Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Xauth on pix 506E


Does anyone know if it is possible to enable Xauth on pix. I have read multiple threads about using the following cmds:

username test123password testing privilege 2

aaa-server LOCAL protocol local

crypto map mycrypto client authentication LOCAL

However the f/w wont let me add the crypto map cmd, just comes back with the following:

PIX(config)# c.rypto map mycryptomap client authenication LOCAL

Usage:  [ show ] crypto { ca | dynamic-map | ipsec | isakmp | map | sa } ...

        show crypto engine [verify]

        [ show | clear ] crypto interface [counters]

Being pix I cant get anymore help from it. I also tried the following, but they dont work and I am not sure if they are meant for Xauth since I was under the impression that it had to be enabled globally.

PIX(config)# vpngroup test authentication-server LOCAL

Protocol "local" is not supported for authentication of remote users of a h/w client

PIX(config)# vpngroup test user-authentication       

Please configure an authentication server before enabling user authentication.

This is the details of the f/w:

Cisco PIX Firewall Version 6.3(5)

Cisco PIX Device Manager Version 3.0(4)

Hardware:   PIX-506E, 32 MB RAM, CPU Pentium II 300 MHz

Flash E28F640J3 @ 0x300, 8MB

BIOS Flash AM29F400B @ 0xfffd8000, 32KB

This PIX has a Restricted (R) license.

Has anyone encountered this problem or know how to fix it? Everything I read on Internet and past threads suggests that the crypto map cmd should work, so cant understand why the firewall wont take it.



Xauth on pix 506E

Remove the AAA server configuration and try entering the command on the crypto map.  Also, you don't need to specify an authentication-server group in the vpngroups

Xauth on pix 506E

Here is a link below from Cisco Docs, guide you all the steps of the way.


Rizwan Rafeek

New Member

Xauth on pix 506E

I gave up on this, after trying everything could never get to work. Was easier and better for my sanity to upgrade to an ASA