PIX VPN Authentication

gparrish
Level 1

Can someone tell me all the options for authenticating VPN users on the PIX (515e v6.31)? I don't see any way to do local user authentication based on the VPN client.

I know of the following options:

AAA using TACACS

AAA using RADIUS

VPN Group with local password

Thanks,

Greg

7 Replies

mostiguy
Level 6

What do you mean by "local user authentication based on the VPN client"? If you mean each user has a unique username and password, that was introduced in PIX OS 6.2 (maybe 6.3).

Yes, I mean that. In the normal Cisco IOS context you normally have like TACACS and local authentication choices, so thanks for that bit of information! I will look into how to configure that. Just trying to figure out all the options so we can select one to use.

Thanks,

Greg

Introduced in 6.3, you would do (the bracketed values are placeholders for your own crypto map name and user credentials):

crypto map <map-name> client authentication LOCAL

username <name> password <password>

You can have as many username/password entries as you like.

Any idea how to configure the VPN Client with the username and password for authentication since it only accepts the Group and CA Certificate options?

Thanks,

Greg

Hi Greg,

You do not need to configure username and password within the client. Once the client tries to connect the user will be prompted to enter username and password. Only put in groupname and grouppassword and you'll be fine.

Kind regards,

Leo

Okay, so this provides even more authentication? You have to use the VPN Group and then you could also authenticate each user in addition to that?

Sounds like you have to use the VPN Group or a certificate at all times?

Thanks,

Greg

Correct, user authentication is a second level of authentication. You don't actually have to do it (just don't add in the two commands I mentioned previously), and then the client will get in simply with having the correct group name/password or certificate.

I would always use user authentication though, considering the group name/password or cert is stored on the PC all the time. If that PC gets stolen and you have no user authentication set up, the thief has open access into your network. The group name/password or cert authenticate the PC that is connecting, whereas the extra user authentication authenticates the person sitting at that PC.
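The exposure Leo describes above (a stolen PC with only the group secret gets straight in) is something you can check for in a saved PIX configuration. The script below is an added example, not code from this thread or from Cisco: it parses a constructed PIX 6.3 config fragment and flags every crypto map that has no "client authentication" line, or that points at LOCAL while no username entries exist. The map and user names in the sample are assumptions.

```python
import re

# Constructed sample PIX 6.3 configuration (not from the thread).
# outside_map relies on the group password alone; hq_map also requires
# a per-user login against the local username database.
SAMPLE_CONFIG = """\
vpngroup remote address-pool vpnpool
vpngroup remote idle-time 1800
vpngroup remote password ********
username alice password ******** encrypted
crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map hq_map 20 ipsec-isakmp dynamic hq_dyn_map
crypto map hq_map client authentication LOCAL
crypto map hq_map interface outside
"""

# "client [token] authentication <aaa-server-group>" turns on XAUTH for a map.
CLIENT_AUTH = re.compile(r"^crypto map (\S+) client (?:token )?authentication (\S+)", re.M)
MAP_NAME = re.compile(r"^crypto map (\S+) ", re.M)
USERNAME = re.compile(r"^username (\S+) password ", re.M)


def audit_vpn_auth(config: str) -> dict:
    """Map each crypto map name to the AAA server group used for user
    authentication, or None when the map has no such line (group secret
    or certificate alone admits the client)."""
    maps = {name: None for name in MAP_NAME.findall(config)}
    for name, server in CLIENT_AUTH.findall(config):
        maps[name] = server
    return maps


def local_users(config: str) -> list:
    """Usernames defined in the PIX local database."""
    return USERNAME.findall(config)


def findings(config: str) -> list:
    """Human-readable findings, one per weak crypto map."""
    out = []
    users = local_users(config)
    for name, server in audit_vpn_auth(config).items():
        if server is None:
            out.append(f"{name}: group/certificate authentication only; "
                       f"consider 'crypto map {name} client authentication LOCAL'")
        elif server == "LOCAL" and not users:
            out.append(f"{name}: LOCAL user authentication set but no username entries exist")
    return out


if __name__ == "__main__":
    for line in findings(SAMPLE_CONFIG):
        print(line)
```

Run it against the output of "show running-config" instead of SAMPLE_CONFIG to audit a real firewall.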