Massive VPN password change required

endpoint
Level 1

Hello,

Looking for a solution to change a VPN group password that was compromised. We are running ASA; users are connecting to the corporate LAN over IPsec VPN. The VPN client and default profile are distributed to the users in the form of an .exe file. Now the VPN group password has to be changed. What are my options here? We are running AD, and users are authenticated against AD when they log in over VPN. One option is to distribute the new VPN password to all users so they can manually enter it, but this could be very time-consuming, prone to errors, and lead to a massive number of help desk calls.

Has anyone dealt with this task and have a solution they would like to share?

Any suggestion is highly appreciated.

Regards,

Accepted Solutions

david.g.white
Level 1

The use of a group PSK does in fact enable users to copy the pcf file from a work machine onto a home machine and, without knowing the PSK, gain access. Yes, they do need user auth, but this is a DLP issue.

I would consider removing this problem once and for all by migrating to certificate-based IKE phase 1.

To your original point! There is no easy way of making this change:

Set up a new group with the revised PSK and issue new pcf files with the new details.

Monitor usage of the old group and delete as appropriate.

Sent from Cisco Technical Support iPad App
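
One way to do the "monitor usage of the old group" step from the answer above, as an added example that is not part of the original thread: a script that reads ASA syslog and lists users whose most recent IKE phase 1 login still used the old group. The 713119 message layout is an assumption about how the ASA logs these sessions, the group names `CORP-VPN` and `CORP-VPN-2` are hypothetical, and the log lines are constructed.

```python
import re

# Assumed shape of ASA syslog 713119 for a remote-access IKEv1 session:
#   %ASA-5-713119: Group = <tunnel-group>, Username = <user>, IP = <peer>, PHASE 1 COMPLETED
PHASE1 = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d{2}:\d{2}:\d{2}).*%ASA-5-713119: "
    r"Group = (?P<group>[^,]+), Username = (?P<user>[^,]+), "
    r"IP = (?P<ip>[^,]+), PHASE 1 COMPLETED"
)

# Constructed sample log (hypothetical hosts, users and documentation-range IPs).
SAMPLE_LOG = """\
Mar  3 08:01:12 asa1 %ASA-5-713119: Group = CORP-VPN, Username = alice, IP = 198.51.100.10, PHASE 1 COMPLETED
Mar  3 08:05:40 asa1 %ASA-5-713119: Group = CORP-VPN, Username = bob, IP = 198.51.100.22, PHASE 1 COMPLETED
Mar  4 09:12:03 asa1 %ASA-5-713119: Group = CORP-VPN-2, Username = Alice, IP = 198.51.100.10, PHASE 1 COMPLETED
Mar  4 09:30:00 asa1 unrelated line that the parser must skip
Mar  5 07:45:19 asa1 %ASA-5-713119: Group = CORP-VPN, Username = bob, IP = 203.0.113.7, PHASE 1 COMPLETED
""".splitlines()


def old_group_usage(lines, old_group, new_group):
    """Summarise every user seen on old_group; lines must be in chronological order."""
    last_group = {}   # user -> group used by the most recent login
    report = {}       # user -> old-group login count, last timestamp, last peer IP
    for line in lines:
        m = PHASE1.search(line)
        if not m or m["group"] not in (old_group, new_group):
            continue
        user = m["user"].strip().lower()   # AD logon names are case-insensitive
        last_group[user] = m["group"]
        if m["group"] == old_group:
            entry = report.setdefault(user, {"old_logins": 0})
            entry["old_logins"] += 1
            entry["last_seen"] = m["ts"]
            entry["last_ip"] = m["ip"]
    for user, entry in report.items():
        # Migrated means the latest login for this user came in on the new group.
        entry["migrated"] = last_group[user] == new_group
    return report


def pending_users(report):
    """Users still on the old PSK; the old group can go once this stays empty."""
    return sorted(u for u, e in report.items() if not e["migrated"])


if __name__ == "__main__":
    usage = old_group_usage(SAMPLE_LOG, "CORP-VPN", "CORP-VPN-2")
    for user in pending_users(usage):
        print(user, usage[user])
```

Because the old PSK is the compromised one, old-group logins from peer addresses a user has not connected from before are worth reviewing before the group is deleted.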


Hi David,

Thanks for the prompt response.

Yes, I agree that group PSK is not the most elegant solution, and we are in the process of moving to some other auth method, including certificates. But we're not ready yet.

For the time being I will set up a new pcf file and distribute it to all users.

Thanks again,

Appreciated.
