I'm using a VPN installation (Router, ACS, Cisco VPN Client) and I noticed that the group name and decrypted group password can also be used in the second step of authentication (the extended authentication or user authentication), which is a big security concern. What is wrong in my configuration?
For testing I set up a VPN config as described in Cisco documents. There it also works. The group credentials work in the user authentication, too, which is absolutely logical because the group credentials are also a user in the ACS database. Of course this user can be authenticated in the user authentication process.
What's wrong? How do other admins solve this? Am I wrong in my approach?
Yes, authorization will require a password for "cisco", at least for isakmp and pki. The group will send its name and the password of cisco to receive the av-pairs (ASA has a feature to create a different "common-password" but it's not there on IOS, AFAIR).
It's a known restriction - you should not use same server for authentication and authorization, both with IOS and ASA.
Have you given this a thought (either/or):
- local isakmp authorization
- certificate authentication (group)
- splitting authentication and authorization functions between servers.
I don't believe we can do much configuration wise to prohibit this behavior.
edit: corrected spelling.
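One way to put the first option from the reply above into practice, as an added example that is not part of the thread: an IOS Easy VPN server configuration that keeps the ISAKMP group key locally (local isakmp authorization) and sends only the Xauth user logins to the RADIUS server. With the group defined locally, ACS no longer needs a user account carrying the group name and password, so there is nothing for the group credentials to match against during Xauth. The names REMOTE, VPNPROF, VPNPOOL, the list names, the address ranges and the key placeholder are assumptions chosen for the example.

```cisco
! Added example config, not from the original thread.
! Assumed names: REMOTE, VPNPROF, VPNPOOL, XAUTH-USERS, ISAKMP-GROUPS
aaa new-model
! Xauth (user authentication) goes to ACS over RADIUS ...
aaa authentication login XAUTH-USERS group radius
! ... but ISAKMP group authorization stays on the router,
! so no "group user" has to exist in the ACS database.
aaa authorization network ISAKMP-GROUPS local
!
radius server ACS
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key RADIUS-SHARED-SECRET-PLACEHOLDER
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!
! Group definition held locally; the key replaces the
! group password that would otherwise live in ACS.
crypto isakmp client configuration group REMOTE
 key GROUP-PRESHARED-KEY-PLACEHOLDER
 pool VPNPOOL
 dns 192.0.2.53
!
crypto isakmp profile VPNPROF
 match identity group REMOTE
 client authentication list XAUTH-USERS
 isakmp authorization list ISAKMP-GROUPS
 client configuration address respond
 virtual-template 1
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
crypto ipsec profile IPSEC-PROF
 set transform-set TS
 set isakmp-profile VPNPROF
!
interface Virtual-Template1 type tunnel
 ip unnumbered GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROF
!
ip local pool VPNPOOL 10.10.10.1 10.10.10.254
```

This covers the local-authorization option only; the certificate and split-server options from the reply are separate designs. The ACS side then holds just the Xauth users, and `debug crypto isakmp` on the router shows the group being matched locally against REMOTE before the Xauth request is sent to RADIUS.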