Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Hightech Security Solutions

I have been implementing some VPN solutions based on PIX 515 in HQ and VPN Client (IPSec) on remote laptops.

Since the VPN Client does not run on Win2000, I used PPTP (also Terminated on the Pix) with User-authentication done via ACS 2.5.

Unfortenately, it's not good enough.... (Security speaking)

What I would like to set up is:

- Pix (if possible) as VPN Terminatot in HQ.

- Clients using Win98/Win2000 connecting through VPN.

- User Authentication ++ is done with X.509 Certificate and/or Onetime Passwords (Like SecureCard from RSA)in adition to Username and Password (As by Win2000 PPTP)

- User Accounting must be done in HQ.

As I said: The Pix is already here, ACS is here, VPN software for Win98 & 2000 is here(Based on different protocols)

Does anyone have any idea of setting up authentication ssing username&Password with Certificates? Does IPSec support this?

Does anyone have any idea of setting up authenticating using one-time-password systems?

Best regards


New Member

Re: Hightech Security Solutions

Hi Jarle,

We use ACE Server from RSA Security in combination with CS ACS 2.4. We use SecurID hardware tokens. The AAA mechanism is primarily handled bij ACS which sends the request through to ACE Server to verify the token-code. We are using this for quite some time now and this works well. As an example. When a user logs in to the system he/she gets a prompt for user/password. When using a token you fill in the user and the password is a combination of a PIN-code and the code displayed on the token. It is very user friendly.

I have no experience with IPSEC, Certificates and VPN but are in the process of investigating that right now.

Regards and success,


New Member

Re: Hightech Security Solutions

What kind of client-software are you using?

Sounds like THE solution for us.



New Member

Re: Hightech Security Solutions

Recommended solution is to introduce a PKI certification protocol & TACACS++ security access control.

New Member

Re: Hightech Security Solutions

Absolutely you can use certificates with the Windows 2000 native IPSec/PPTP client. If fact, the Windows 2000 client only supports certificate authentication (i.e. no pre-shared keys). Kind of a bummer.

Here's a link with documentation for configuring the PIX for certificate support - (

New Member

Re: Hightech Security Solutions

I was wondering you use pptp with mppe and ACS 2.5 and you use tacacs+ protocol.

CreatePlease to create content