04-24-2008 07:38 PM
Hi,
I would like to know how to configure a VPN client user authentication on PIX515E instead of group Authentication.
regards,
Gilbert
04-24-2008 08:24 PM
Gilbert
You can create a local user database in the PIX for user authentication; they still need to authenticate through the tunnel group though.
This link provides more info, it also applies to 6.x code.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008060f25c.shtml
Jorge
04-25-2008 03:37 PM
Jorge,
Here is the scenario:
I've got a PIX 515E set up for VPN clients to access using group authentication. There is a group authentication setup. Clients are able to connect by using this group profile on the VPN client. And I want to set it up in such a way that, after they click on that profile on the VPN client, there is a second authentication, which is for the user authentication.
regards,
gilbert
04-25-2008 10:01 PM
Currently your VPN clients connect using tunnel group authentication. In order to activate user authentication after they pass the group authentication, you have to either configure an external RADIUS server or build a LOCAL user database within the PIX for your VPN users, and you have to instruct the firewall under your tunnel group how the clients will authenticate using the LOCAL database. You build the users for the local database within the PIX firewall, and you have to configure each user name in the database; this is found under the system properties tab/administration/user accounts.
For example, to create two users (privilege 0 is to not allow users admin access to the firewall, but RA VPN will use the local user database for single-user VPN authentication):
username user1 password xxxxxx privilege 0
username user2 password xxxxxx privilege 0
I believe in 6.x code, under your current crypto map, you would add the below statement:
crypto map outside_map client authentication LOCAL
But if you are running 7.x or above, the link provided shows how it is done in 7.x.
Read the link and the script process carefully.
Once you create this, your VPN users will get a second authentication window when they VPN in.
Rgds
Jorge
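The following is an added example, not part of any post in this thread: a small audit script that reads a PIX 6.x-style configuration and reports which client-facing crypto maps carry the `client authentication` statement quoted above and which local users are not at privilege 0. The sample configuration is constructed; the names `branch_map`, `opsadmin` and the dynamic map names are placeholders, and treating any crypto map with a dynamic entry as a remote-access map is an assumption.

```python
import re

# Constructed sample config (not from the thread); names and passwords are placeholders.
SAMPLE_CONFIG = """\
username user1 password xxxxxx privilege 0
username user2 password xxxxxx privilege 0
username opsadmin password xxxxxx privilege 15
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
crypto map branch_map 10 ipsec-isakmp dynamic branch_dyn_map
crypto map branch_map interface dmz
"""

USER_RE = re.compile(r"^username\s+(\S+)\s+password\s+\S+(?:\s+encrypted)?(?:\s+privilege\s+(\d+))?")
XAUTH_RE = re.compile(r"^crypto map\s+(\S+)\s+client authentication\s+(\S+)")
DYN_RE = re.compile(r"^crypto map\s+(\S+)\s+\d+\s+ipsec-isakmp dynamic\s+\S+")

def audit(config):
    """Report user-authentication coverage for client-facing crypto maps."""
    users, xauth, ra_maps = {}, {}, []
    for raw in config.splitlines():
        line = raw.strip()
        if m := USER_RE.match(line):
            # Privilege is None when the line does not state it explicitly.
            users[m.group(1)] = int(m.group(2)) if m.group(2) else None
        elif m := XAUTH_RE.match(line):
            xauth[m.group(1)] = m.group(2)
        elif m := DYN_RE.match(line):
            # Assumption: a map with a dynamic entry is the one VPN clients use.
            if m.group(1) not in ra_maps:
                ra_maps.append(m.group(1))
    return {
        # Maps where clients get the second (per-user) prompt, and its source.
        "xauth": {n: xauth[n] for n in ra_maps if n in xauth},
        # Maps where only the shared group credential protects access.
        "group_only": [n for n in ra_maps if n not in xauth],
        # LOCAL is selected but no username lines exist to authenticate against.
        "local_without_users": [n for n in ra_maps if xauth.get(n) == "LOCAL" and not users],
        # Accounts not explicitly at privilege 0 (may have admin access).
        "not_privilege_0": sorted(u for u, p in users.items() if p != 0),
    }

if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```
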
06-04-2008 11:53 AM
Hi George,
I would like to know how you did it based only on Group Authentication. I don't need individual user authentication. Appreciate if you can pass a sample config. Thanks.
06-04-2008 03:54 PM
Hi Khaled,
If you just want to authenticate only through the tunnel group and not be prompted for individual user authentication, it is possible. I had a similar question a week ago.
Refer to this link, but I do not know if this command isakmp ikev1-user-authentication none exists in pix code 6.3.x if you are running 6.x code.
HTH
Rgds
-Jorge
PLS Rate any helpful post if it helped