Disable XAuth for Remote VPN Access

Answered Question
Jul 10th, 2014

Hi guys,

I would like to know if I can skip XAuth for Remote VPN Access on a router.

Here's my config, all working beautifully; still, when connecting I would like not to see any username & password window after clicking on the VPN profile.

aaa authentication login VPNUSERSAUTH local
aaa authorization network VPNUSERS local
username ra-user privilege 0 secret 1cannotTELu
!
crypto isakmp policy 7
 encr aes
 hash sha
 authentication pre-share
 group 2
!
crypto isakmp client configuration group VPNUSERS
 key theKEYallneedt0
 pool VPN-POOL
 acl ACL-SPLIT-VPN
!
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map VPNDYNMAP 1
 ! note: the transform-set defined above is named 3DES-SHA, but the dynamic map
 ! references ESP-AES128-SHA; the two names must match for the dynamic map to work
 set transform-set ESP-AES128-SHA
 reverse-route
!
crypto map MAP-OUTSIDE client authentication list VPNUSERSAUTH
crypto map MAP-OUTSIDE isakmp authorization list VPNUSERS
crypto map MAP-OUTSIDE client configuration address respond
crypto map MAP-OUTSIDE 6500 ipsec-isakmp dynamic VPNDYNMAP
!
ip local pool VPN-POOL 10.1.24.1 10.1.24.25
ip access-list extended ACL-SPLIT-VPN
 permit ip 192.168.11.0 0.0.0.255 10.1.24.0 0.0.0.255

Many thanks!
Correct Answer
Dinesh Moudgil Thu, 07/10/2014 - 04:04

Hi Florin,


In the case of remote access VPN, the user has to be authenticated either via username/password or certificates.
You can deploy certificate-based authentication as follows:
http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/22520-unityclient-ios.html#router-config

This will use the certificate for user authentication and won't prompt for username/password.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Marcin Latosiewicz Thu, 07/10/2014 - 07:15

To add: IKE authentication can use RSA (certs, signature, encryption) or PSK; XAuth can be done with user/pass only or skipped altogether.

To bypass XAuth, either remove client authentication or set the AAA group to none. It's been a while since I tested this. I think the latter should work on IOS.

Florin Barhala Thu, 07/10/2014 - 12:28

Hi Marcin,

Before posting I tried:

aaa authentication login VPNUSERSAUTH none

But at this moment it's still asking for user and password and, even more, it works with any local user.
I also tried:

aaa authorization network VPNUSERS none

After that, the login window ceased to pop up. So if you find a real method to skip this authentication...
Marcin Latosiewicz Thu, 07/10/2014 - 12:30

Florin, did you by any chance try removing the client authentication statement (from the crypto map or the isakmp profile)?

M.

Florin Barhala Thu, 07/10/2014 - 12:31

I think I did, but I will retry tomorrow. Either way I doubt it will work, but I will come back with the outcome.

Marcin Latosiewicz Thu, 07/10/2014 - 12:33

Florin,

I _remember_ this working with an isakmp profile. But it's something I did a couple of years ago at least.

M.
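A worked configuration for the approach Marcin describes, an ISAKMP profile with no `client authentication list` so the router never starts the XAuth exchange, added here as an editorial example; it is not config posted by either participant. It reuses the names from Florin's config and assumes that `aaa new-model` is already enabled, that the outside interface is GigabitEthernet0/0, and that AES-128 is the intended IPsec transform (Florin's post defines 3DES-SHA but references ESP-AES128-SHA, so the example defines the name it references):

```cisco
! Assumed already present on the router (not shown in the original post)
aaa new-model
! Group authorization only: XAuth login list is intentionally not configured
aaa authorization network VPNUSERS local
!
crypto isakmp policy 7
 encr aes
 hash sha
 authentication pre-share
 group 2
!
! The group pre-shared key is the only credential the client presents
crypto isakmp client configuration group VPNUSERS
 key theKEYallneedt0
 pool VPN-POOL
 acl ACL-SPLIT-VPN
!
! ISAKMP profile replaces the three "crypto map MAP-OUTSIDE client/isakmp ..." lines.
! "client authentication list" is deliberately omitted, so no XAuth request is sent
! and the VPN client shows no username/password window.
crypto isakmp profile RA-NOXAUTH
 match identity group VPNUSERS
 isakmp authorization list VPNUSERS
 client configuration address respond
!
crypto ipsec transform-set ESP-AES128-SHA esp-aes 128 esp-sha-hmac
!
crypto dynamic-map VPNDYNMAP 1
 set transform-set ESP-AES128-SHA
 set isakmp-profile RA-NOXAUTH
 reverse-route
!
crypto map MAP-OUTSIDE 6500 ipsec-isakmp dynamic VPNDYNMAP
!
ip local pool VPN-POOL 10.1.24.1 10.1.24.25
ip access-list extended ACL-SPLIT-VPN
 permit ip 192.168.11.0 0.0.0.255 10.1.24.0 0.0.0.255
!
! Assumed outside interface name
interface GigabitEthernet0/0
 crypto map MAP-OUTSIDE
```

After a client connects, `show crypto isakmp sa` and `show crypto session` should show the tunnel up, and with `debug crypto isakmp` running there should be no XAuth request/reply following Phase 1. The security caveat: with XAuth removed, the group pre-shared key is the only thing a client proves possession of, and that key is shared by every user and is typically distributed inside the client profile, so anyone who obtains a copy of the profile can connect as the group, and removing one user means rotating the key for everyone. If the goal is only to avoid the prompt while keeping per-user credentials, the certificate-based authentication Dinesh links to is the better fit.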
