Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 

Disable XAuth for Remote VPN Access

Hi guys,

I would like to know if I can skip XAuth for a Remote VPN Access on a router.

Here's my config, all working beautifully, still when connecting I would like not seeing any username&password window after clicking on the Vpn profile.

aaa authentication login VPNUSERSAUTH local
aaa authorization network VPNUSERS local
username ra-user privilege 0 secret 1cannotTELu
 
crypto isakmp policy 7
 encr aes
 hash sha
 authentication pre-share
 group 2
 
crypto isakmp client configuration group VPNUSERS
 key theKEYallneedt0
pool VPN-POOL
acl ACL-SPLIT-VPN
 
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map VPNDYNMAP 1
 set transform-set ESP-AES128-SHA
 reverse-route
 
crypto map MAP-OUTSIDE client authentication list VPNUSERSAUTH
 crypto map MAP-OUTSIDE isakmp authorization list VPNUSERS
 crypto map MAP-OUTSIDE client configuration address respond
  crypto map MAP-OUTSIDE 6500 ipsec-isakmp dynamic VPNDYNMAP
 
ip local pool VPN-POOL 10.1.24.1 10.1.24.25
 ip access-list extended ACL-SPLIT-VPN
permit ip 192.168.11.0 0.0.0.255 10.1.24.0 0.0.0.255
 
Many thanks!
Everyone's tags (1)
1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Hi Florin,In case of remote

Hi Florin,


In case of remote access VPN , user has to be authenticated either via username/password or certificates.
You can deploy certificate based authentication as follows:-
http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/22520-unityclient-ios.html#router-config

This will use the certificate for user authentication and won't prompt for username/password.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

6 REPLIES
Cisco Employee

Hi Florin,In case of remote

Hi Florin,


In case of remote access VPN , user has to be authenticated either via username/password or certificates.
You can deploy certificate based authentication as follows:-
http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/22520-unityclient-ios.html#router-config

This will use the certificate for user authentication and won't prompt for username/password.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Employee

To add, IKE authentication

To add, IKE authentication can use RSA (certs, signature, encryption) or PSK, xauth can be done with user/pass only or skipped altogether. 

To bypass xauth either remove client authentication or set the AAA group to none. It's been a while since I tested this. I think the latter should work on IOS. 

Hi Marcin,Before posting I

Hi Marcin,

Before posting I tried:

aaa authentication login VPNUSERSAUTH none
 
But at this moment it's still asking for user and password and even more works with any local user.
I also tried:
aaa authorization network VPNUSERS none
 
After it, login windows ceased to pop up. So if you find a real method to skip this authentication...
Cisco Employee

Florin, did you by any chance

Florin, did you by any chance tried removing the client authentication statement (from crypto map or isakmp profile).

 

M.

 

I think I did, but I will

I think I did, but I will retry tomorrow. Either way I doubt it will work, but I will comeback with the outcome.

Cisco Employee

Florin,I _remember_ this

Florin,

I _remember_ this working with isakmp profile. But it's something I've done a couple of years ago at least. 

 

M.

379
Views
0
Helpful
6
Replies
CreatePlease to create content