PIX 501 Client VPN Issue

Adrian Jones · ‎05-12-2009

Hi All,

In middle of configuring a Pix 501 for VPN. I have running a few VPN's Site to Site and can terminate a Client to Site VPN with no issue. I am having problems getting the Client to Site to initiate a User Username and Password Challenge when VPNing in, I get a connection using the VPN credentials set in the Secure Client but no further user challenge.

Can someone advise of suitable config to change this?

Thanks

Adrian

Report Inappropriate Content · ‎05-18-2009

Use the crypto map client authentication command to tell the PIX Firewall to use the Xauth (RADIUS/TACACS+ user name and password) challenge during Phase 1 of Internet Key Exchange (IKE) in order to authenticate IKE. If the Xauth fails, the IKE security association is not established. Specify the same AAA server name within the crypto map client authentication command statement that is specified in the aaa-server command statement. The remote user must run Cisco VPN Client version 3.x. or later.

Note: Cisco recommends you use Cisco VPN Client 3.5.x or later. VPN Client 1.1 does not work with this configuration. Cisco VPN Client 3.6 and later does not support the transform set of des/sha.

If you need to restore the configuration without Xauth, use the no crypto map client authentication command. The Xauth feature is not enabled by default.

Note: In PIX Firewall Version 5.3 and later, configurable RADIUS ports were introduced. Some RADIUS servers use RADIUS ports other than 1645/1646 (usually 1812/1813). In PIX 5.3 and later, the RADIUS authentication and accounting ports can be changed to ones other than the default 1645/1646 using these commands:

aaa-server radius-authport #

aaa-server radius-acctport #

Adrian Jones · ‎05-18-2009

Thanks. In testing just now I found that since I have LOCAL authentication for SSH and telnet access to the firewall, the following command was successful:

crypto map outside_map client authentication LOCAL