PIX 501 Client VPN Issue

Answered Question
May 12th, 2009

Hi All,

I am in the middle of configuring a PIX 501 for VPN. I have a few site-to-site VPNs running and can terminate a client-to-site VPN with no issue. I am having problems getting the client-to-site VPN to issue a username and password challenge when VPNing in: I get a connection using the VPN credentials set in the Secure Client, but no further user challenge.

Can someone advise of suitable config to change this?

Thanks

Adrian

Correct Answer by Anonymous (not verified), Mon, 05/18/2009 - 05:23

Use the crypto map client authentication command to tell the PIX Firewall to use the Xauth (RADIUS/TACACS+ user name and password) challenge during Phase 1 of Internet Key Exchange (IKE) in order to authenticate IKE. If the Xauth fails, the IKE security association is not established. Specify the same AAA server name within the crypto map client authentication command statement that is specified in the aaa-server command statement. The remote user must run Cisco VPN Client version 3.x or later.

Note: Cisco recommends you use Cisco VPN Client 3.5.x or later. VPN Client 1.1 does not work with this configuration. Cisco VPN Client 3.6 and later does not support the transform set of des/sha.

If you need to restore the configuration without Xauth, use the no crypto map client authentication command. The Xauth feature is not enabled by default.

Note: In PIX Firewall Version 5.3 and later, configurable RADIUS ports were introduced. Some RADIUS servers use RADIUS ports other than 1645/1646 (usually 1812/1813). In PIX 5.3 and later, the RADIUS authentication and accounting ports can be changed to ones other than the default 1645/1646 using these commands:

aaa-server radius-authport #

aaa-server radius-acctport #


itsfhome1 Mon, 05/18/2009 - 12:02

Thanks. In testing just now I found that since I have LOCAL authentication for SSH and telnet access to the firewall, the following command was successful:

crypto map outside_map client authentication LOCAL
