cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
866
Views
0
Helpful
3
Replies

Disable pre shared key attribute for Remote Access w/ ASA

mark.white
Level 1
Level 1

We just started configuring ASAs for VPN access after years of using the PIX. One of the biggest changes that I have noticed for the Remote Client Access is the use of a pre-shared key. Is there a way to disable the pre-shared-key attribute under the tunnel-group <groupname> ipsec-attributes and just require clients to authenticate with the username/password combination like in the 6.3(5) code? If so, how? Any advice would be truly helpful.

Thax in advance!

3 Replies 3

srue
Level 7
Level 7

that pre-shared key is just the group password.

are you wanting to not use group names/passwords?

or are you *just* wanting to use group names/passwords?

to disable xauth:

tunnel-group grp_name ipsec-attributes

pre-shared-key *

isakmp ikev1-user-authentication none

What I want to do is not use the group names password. I just want to be able to have clients use their username and a password that is unique to each username (so, no pre-shared key at all).

For example here is a config from the 6.3(5) code:

crypto ipsec transform-set strongset esp-aes esp-sha-hmac

crypto dynamic-map stuff 10 set transform-set strongset

crypto map mymap 10 ipsec-isakmp dynamic stuff

isakmp identity address

isakmp nat-traversal

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption aes

isakmp policy 10 hash sha

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

isakmp log 300

vpngroup username address-pool ippool

vpngroup username idle-time 1800

vpngroup username split-tunnel 103

vpngroup username password blah

crypto map mymap interface outside

isakmp enable outside

wr me

No pre-shared key was needed. How do I migrate this code over to the ASA?

Thax!

The preshared key was the password defined here:

vpngroup username password blah

that served the same purpose as the tunnel-group preshared key. They are functionally equivalent.

in 7.x and later, the tunnel-group name takes the place of the vpngroup name , and the preshared key attribute takes the place of the vpngroup password..

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: