titanax
asked on
Need to authenticate user for Cisco VPN Client
Currently, I have a working VPN Client connection to my PIX515.
But I need to beef up the security, I need the Cisco to prompt for User & Password authentication.
How do I do this?
ASKER
I don't have any outside authentication - do I really need one?
Can I set up the PIX to do that?
The line I showed you above should make it able to authenticate using the local user database. The command was:
crypto map outside_map client authentication LOCAL
Notice "outside_map" should match the tag you are using..
ASKER
sorry..I am new to this as well. How do I create a local database & how do I create a tag ?
If you have a working VPN, you already have a tag on your current crypto map. type "show crypto map" to see it:
Crypto Map: "outside_map" interfaces: { outside }
^
Tag
By default the PIX has a local database, I don't think you can disable it (although it can be empty). "show aaa-server":
aaa-server LOCAL protocol local
(You likely have other lines too, for radius, tacacs+)
So to populate the database, you use username - like this:
username jolly password rogers priv 1
Just to clarify though, don't expect the users to appear in "show aaa-server" - they won't. "show user" will show the users configured.
ASKER
if the users do not appear - how do I track them / remove them or maintain the database?
ASKER
"username jolly password rogers priv 1"
what difference does the priority in privileges do? eg 1 & 2 ?
They appear in the configuration, and you can see them all either by displaying the entire configuration or with the "show user" as above. You can remove them again with "no user jolly"
The PIX can't see a difference between the users you make for VPN and those you make for logging into the PIX. It may not make a difference unless you later enable authentication for logins and/or authorization for commands. But if the users are solely meant for the VPN, it makes sense to make sure they have the lowest available privileges.
ASKER
So giving VPN users "priv 15" should be ok right?
Qn: Is there a limit to the no. of users I can create in the local database?
Privilege 1 is the lowest, 15 is the highest - so 15 is comparable to administrator. I would use 1 (or 2) for VPN users.
I am not aware of any user limit, but I have never had many users on the PIX. I have not seen any limit mentioned anywhere though.
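The two pieces of advice in this thread (bind XAUTH to the LOCAL database with "crypto map <tag> client authentication LOCAL", and keep VPN-only accounts at privilege 1 rather than 15) are easy to get wrong on a box with more than one crypto map or more than a handful of usernames. The script below is an added example, not code from the thread or from Cisco: it parses a constructed PIX 6.x config fragment (not taken from any real device) and reports crypto maps that accept dynamic peers on an interface without client authentication, XAUTH server tags that no aaa-server line defines, and usernames above privilege 2. The regexes assume PIX 6.x command syntax as shown in the thread; the rule that a username with no "privilege" keyword gets level 2 is an assumption about PIX 6.3 defaults, and the privilege threshold is a parameter you can change.

```python
import re

# Constructed sample PIX 6.x running-config fragment (not from a real device).
# It contains the commands from the thread plus a second, unprotected crypto map
# and an over-privileged VPN user, so the audit has something to flag.
SAMPLE_CONFIG = """\
aaa-server LOCAL protocol local
username jolly password rogers privilege 1
username admin password letmein privilege 15
username vpnbob password hunter2 privilege 15
crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client configuration address respond
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
crypto map dmz_map 10 ipsec-isakmp dynamic dmz_dyn_map
crypto map dmz_map interface dmz
"""

USERNAME_RE = re.compile(
    r"^username (\S+) (?:nopassword|password \S+(?: encrypted)?)(?: privilege (\d+))?$"
)
AAA_SERVER_RE = re.compile(r"^aaa-server (\S+) protocol \S+$")
CRYPTO_MAP_RE = re.compile(r"^crypto map (\S+) (.+)$")


def parse_config(text):
    """Collect local users, aaa-server tags and crypto-map settings from a PIX config."""
    users = {}        # username -> privilege level
    servers = set()   # aaa-server tags (LOCAL, plus any radius/tacacs+ groups)
    crypto_maps = {}  # tag -> {"interface": ..., "dynamic": ..., "xauth": ...}
    for raw in text.splitlines():
        line = raw.strip()
        m = USERNAME_RE.match(line)
        if m:
            # Assumption: PIX 6.3 gives a username without "privilege" level 2.
            users[m.group(1)] = int(m.group(2)) if m.group(2) else 2
            continue
        m = AAA_SERVER_RE.match(line)
        if m:
            servers.add(m.group(1))
            continue
        m = CRYPTO_MAP_RE.match(line)
        if not m:
            continue
        tag, rest = m.group(1), m.group(2).split()
        entry = crypto_maps.setdefault(
            tag, {"interface": None, "dynamic": False, "xauth": None}
        )
        if rest[0] == "interface" and len(rest) > 1:
            entry["interface"] = rest[1]                 # map is applied to an interface
        elif rest[:2] == ["client", "authentication"] and len(rest) > 2:
            entry["xauth"] = rest[2]                     # XAUTH server tag, e.g. LOCAL
        elif rest[0].isdigit() and "dynamic" in rest:
            entry["dynamic"] = True                      # accepts remote-access clients
    return {"users": users, "servers": servers, "crypto_maps": crypto_maps}


def audit(text, max_vpn_privilege=2):
    """Return a list of findings; an empty list means nothing to fix."""
    cfg = parse_config(text)
    findings = []
    for tag, cm in cfg["crypto_maps"].items():
        if cm["dynamic"] and cm["interface"] and cm["xauth"] is None:
            findings.append(
                f"crypto map {tag} on interface {cm['interface']} accepts dynamic "
                f"(remote-access) peers without user authentication; add "
                f"'crypto map {tag} client authentication LOCAL'"
            )
        elif cm["xauth"] and cm["xauth"] not in cfg["servers"]:
            findings.append(
                f"crypto map {tag} authenticates against '{cm['xauth']}' but no "
                f"aaa-server with that tag is defined"
            )
    for name, priv in sorted(cfg["users"].items()):
        if priv > max_vpn_privilege:
            findings.append(
                f"username {name} has privilege {priv}; if this account only exists "
                f"for VPN (XAUTH) logins, lower it to privilege 1"
            )
    if not cfg["users"]:
        findings.append("no local usernames configured; XAUTH against LOCAL would reject everyone")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("-", finding)
```

Run it against the output of "show config" (or "write terminal") saved to a file; on the sample above it reports the unprotected dmz_map and the two privilege-15 accounts, and says nothing about outside_map or jolly, which is the state the thread recommends.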
ASKER
ok...thank you very much !
crypto map outside_map client authentication LOCAL
Unless you have some external authentication server (Radius or the likes)
Notice "outside_map" should match the tag you are using..