VPN user-authentication on PIX515E 6.3

Gilbert30
Level 1

Hi,

I would like to know how to configure a VPN client user authentication on PIX515E instead of group Authentication.

regards,

Gilbert

5 Replies

JORGE RODRIGUEZ
Level 10

Gilbert

You can create a local user database in the PIX for user authentication; they still need to authenticate through the tunnel group though.

This link provides more info, it also applies to 6.x code.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008060f25c.shtml

Jorge

Jorge Rodriguez

Jorge,

Here is the scenario:

I've got a PIX 515E set up for VPN client access using group authentication. There is a group authentication set up. Clients are able to connect by using this group profile on the VPN client. And I want to set it up in such a way that after they click on that profile on the VPN client, there is a second authentication, which is the user authentication.

regards,

gilbert

Currently your VPN clients connect using tunnel group authentication; in order to activate user authentication after they pass the group authentication, you have to either configure an external RADIUS server or build a LOCAL user database within the PIX for your VPN users, and you have to instruct the firewall under your tunnel group how the clients will authenticate using the LOCAL database. For the local database you build the users within the PIX firewall and you have to configure each user name in the database; this is found under the system properties tab/administration/user accounts.

For example, to create two users (privilege 0 is to not allow the users admin access to the firewall, but RA VPN will use the local user database for single-user VPN authentication):

username user1 password xxxxxx privilege 0

username user2 password xxxxxx privilege 0

I believe in 6.x code under your current crypto map you would add the below statement:

crypto map outside_map client authentication LOCAL

but if you are running 7.x or above, the link provided shows how it is done in 7.x.

Read the link and the script process carefully.

Once you create this, your VPN users will get a second authentication window when they VPN in.

Rgds

Jorge

Jorge Rodriguez
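As an added worked example (not from this thread and not a Cisco configuration example), here is a minimal PIX 6.3 remote-access configuration that keeps the group authentication Gilbert already has and adds the per-user XAUTH prompt against the local database that Jorge describes. On 6.3 the "tunnel group" is a vpngroup; the names vpnclients, vpnpool, dynmap and outside_map, the address range and the user names are assumptions, and every password is a placeholder to be replaced. Lines beginning with a colon are PIX configuration comments.

```text
: Phase 1 policy for the Cisco VPN Client: pre-shared group key, XAUTH follows
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

: Group authentication, i.e. the profile the clients already use (assumed name and secret)
ip local pool vpnpool 192.168.100.1-192.168.100.50
vpngroup vpnclients address-pool vpnpool
vpngroup vpnclients idle-time 1800
vpngroup vpnclients password GROUP-SECRET-PLACEHOLDER

: Phase 2 transform set and the dynamic crypto map for remote-access peers
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic dynmap
crypto map outside_map client configuration address initiate
crypto map outside_map client configuration address respond

: Second authentication: XAUTH against the PIX local user database
: (the LOCAL aaa-server tag is predefined on 6.3; restating it is harmless)
aaa-server LOCAL protocol local
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
sysopt connection permit-ipsec

: Local users for XAUTH only; privilege 0 gives them no admin access to the firewall
username user1 password USER1-SECRET-PLACEHOLDER privilege 0
username user2 password USER2-SECRET-PLACEHOLDER privilege 0
```

The single line that produces the second login window is `crypto map outside_map client authentication LOCAL`; everything else is the group setup the clients already pass. Because the group pre-shared key is shared by every client, the per-user credentials are what actually tie a session to a person, so the usernames above should be individual accounts rather than a second shared login, and removing a user from the local database (or from RADIUS, if that is used instead of LOCAL) is how access is revoked without changing the group secret for everyone.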

khaledmansour
Level 1

Hi George,

I would like to know how you did it based only on group authentication. I don't need individual user authentication. I'd appreciate it if you could pass a sample config. Thanks.

Hi Khaled,

If you just want to authenticate only through the tunnel group and not be prompted for individual user authentication, it is possible; I had a similar question a week ago.

Refer to this link, but I do not know if the command isakmp ikev1-user-authentication none exists in PIX code 6.3.x if you are running 6.x code.

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=Firewalling&topicID=.ee6e1fa&fromOutline=&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc0bc14

HTH

Rgds

-Jorge

PLS Rate any helpful post if it helped

Jorge Rodriguez