Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

Is AAA mandatory for remote acces VPN client

Is it possible to configure remote access VPN client version 4.6.*** for windows without having any AAA server available on inside network. In this case how authentication can be done ?


Re: Is AAA mandatory for remote acces VPN client

Yes this is possible, but not advisable. As the group settings are pre-configured and VPN clients are normally roaming users the theft or loss of a laptop could compromise network security.

When the Client connects the configured group name and pre-shared key (Client password) need to match those configured on the server.

Optionally then a second authentication prompt is offered where the user enters a username and password matching one configured in a local database.

The actual method would depend on the VPN server, if its a router or VPN concentrator then you can use a local database for the second authentication step, although this can be turned off if the additional security is not required.

If its a PIX (6.x) no local database is provided you either do without or use an external server. PIX version 7 does have a local database, but I've not used that version myself yet.

What VPN device do you intend to use?

New Member

Re: Is AAA mandatory for remote acces VPN client

Actually, the PIX with 6.3 have the ability with LOCAL database configuration for VPN-users.

Best Regards

Robert Maras

New Member

Re: Is AAA mandatory for remote acces VPN client


If Pix 6.3 , has ability to to use Local database to authenticate users coming over a VPN connection from outside world. Can I use it like AAA server. with no considerable CPU over head ?

Any configuration example available on cisco website where this command is used for remote VPN client user authorisation ?


Re: Is AAA mandatory for remote acces VPN client

pix only offers local authentication, and the load on cpu is not that much.


access-list 101 permit ip

access-list 120 permit ip

nat (inside) 0 access-list 101

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

isakmp identity address

isakmp nat-traversal 20

crypto ipsec transform-set vpnset esp-3des esp-md5-hmac

ip local pool ippool

vpngroup vpnclient address-pool ippool

vpngroup vpnclient idle-time 1800

vpngroup vpnclient dns-server

vpngroup vpnclient password cisco456

vpngroup vpnclient split-tunnel 120

crypto dynamic-map dynmap 10 set transform-set vpnset

crypto map remote_vpn 20 ipsec-isakmp dynamic dynmap

username cisco password cisco123

aaa-server LOCAL protocol local

crypto map remote_vpn client authentication LOCAL

crypto map remote_vpn client configuration address initiate

crypto map remote_vpn client configuration address respond

with the sample above, the command "crypto map remote_vpn client authentication LOCAL" enables the local authentication; whereas the command "username cisco password cisco123" is used to create the local database.

CreatePlease to create content