Cisco Support Community

New Member

Massive VPN password change required

Hello,

Looking for a solution to change a VPN group password that was compromised. We are running ASA; users are connecting to the corporate LAN over IPsec VPN. The VPN client and default profile are distributed to the users in the form of an .exe file. Now the VPN group password has to be changed. What are my options here? We are running AD; users are authenticated against AD when they log in over VPN. One option is to distribute the new VPN password to all users so they can manually enter it, but this could be very time-consuming and prone to errors and a massive number of help desk calls.

Has anyone experienced this task and has a solution they would like to share?

Any suggestion is highly appreciated.

Regards,

Accepted Solutions
New Member

Re: Massive VPN password change required

The use of a group PSK does in fact enable users to copy the pcf file from a work machine onto a home machine and, without knowing the PSK, gain access. Yes, they do need user auth, but this is a DLP issue.

I would consider removing this problem once and for all by migrating to certificate-based IKE phase 1.

To your original point! There is no easy way of making this change:

Set up a new group with the revised PSK and issue new pcf files with the new details.

Monitor usage of the old group and delete as appropriate.

Sent from Cisco Technical Support iPad App
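
One way to carry out the "monitor usage of the old group" step above, as an added example that is not part of the original post: the script reads collected ASA syslog and lists users whose most recent session still used the old tunnel group. It assumes session lines carry `Group = ..., Username = ..., IP = ...` fields; the function name, group names and sample lines are constructed for illustration.

```python
import re

# Assumption: session lines carry "Group = <name>, Username = <user>, IP = <addr>".
SESSION_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s.*?%ASA-\d-\d+:\s*"
    r"Group = (?P<group>[^,]+), Username = (?P<user>[^,]+), IP = (?P<ip>[\d.]+)"
)

# Constructed sample log; group names, users and addresses are made up.
SAMPLE_LOG = """\
Mar  3 08:01:12 asa1 %ASA-4-113019: Group = CORP-VPN, Username = alice, IP = 198.51.100.7, Session disconnected.
Mar  3 09:15:40 asa1 %ASA-4-113019: Group = CORP-VPN, Username = bob, IP = 203.0.113.20, Session disconnected.
Mar  4 07:55:03 asa1 %ASA-5-111008: User 'admin' executed the 'write memory' command.
Mar  4 08:02:31 asa1 %ASA-4-113019: Group = CORP-VPN-2, Username = Alice, IP = 198.51.100.7, Session disconnected.
Mar  4 08:30:00 asa1 %ASA-4-113019: Group = CORP-VPN-2, Username = carol, IP = 192.0.2.44, Session disconnected.
Mar  5 22:10:09 asa1 %ASA-4-113019: Group = CORP-VPN, Username = bob, IP = 203.0.113.99, Session disconnected.
"""


def old_group_stragglers(log_text, old_group):
    """Return users whose most recent logged session still used old_group."""
    latest = {}  # user -> group of the most recent session, in log order
    usage = {}   # user -> summary of that user's old-group sessions
    for line in log_text.splitlines():
        m = SESSION_RE.match(line)
        if not m:
            continue  # not a VPN session line
        user = m["user"].strip().lower()  # AD logon names are case-insensitive
        group = m["group"].strip()
        latest[user] = group
        if group == old_group:
            rec = usage.setdefault(
                user, {"sessions": 0, "ips": set(), "last_seen": None}
            )
            rec["sessions"] += 1
            rec["ips"].add(m["ip"])
            rec["last_seen"] = m["ts"]
    # Users who have since connected through another group are already migrated.
    return {u: rec for u, rec in usage.items() if latest[u] == old_group}


if __name__ == "__main__":
    stragglers = old_group_stragglers(SAMPLE_LOG, "CORP-VPN")
    for user, rec in sorted(stragglers.items()):
        print(user, rec["sessions"], rec["last_seen"], sorted(rec["ips"]))
```

An empty result over a long enough log window means nobody's latest session used the old group, which is the point at which it can be deleted.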

New Member

Re: Massive VPN password change required

Hi David,

Thanks for the prompt response.

Yes, I agree that group PSK is not the most elegant solution, and we are in the process of using some other auth method including certificates. But we're not ready yet.

For the time being I will set up a new pcf file and distribute it to all users.

Thanks again,

Appreciated.
