09-12-2008 01:16 AM - edited 03-11-2019 06:43 AM
Im probably being a total muppet but my vpn client is asking me to authenticate when I havent set authentication up.
I would be extremely greatful with any help as Im used to configuring PIX's which are far easier!
Here is the client portion of my config:
group-policy EGRASUSER internal
group-policy EGRASUSER attributes
wins-server value xxxxxxxxxxx
dns-server value xxxxxxxxx
split-tunnel-policy tunnelspecified
split-tunnel-network-list value sptnl
default-domain value xxxxxxxx
tunnel-group EGRASUSER type ipsec-ra
tunnel-group EGRASUSER general-attributes
address-pool EGRASPOOL
default-group-policy EGRASUSER
tunnel-group EGRASUSER ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
Solved! Go to Solution.
09-12-2008 02:35 AM
Daniel,
Be default if you do not specific ANY config in the profile "EGRASUSER" then the device will apply any "default" configuration from the "DfltGrpPolicy" attirbutes.
So if you do not want any user auth the config the below:-
group-policy EGRASUSER attributes
authentication-server-group none
The above means you will only auth on IKE. My advise would be NOT to do this, as you only have 1 factor authentication - security best practise says you should have 2 or more.
If you do not want to authenticate to a back AD/RADIUS or LDAP - then authenticate locally:-
username <
tunnel-group EGRASUSER general-attributes
authentication-server-group LOCAL
HTH>
09-12-2008 02:35 AM
Daniel,
Be default if you do not specific ANY config in the profile "EGRASUSER" then the device will apply any "default" configuration from the "DfltGrpPolicy" attirbutes.
So if you do not want any user auth the config the below:-
group-policy EGRASUSER attributes
authentication-server-group none
The above means you will only auth on IKE. My advise would be NOT to do this, as you only have 1 factor authentication - security best practise says you should have 2 or more.
If you do not want to authenticate to a back AD/RADIUS or LDAP - then authenticate locally:-
username <
tunnel-group EGRASUSER general-attributes
authentication-server-group LOCAL
HTH>
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide