Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Users might experience few discrepancies in Search results. We are working on this on our side. We apologize for the inconvenience it may have caused.

VPN client Authentication


I wanted to know is there way to authenticate VPN users without the ACS,such as on a PIX box or with the help of microsoft server.



New Member

Re: VPN client Authentication

There are a lot of ways to authenticate a VPN user even without ACS. You can configure your PIX firewall as VPN gateway which can authenticate a VPN user locally or you can implement XAUTH using RADIUS. The radius server can be any freely available compliant unix server or you you can use your windows domain controller for XAUTh using "Active Directory" as radius server. Again you can use one factor authentication or two factor authentication. The basic two factor authentication you can do with a PIX is that you can use the static IP address of the VPN client in PIX VPN config as the second factor (i.e. what you have) along with radius password (i.e. what you know). The limitation with this approach is that the VPN connectivity can be granted only from a previously configured IP address.

Otherwise you can implement a challenge response method as two factor authentication where you can use the tokens (software or hardware) as "what you have" to generate one time passwords, again these tokens can be configured as "response only mode" or "cahllenge resonse mode".

I have tested and implemented above mentioned methods successfully. Again if you already have a radius server working from your old installation and you don't want the headache of scrapping all that user database info and configuring it again on the new radius servers there are middleware radius" solutions available which can save your previous investment and are a lot cheaper (if you don't have thousands of VPN users).

New Member

Re: VPN client Authentication

The easiest way would be to run Radius on your Microsoft Server. You could then utilize the userlist in your NT domain since the Microsoft Radius authenticates against the NT domain.


CreatePlease to create content