I had a remote access VPN set up with the "crypto map BLAH client authentication" command. Then I configured EZVPN remote devices and they were being prompted for a username and password. So I removed the crypto map statement and placed a vpngroup GROUPNAME client-authentication and a vpngroup authentication server SERVER command in the group setup. Now the EZVPN remote devices connect but the Remote Access VPN clients don't get prompted for authentication. What am I doing wrong?
I take that as a NO. :-)
How do you configure xauth for a remote EZVPN 501 client? If you need my current config let me know.
Can you post your configuration?
I am assuming that you are using your PIX as Remote and EzVPN server. (BTW: you cannot use ezvpn client and VPN server as the same device).
Your query has made me curious ... I think I need to dig a little to lighten my rusty mind.
Hi .. actually you can use a PIX as vpn client and server at the same time .. In regards to the issue .. the easiest way to do it is by creating another VPN group for your remote users with Xauth. You will have to modify their profile ( new vpngroup and password ) accordingly.
I hope it helps .. please rate if it does !!!
Here is the beef of it. If there is something missing that you would like to see, let me know.
Again, the issue is we have a remote access VPN (group2 in the config) that we would like to authenticate users. Group# in the config is a genuine site to site. I can get around xauth with the no-xauth command. Groups 4, 5, and 6 are the EZVPN server settings. When the remote 501's connect to them they get prompted for a username and password unless I remove the crypto map client authentication command. But then the remote access VPN doesn't prompt.
If you keep the username on the PIX, try this; if not, change to a RADIUS server.
under the router config change this to match yours, if
crypto ipsec client ezvpn center_xxxxxx
 group remote_sites key xxxxxxxxxxxxxxxx
 username remote password xxxxxxxxxxxx
 xauth userid mode local
On the PIX make sure you keep the user accounts local. I am currently running EzVPN clients on my ASA and also authenticating users for remote access too.
Thanks, but the spoke isn't a router, it's a PIX 501 and the HUB is a 515E. The 515 is using RADIUS to authenticate users but it won't authenticate the EZVPN Clients (501's).