04-04-2012 09:02 AM
Hello,
Looking for a solution to change a VPN group password that was compromised. We are running ASA, and users are connecting to the corporate LAN over IPsec VPN. The VPN client and default profile are distributed to the users in the form of an .exe file. Now, the VPN group password has to be changed. What are my options here? We are running AD, and users are authenticated against AD when they log in over VPN. One option is to distribute the new VPN password to all users so they can manually enter it, but this could be very time consuming and prone to errors and a massive number of help desk calls.
Has anyone experienced this task and have a solution they would like to share?
Any suggestion is highly appreciated.
Regards,
04-04-2012 10:43 AM
The use of a group PSK does in fact enable users to copy the pcf file from a work machine on to a home machine and, without knowing the PSK, gain access - yes, they do need user auth, but this is a DLP issue.
I would consider removing this problem once and for all by migrating to certificate-based IKE phase 1.
To your original point! There is no easy way of making this change:
Set up a new group with the revised PSK and issue new pcf files with the new details.
Monitor usage of the old group and delete as appropriate.
Sent from Cisco Technical Support iPad App
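One way to carry out the "monitor usage of the old group" step from the reply above, as an added example that is not part of the original thread: it reads ASA session-disconnect syslog lines and lists the users whose most recent session still used the old group. The message layout (113019, `Group = …, Username = …, IP = …`), the group names `VPN-OLD` and `VPN-NEW`, and all sample lines are assumptions constructed for illustration; check the pattern against your own logs.

```python
import re
from datetime import datetime

# Constructed sample lines in the assumed layout of ASA syslog message 113019
# (session disconnected). Hostname, groups, users and IPs are hypothetical.
SAMPLE_LOG = """\
Apr 05 2012 08:01:12 asa1 : %ASA-4-113019: Group = VPN-OLD, Username = alice, IP = 203.0.113.10, Session disconnected. Session Type: IPsec, Reason: User Requested
Apr 05 2012 09:15:40 asa1 : %ASA-4-113019: Group = VPN-OLD, Username = bob, IP = 198.51.100.7, Session disconnected. Session Type: IPsec, Reason: User Requested
Apr 06 2012 08:05:00 asa1 : %ASA-4-113019: Group = VPN-NEW, Username = alice, IP = 203.0.113.10, Session disconnected. Session Type: IPsec, Reason: User Requested
Apr 06 2012 10:20:00 asa1 : %ASA-4-113019: Group = VPN-NEW, Username = bob, IP = 198.51.100.7, Session disconnected. Session Type: IPsec, Reason: Idle Timeout
Apr 06 2012 11:02:33 asa1 : %ASA-4-113019: Group = VPN-OLD, Username = Dave, IP = 192.0.2.44, Session disconnected. Session Type: IPsec, Reason: User Requested
Apr 06 2012 12:00:00 asa1 : %ASA-6-302013: Built inbound TCP connection 1001 (unrelated message, ignored)
Apr 07 2012 09:00:00 asa1 : %ASA-4-113019: Group = VPN-NEW, Username = carol, IP = 198.51.100.9, Session disconnected. Session Type: IPsec, Reason: User Requested
Apr 07 2012 17:30:00 asa1 : %ASA-4-113019: Group = VPN-OLD, Username = bob, IP = 192.0.2.80, Session disconnected. Session Type: IPsec, Reason: User Requested
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) .*%ASA-\d-113019: "
    r"Group = (?P<group>[^,]+), Username = (?P<user>[^,]+), IP = (?P<ip>[^,]+),"
)

def old_group_stragglers(log_text, old_group, new_group):
    """Return {user: last_seen} for users whose latest session used old_group."""
    latest = {}  # user -> (timestamp, group) of the most recent session seen
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["group"] not in (old_group, new_group):
            continue  # other message ids and unrelated tunnel groups
        ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
        user = m["user"].strip().lower()  # AD logon names are case-insensitive
        if user not in latest or ts >= latest[user][0]:
            latest[user] = (ts, m["group"])
    # A user who moved to the new group and later came back on the old PSK
    # (for example from a second machine with the old pcf) still counts.
    return {u: ts for u, (ts, grp) in latest.items() if grp == old_group}

if __name__ == "__main__":
    for user, seen in sorted(old_group_stragglers(SAMPLE_LOG, "VPN-OLD", "VPN-NEW").items()):
        print(f"{user}: last used old group at {seen}")
```

When the returned set stays empty for as long as your longest expected gap between user logins, the old group and its compromised PSK can be deleted.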
04-04-2012 10:50 AM
Hi David,
Thanks for the prompt response.
Yes, I agree that group PSK is not the most elegant solution, and we are in the process of using some other auth method, including certificates. But we're not ready yet.
For the time being I will set up a new pcf file and distribute it to all users.
Thanks again,
Appreciated.