ASA: VPN client asking me to authenticate?

danparsons
Level 1

I'm probably being a total muppet, but my VPN client is asking me to authenticate when I haven't set authentication up.

I would be extremely grateful for any help, as I'm used to configuring PIXes, which are far easier!

Here is the client portion of my config:

group-policy EGRASUSER internal
group-policy EGRASUSER attributes
 wins-server value xxxxxxxxxxx
 dns-server value xxxxxxxxx
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value sptnl
 default-domain value xxxxxxxx
tunnel-group EGRASUSER type ipsec-ra
tunnel-group EGRASUSER general-attributes
 address-pool EGRASPOOL
 default-group-policy EGRASUSER
tunnel-group EGRASUSER ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global

Accepted Solutions

andrew.prince
Level 10

Daniel,

By default, if you do not specify ANY config in the profile "EGRASUSER" then the device will apply any "default" configuration from the "DfltGrpPolicy" attributes.

So if you do not want any user auth, then configure the below:-

group-policy EGRASUSER attributes
 authentication-server-group none

The above means you will only auth on IKE. My advice would be NOT to do this, as you only have 1-factor authentication - security best practice says you should have 2 or more.

If you do not want to authenticate to a back-end AD/RADIUS or LDAP - then authenticate locally:-

username <> password <> privilege 0
tunnel-group EGRASUSER general-attributes
 authentication-server-group LOCAL

HTH
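An added example, not part of the original thread and not Cisco tooling: a small Python audit that reads an ASA running-config and reports, for each `ipsec-ra` tunnel group, the `authentication-server-group` setting found in the two places the answer puts it (the tunnel group's general-attributes and its default group policy). It assumes sub-commands are indented as in `show running-config` output; the NOAUTH group and all function names are constructed for illustration.

```python
import re

# Constructed sample: the poster's group (trimmed) plus a hypothetical NOAUTH group.
SAMPLE = """\
group-policy EGRASUSER attributes
 split-tunnel-policy tunnelspecified
tunnel-group EGRASUSER type ipsec-ra
tunnel-group EGRASUSER general-attributes
 default-group-policy EGRASUSER
tunnel-group EGRASUSER ipsec-attributes
 pre-shared-key *
group-policy NOAUTH attributes
 authentication-server-group none
tunnel-group NOAUTH type ipsec-ra
tunnel-group NOAUTH general-attributes
 default-group-policy NOAUTH
"""

def sections(config):
    """Map each top-level command to its indented sub-commands."""
    out, current = {}, None
    for line in config.splitlines():
        if line.strip() in ("", "!"):
            continue
        if line[0].isspace() and current is not None:
            out[current].append(line.strip())
        else:
            current = line.strip()
            out.setdefault(current, [])
    return out

def first_arg(lines, keyword):
    """Text after `keyword` on the first line that starts with it, else None."""
    for entry in lines:
        if entry.startswith(keyword + " "):
            return entry[len(keyword):].strip()
    return None

def audit_user_auth(config):
    """For each ipsec-ra tunnel group: its user-auth setting, or 'unset'."""
    sec, result = sections(config), {}
    for head in sec:
        m = re.fullmatch(r"tunnel-group (\S+) type ipsec-ra", head)
        if not m:
            continue
        general = sec.get(f"tunnel-group {m.group(1)} general-attributes", [])
        policy = first_arg(general, "default-group-policy")
        scope = general + sec.get(f"group-policy {policy} attributes", [])
        result[m.group(1)] = first_arg(scope, "authentication-server-group") or "unset"
    return result
```

A result of `unset` is the situation in the question (nothing configured, so per the answer the defaults apply), while `none` marks a group that relies on the IKE pre-shared key alone.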
