
New Member

VPN with user names in pix firewall

Is there any way to make my VPN connections into my PIX user specific?

I know that is possible with the 3000 concentrator but not sure if you can do it with a pix. I have about 10 people that need to VPN in.

Can each VPN have a different password?

Reason is: if I let one person go, I don't want to have to worry about changing passwords for everyone, just deleting an account.

Thanks

Anthony

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: VPN with user names in pix firewall

VPN connection into a PIX should always be authenticated with an additional username/password for extra security. Up till v6.3 you used to have to store these usernames/passwords in an external Radius/TACACS server, but in 6.3 now you can use the local user database on the PIX to store these.

The commands are:

> crypto map client authentication LOCAL

> username password

You can have as many "username ....." commands as you like. If someone leaves your company, simply remove their name from the list.

5 REPLIES
New Member

Re: VPN with user names in pix firewall

Hey, question for you. I am new to IPSEC and IKE..., and I am using PPTP currently since in 6.2 local accounts were supported, but I am trying to configure per your info with the crypto map and am having difficulty figuring it out.

So will I be creating the ISAKMP and crypto commands, keeping ISAKMP auth pre-share (since it does not look like it supports the local user DB), or will I not need ISAKMP if I am using the crypto map auth local command, or do I need both? How do I configure the Cisco VPN client to make the IKE SA and IPSEC SA if the pre-shared password is not the same as the local account?

My understanding is I need both the ISAKMP and crypto commands to get the VPN connection to work, but how the "crypto map client authentication LOCAL" command fits into the client VPN config I am not seeing. How does VPNGROUP fit into all of this?

I will be using the 3.X VPN client for Windows 2000/XP.

Thanks a lot for any help

Jeff

New Member

Re: VPN with user names in pix firewall

You can't use 6.2.

You have to upgrade to 6.3; it now supports local authentication. After you upgrade you will see the options.

aaa-server LOCAL protocol local

crypto map mymap client authentication LOCAL

username test password test
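To show how the three commands above and the accepted solution fit together with the rest of a PIX 6.3 remote-access setup, here is an added example that is not from the thread or from Cisco: a small Python audit script. It embeds two constructed configuration excerpts (the ISAKMP policy, dynamic crypto map and vpngroup are assumed values, as are the usernames and the `mymap` map name), checks whether the crypto map bound to the outside interface requires per-user XAUTH against the local database, and shows the offboarding step of dropping one `username` line without touching the shared vpngroup key.

```python
"""Audit a PIX 6.3-style configuration for per-user VPN client authentication.

Added example, not code from the thread. It parses constructed config excerpts
and reports whether remote-access users are authenticated individually
('crypto map ... client authentication LOCAL' + 'aaa-server LOCAL protocol local'
+ 'username' entries) or only by the shared vpngroup password.
"""
import re

# Constructed sample: remote-access VPN with only the shared group key.
# The vpngroup password is the single credential every user shares.
WEAK_CONFIG = """\
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
ip local pool vpnpool 192.0.2.10-192.0.2.20
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
vpngroup staff address-pool vpnpool
vpngroup staff password ********
"""

# Constructed sample: the same config plus per-user XAUTH against the local database.
HARDENED_CONFIG = WEAK_CONFIG + """\
aaa-server LOCAL protocol local
crypto map mymap client authentication LOCAL
username anthony password ********
username jeff password ********
"""

USERNAME_RE = re.compile(r"^username\s+(\S+)\s+password\s+\S+", re.M)
AUTH_RE = re.compile(r"^crypto map\s+(\S+)\s+client authentication\s+(\S+)", re.M)
IFACE_RE = re.compile(r"^crypto map\s+(\S+)\s+interface\s+(\S+)", re.M)
AAA_RE = re.compile(r"^aaa-server\s+(\S+)\s+protocol\s+(\S+)", re.M)
VPNGROUP_RE = re.compile(r"^vpngroup\s+(\S+)\s+password\s+", re.M)


def audit_vpn_auth(config):
    """Describe the remote-access authentication posture of a config excerpt.

    Returns a dict with 'per_user_auth' (True only if every crypto map bound to
    an interface requires XAUTH against a defined local database with at least
    one user), the list of 'users', and human-readable 'findings'.
    """
    aaa = dict(AAA_RE.findall(config))       # server tag -> protocol
    auth = dict(AUTH_RE.findall(config))     # crypto map -> server tag
    bound = dict(IFACE_RE.findall(config))   # crypto map -> interface
    users = USERNAME_RE.findall(config)
    groups = VPNGROUP_RE.findall(config)
    findings = []
    for map_name, iface in bound.items():
        tag = auth.get(map_name)
        if tag is None:
            findings.append(
                f"crypto map {map_name} on {iface}: no client authentication; "
                f"the vpngroup password for {groups} is the only credential")
        elif tag not in aaa:
            findings.append(
                f"crypto map {map_name} on {iface}: authentication tag {tag!r} "
                "has no matching aaa-server line")
        elif aaa[tag] == "local" and not users:
            findings.append(
                f"crypto map {map_name} on {iface}: LOCAL auth set but no username entries")
    return {"per_user_auth": bool(bound) and not findings,
            "users": users, "findings": findings}


def remove_user(config, name):
    """Drop one departed user's line, the effect of 'no username <name>' on the PIX."""
    pattern = re.compile(rf"^username\s+{re.escape(name)}\s+password\s+.*\n?", re.M)
    return pattern.sub("", config)


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_vpn_auth(cfg))
    # Offboard one user: the shared group key and everyone else stay unchanged.
    print("after offboarding jeff:", audit_vpn_auth(remove_user(HARDENED_CONFIG, "jeff"))["users"])
```

Run it against the output of `show running-config` (or `write terminal`) saved to a file by replacing the constructed strings; the weak excerpt is flagged because the crypto map on the outside interface has no `client authentication` line, and the hardened one passes with both users listed.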

New Member

Re: VPN with user names in pix firewall

Cool, got it. However, I have not found any documentation on the actual configuration for this setup (i.e. because I don't have the knowledge necessary, it's kind of difficult to fly by my pants). Like, I know that PPTP is Microsoft specific, but now we are talking about IPSEC, which I am not sure how IKE, ISAKMP and CRYPTO all come into play. I have the docs to configure a VPN tunnel between two PIXs, but how does that compare to a remote access VPN using IPSEC but not a preshared key string for all users?

Thanks

Jeff
