titanax asked:
Need to authenticate user for Cisco VPN Client

Currently, I have a working VPN Client connection to my PIX515.

But I need to beef up the security, I need the Cisco to prompt for User & Password authentication.

How do I do this?
Voltz-dk

Try with this:

crypto map outside_map client authentication LOCAL

Unless you have some external authentication server (Radius or the likes)

Notice "outside_map" should match the tag you are using..
titanax

ASKER

I don't have any outside authentication - do I really need one?

Can I set up the PIX to do that?

Voltz-dk

The line I showed you above should make it able to authenticate using the local user database.  The command was:

crypto map outside_map client authentication LOCAL

Notice "outside_map" should match the tag you are using..
titanax

ASKER

Sorry, I am new to this as well. How do I create a local database & how do I create a tag?

Voltz-dk

If you have a working VPN, you already have a tag on your current crypto map.  Type "show crypto map" to see it:

Crypto Map: "outside_map" interfaces: { outside }
                  ^
                 Tag

By default the PIX has a local database, I don't think you can disable it (although it can be empty). "show aaa-server":

aaa-server LOCAL protocol local
(You likely have other lines too, for radius, tacacs+)

So to populate the database, you use username - like this:

username jolly password rogers priv 1
ASKER CERTIFIED SOLUTION
Voltz-dk
Just to clarify though, don't expect the users to appear in "show aaa-server" - they won't.  "show user" will show the users configured.
titanax

ASKER

if the users do not appear - how do I track them / remove them or maintain the database?
titanax

ASKER

"username jolly password rogers priv 1"

What difference does the priority in privileges make? e.g. 1 & 2?

Voltz-dk

They appear in the configuration, and you can see them all either by displaying the entire configuration or with the "show user" as above.  You can remove them again with "no user jolly"
The PIX can't see a difference in the users you make for VPN, and those you make for logging into the PIX.  It may not make a difference unless you later enable authentication for logins and/or authorization for commands.  But if the users are solely meant for the VPN, it makes sense to make sure they have the lowest available privileges.
titanax

ASKER

So giving VPN users "priv 15" should be ok right?

Qn: Is there a limit to the no. of users I can create in the local database?
Voltz-dk

Privilege 1 is the lowest, 15 is the highest - so 15 is to be compared with administrator.  I would use 1 (or 2) for VPN users.

I am not aware of any user limit, but I have never had many users on the PIX.  I have not seen any limit mentioned anywhere though.
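As an added check that is not part of this thread, the following Python script audits a PIX configuration dump for the two points discussed above: crypto maps that lack a "client authentication" line, and accounts meant only for VPN that carry a higher privilege level than needed. The sample configuration, the VPN_ONLY_USERS set and the privilege threshold are constructed assumptions, not values from the thread.

```python
import re

# Constructed sample PIX configuration (not from the thread): one crypto map
# with client authentication enabled, one without, and three local users.
SAMPLE_CONFIG = """\
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
crypto map dmz_map 10 ipsec-isakmp dynamic dmz_dyn_map
crypto map dmz_map interface dmz
aaa-server LOCAL protocol local
username jolly password rogers privilege 1
username admin password secret privilege 15
username vpnbob password hunter privilege 15
"""

# Hypothetical list of accounts intended only for VPN access. The PIX itself
# does not distinguish VPN users from login users, so the operator must track this.
VPN_ONLY_USERS = {"jolly", "vpnbob"}

MAP_RE = re.compile(r"^crypto map (\S+) (\d+|client|interface)\b(.*)$")
USER_RE = re.compile(
    r"^username (\S+) password \S+(?: encrypted)?(?: priv(?:ilege)? (\d+))?$"
)

def audit(config, vpn_users=VPN_ONLY_USERS, max_vpn_priv=2):
    """Return a list of (severity, message) findings for a PIX config text."""
    maps, authenticated, users = set(), set(), {}
    for line in config.splitlines():
        line = line.strip()
        m = MAP_RE.match(line)
        if m:
            tag, kind, rest = m.groups()
            maps.add(tag)
            if kind == "client" and rest.strip().startswith("authentication "):
                authenticated.add(tag)
            continue
        u = USER_RE.match(line)
        if u:
            name, priv = u.groups()
            # Assumed default of privilege 2 when the keyword is absent.
            users[name] = int(priv) if priv is not None else 2
    findings = []
    for tag in sorted(maps - authenticated):
        findings.append(("high", f"crypto map {tag}: no 'client authentication' line"))
    for name in sorted(vpn_users):
        if name not in users:
            findings.append(("medium", f"VPN user {name} not found in local database"))
        elif users[name] > max_vpn_priv:
            findings.append(("medium", f"VPN user {name} has privilege {users[name]}"))
    return findings
```

Feed it the output of "show running-config" (or "write terminal") captured to a file; each finding names the crypto map tag or username to fix.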
titanax

ASKER

OK... thank you very much!