group authentication. There is a group authentication set up. Clients are able to connect by using this group profile on the VPN client. And I want to set it up the way that, after they click on that profile on the VPN client, they get a second authentication, which is the user authentication.



JORGE RODRIGUEZ Fri, 04/25/2008 - 22:01

Currently your VPN clients connect using tunnel group authentication; in order to activate user authentication after they pass the group authentication, you need to either configure an external RADIUS server or build a LOCAL user database within the PIX for your VPN users, and you have to instruct the firewall under your tunnel group how the clients will authenticate using the LOCAL database. For the local database you build the users within the PIX firewall and you have to configure each user name in the database; this is found under the system properties tab/administration/user accounts.

For example, to create two users (privilege 0 is to not allow users admin access to the firewall, but RA VPN will use the local user database for single-user VPN authentication):

username user1 password xxxxxx privilege 0

username user2 password xxxxxx privilege 0

I believe in 6.x code, under your current crypto map, you would add the below statement:

crypto map outside_map client authentication LOCAL

But if you are running 7.x or above, the link provided shows how it is done in 7.x.

Read carefully the link and the script process.

Once you create this, your VPN users will get a second authentication window when they VPN in.
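Putting the pieces of this answer together, the following PIX 6.3 configuration is an added illustration and is not taken from the thread or from Cisco documentation. The map name outside_map and the username lines come from the post above; the vpngroup name remote-users, the pool vpnpool, the dynamic map outside_dyn_map, the address range and the password placeholders are assumptions, and the lines starting with "!" are annotations rather than commands to paste.

```cisco
! --- Local user database (assumed names). privilege 0 keeps these accounts
! --- out of firewall admin access; they exist only for the XAUTH prompt.
aaa-server LOCAL protocol local
username user1 password xxxxxx privilege 0
username user2 password xxxxxx privilege 0

! --- Address pool handed to the VPN clients (assumed range)
ip local pool vpnpool 192.168.100.1-192.168.100.50

! --- Phase 1: ISAKMP policy for the client tunnels
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! --- Group authentication: this is what the clients already do today
! --- (group name and group password are placeholders)
vpngroup remote-users address-pool vpnpool
vpngroup remote-users idle-time 1800
vpngroup remote-users password GROUP-PASSWORD-PLACEHOLDER

! --- Phase 2 and the dynamic crypto map that catches the clients
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client configuration address initiate
crypto map outside_map client configuration address respond

! --- The one line that adds the second, per-user prompt:
! --- XAUTH against the LOCAL database after the group PSK succeeds
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside

! --- Let decrypted IPsec traffic bypass the interface access lists
sysopt connection permit-ipsec
```

To point the per-user prompt at RADIUS instead, the same "client authentication" line names a configured aaa-server group in place of LOCAL; the group password still only identifies the group, so the per-user step is what ties a session to a person in the logs.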



khaledmansour Wed, 06/04/2008 - 11:53

Hi George,

I would like to know how you did it based only on Group Authentication. I don't need individual user authentication. I'd appreciate it if you can pass a sample config. Thanks.

JORGE RODRIGUEZ Wed, 06/04/2008 - 15:54

Hi Khaled,

If you just want to authenticate only through the tunnel group and not be prompted for individual user authentication, it is possible; I had a similar question a week ago.

Refer to this link, but I do not know if the command isakmp ikev1-user-authentication none exists in PIX code 6.3.x, if you are running 6.x code.





PLS Rate any helpful post if it helped

