Dynamic VPN authentication

s.carruthers
Level 1

This seems like it should be easy but I cannot find a sample config. I have dynamic crypto maps set up for remote client VPN access on a PIX. This is working fine and users can initiate sessions by using the groupname/password. I want to configure xauth (extended authentication), however, to force the remote user to have to authenticate with a username/password as well. I do not have an ACS server. I just want to establish a local user database on the PIX itself. So after I create a user with - username xxx password xxxx - what AAA or crypto map commands do I need to execute to force the dynamic-vpn users to have to authenticate using this local user database? Thanks

3 Replies

s.carruthers
Level 1

To further complicate this, I thought I found the correct command to force user authentication with the local database with -

crypto map client authentication LOCAL

But after I enter this command and clear all IPsec settings, it still does not prompt me for a username and password. Once it accepts the groupname and password, a connection is immediately established without asking for a username/password.

j.cusick
Level 1

If you have a Windows 2000 server you may want to set up IAS (part of 2000) and point the PIX to the 2000 server. You can have your administrator control adding and removing users from the VPN groups and control policies via the 2000 server.
