Disable XAuth for Remote VPN Access

Florin Barhala
Level 6

Hi guys,

I would like to know if I can skip XAuth for Remote VPN Access on a router.

Here's my config, all working beautifully; still, when connecting I would like not to see any username & password window after clicking on the VPN profile.

aaa authentication login VPNUSERSAUTH local
aaa authorization network VPNUSERS local
username ra-user privilege 0 secret 1cannotTELu

crypto isakmp policy 7
 encr aes
 hash sha
 authentication pre-share
 group 2

crypto isakmp client configuration group VPNUSERS
 key theKEYallneedt0
 pool VPN-POOL
 acl ACL-SPLIT-VPN

crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map VPNDYNMAP 1
 set transform-set 3DES-SHA
 reverse-route

crypto map MAP-OUTSIDE client authentication list VPNUSERSAUTH
crypto map MAP-OUTSIDE isakmp authorization list VPNUSERS
crypto map MAP-OUTSIDE client configuration address respond
crypto map MAP-OUTSIDE 6500 ipsec-isakmp dynamic VPNDYNMAP

ip local pool VPN-POOL 10.1.24.1 10.1.24.25
ip access-list extended ACL-SPLIT-VPN
 permit ip 192.168.11.0 0.0.0.255 10.1.24.0 0.0.0.255

Many thanks!
1 Accepted Solution

Dinesh Moudgil
Cisco Employee

Hi Florin,

In the case of remote access VPN, the user has to be authenticated either via username/password or via certificates.
You can deploy certificate-based authentication as follows:
http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/22520-unityclient-ios.html#router-config

This will use the certificate for user authentication and won't prompt for username/password.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/


6 Replies

To add, IKE authentication can use RSA (certs, signature, encryption) or PSK; xauth can be done with user/pass only or skipped altogether.

To bypass xauth either remove client authentication or set the AAA group to none. It's been a while since I tested this. I think the latter should work on IOS.
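To make the two knobs named above concrete, here is an added Python config-audit example (not from this thread, and not Cisco's code) that reads IOS remote-access VPN configuration in the syntax used in the thread and reports, per crypto map or isakmp profile, whether XAuth is requested at all and which AAA method list backs it. The three sample configs are constructed for the example: the first mirrors the shape of the posted config with the pre-shared key and user secret replaced by placeholders, the second swaps in the `none` login list that was tried above, and the third is an isakmp profile (the name `RA-PROFILE` is an assumption) with no `client authentication list`.

```python
import re

# Constructed samples for this example (not the poster's exact config);
# secrets are replaced by placeholders.
XAUTH_LOCAL = """\
aaa authentication login VPNUSERSAUTH local
aaa authorization network VPNUSERS local
username ra-user privilege 0 secret PLACEHOLDER-USER-SECRET
crypto isakmp client configuration group VPNUSERS
 key PLACEHOLDER-PSK
 pool VPN-POOL
crypto map MAP-OUTSIDE client authentication list VPNUSERSAUTH
crypto map MAP-OUTSIDE isakmp authorization list VPNUSERS
crypto map MAP-OUTSIDE 6500 ipsec-isakmp dynamic VPNDYNMAP
"""

# Variant tried in the thread: the XAuth method list set to "none".
XAUTH_NONE = XAUTH_LOCAL.replace("login VPNUSERSAUTH local", "login VPNUSERSAUTH none")

# Variant raised in the thread: an isakmp profile (hypothetical name RA-PROFILE)
# with no "client authentication list", so XAuth is never requested.
NO_XAUTH_PROFILE = """\
aaa authorization network VPNUSERS local
crypto isakmp client configuration group VPNUSERS
 key PLACEHOLDER-PSK
 pool VPN-POOL
crypto isakmp profile RA-PROFILE
 match identity group VPNUSERS
 isakmp authorization list VPNUSERS
"""


def parse_aaa_method_lists(config):
    """Return {"login": {name: [methods]}, "network": {name: [methods]}}."""
    lists = {"login": {}, "network": {}}
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"aaa authentication login (\S+) (.+)$", line)
        if m:
            lists["login"][m.group(1)] = m.group(2).split()
            continue
        m = re.match(r"aaa authorization network (\S+) (.+)$", line)
        if m:
            lists["network"][m.group(1)] = m.group(2).split()
    return lists


def _new_endpoint(kind):
    return {"kind": kind, "xauth_list": None, "authz_list": None}


def parse_ike_endpoints(config):
    """Collect crypto maps and isakmp profiles with the AAA lists they reference."""
    endpoints = {}
    profile = None  # isakmp profile whose indented sub-commands we are inside
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        indented = line.startswith(" ")
        stripped = line.strip()
        if not indented:
            profile = None
        # Crypto-map style: every setting is its own top-level line.
        m = re.match(r"crypto map (\S+) client authentication list (\S+)$", stripped)
        if m:
            endpoints.setdefault(m.group(1), _new_endpoint("crypto map"))["xauth_list"] = m.group(2)
            continue
        m = re.match(r"crypto map (\S+) isakmp authorization list (\S+)$", stripped)
        if m:
            endpoints.setdefault(m.group(1), _new_endpoint("crypto map"))["authz_list"] = m.group(2)
            continue
        if re.match(r"crypto map (\S+) \d+ ipsec-isakmp", stripped):
            endpoints.setdefault(stripped.split()[2], _new_endpoint("crypto map"))
            continue
        # Isakmp-profile style: settings are indented under the profile line.
        m = re.match(r"crypto isakmp profile (\S+)$", stripped)
        if m:
            profile = m.group(1)
            endpoints.setdefault(profile, _new_endpoint("isakmp profile"))
            continue
        if profile and indented:
            m = re.match(r"client authentication list (\S+)$", stripped)
            if m:
                endpoints[profile]["xauth_list"] = m.group(1)
            m = re.match(r"isakmp authorization list (\S+)$", stripped)
            if m:
                endpoints[profile]["authz_list"] = m.group(1)
    return endpoints


def audit_user_auth(config):
    """Classify per endpoint: no-xauth (group PSK is the only credential),
    xauth-undefined-list, xauth-none (prompt shown, any input accepted),
    xauth-none-fallback ("none" behind other methods), or xauth:<methods>."""
    login_lists = parse_aaa_method_lists(config)["login"]
    findings = {}
    for name, ep in parse_ike_endpoints(config).items():
        xl = ep["xauth_list"]
        methods = login_lists.get(xl) if xl else None
        if xl is None:
            findings[name] = "no-xauth"
        elif methods is None:
            findings[name] = "xauth-undefined-list"
        elif methods == ["none"]:
            findings[name] = "xauth-none"
        elif "none" in methods:
            findings[name] = "xauth-none-fallback"
        else:
            findings[name] = "xauth:" + "+".join(methods)
    return findings


if __name__ == "__main__":
    for label, cfg in [("as posted", XAUTH_LOCAL), ("login list none", XAUTH_NONE),
                       ("profile without xauth", NO_XAUTH_PROFILE)]:
        print(label, audit_user_auth(cfg))
```

The distinction the audit draws is the one the thread circles around: removing `client authentication list` means the router never sends an XAuth request, while keeping the list but pointing it at a `none` method list still produces the prompt and then accepts whatever is typed, which matches the behaviour reported above.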

Hi Marcin,

Before posting I tried:

aaa authentication login VPNUSERSAUTH none

But at this moment it's still asking for user and password and, what's more, it works with any local user.
I also tried:

aaa authorization network VPNUSERS none

After that, the login window ceased to pop up. So if you find a real method to skip this authentication...

Florin, did you by any chance try removing the client authentication statement (from the crypto map or isakmp profile)?

M.

I think I did, but I will retry tomorrow. Either way I doubt it will work, but I will come back with the outcome.

Florin,

I _remember_ this working with an isakmp profile. But it's something I did a couple of years ago at least.

M.