Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

VPN user-authentication on PIX515E 6.3

Hi,

I would like to know how to configure a VPN client user authentication on PIX515E instead of group Authentication.

regards,

Gilbert

5 REPLIES

Re: VPN user-authentication on PIX515E 6.3

Gilbert

You can create local users database in PIX for user authentication, they still need to authenticate through the tunnel group though.

This link provides more info, it also applies to 6.x code.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008060f25c.shtml

Jorge

New Member

Re: VPN user-authentication on PIX515E 6.3

Jorge,

Here is the scenario:

I've a got a pix 515E setup for vpn client to access using group

authentication. There is a group authentication setup. Clients are able to connect by using this group profile on the vpn client. And I want to setup the why that after they click on that profile on the vpn client I want to setup a second authentication which is for the user Authentication.

regards,

gilbert

Re: VPN user-authentication on PIX515E 6.3

Currently your vpn clients connect using tunnel group authentication , in order to activate user authentication after they pass the group authentication. For this you to either confiure an external RADIUS server or build a LOCAL user database within the pix for your vpn users and you have to instruct firewall under your tunnel group how the clients will autenticate using LOCAL database, the local database you build the users within the PIX firewall and you have to configure each user name in the database, this is found under in the system properties tab/administration/user accounts.

For example to create two users: (privilege 0 is to not allow users admin access to firewall but RA vpn will use local user database for single user vpn autentication)

username user1 password xxxxxx privilege 0

username user2 password xxxxxx privilege 0

I beliebe in 6.x code under your current crypto map you would add bellow statement

crypto map outside_map client authentication LOCAL , but if you are running 7.x above the link provided shows how is done in 7.x

read carefully the link and scritp process.

Once you create this, your vpn users will get a second authentication window when the vpn-in.

Rgds

Jorge

New Member

Re: VPN user-authentication on PIX515E 6.3

Hi George,

I would like to know how you did it based only on Group Authentication. I dont need individual user authentication. Appreciate if you can pass a sample config. Thanks.

Re: VPN user-authentication on PIX515E 6.3

Hi Khaled,

If you just want to authenticate only through the tunnel group and not be prompted for individual user authentication it is posible, I had similar question a week ago.

Refer to this link, but I do not know if this command isakmp ikev1-user-authentication none exists in pix code 6.3.x if you are running 6.x code.

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=Firewalling&topicID=.ee6e1fa&fromOutline=&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc0bc14

HTH

Rgds

-Jorge

PLS Rate any helpful post if it helped

149
Views
0
Helpful
5
Replies
CreatePlease to create content