Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Prompting Users for Password when launching Cisco VPN Client

Posted on 2004-08-12
9
Medium Priority
?
808 Views
Last Modified: 2013-11-16
I have a PIX 515 setup for VPN Client access for users using Cisco VPN Client. All works well, but I'm getting requests from management about forcing users to put in a password each and everytime they launch Cisco VPN Client from their home PCs.  This password authentication step would be separate from the VPN Group Authentication password already in theVPN Client profile.

How do I go about setting this up?  Many thanks in advance.
0
Comment
Question by:Audy Bautista
9 Comments
 
LVL 36

Expert Comment

by:grblades
ID: 11786588
Hi keno9595,
I would advise that you make use of a separate Radius authentication server. This will give you this feature and also the added benefit of being able to issue ACL's to each individual users VPN session so you can limit what machines and services they can access.

I have documented this configuration on my website
PIX as multi user VPN server - http://www.gbnetwork.co.uk/networking/ciscopixvpnradius.html
0
 

Author Comment

by:Audy Bautista
ID: 11786850
This sounds like a great solution, but I was hoping for a client side solution rather then a PIX configuration change.  Plus, although I have plenty of Cisco and Microsoft experience, unfortunately I don't have any Linux experience.  

Is there a Windows version of this software?  Is there a client side solution for this problem?
0
 
LVL 2

Expert Comment

by:rmharwood
ID: 11786895
Perhaps Cisco Secure Access Control Server is what you want:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/index.html
0
Put Machine Learning to Work--Protect Your Clients

Machine learning means Smarter Cybersecurity™ Solutions.
As technology continues to advance, managing and analyzing massive data sets just can’t be accomplished by humans alone. It requires huge amounts of memory and storage, as well as the high-speed power of the cloud.

 
LVL 36

Expert Comment

by:grblades
ID: 11786972
You will have to modify the PIX configuration as it is the only way to get XAUTH enabled which is what is required for the client to prompt the user for the password.

There was a free copy of Cisco EasyACS that was given away with some products. Other than that I don't know of any free windows ones. As rmharwood said you would probably be better off with the Cisco ACS server if you have to run it on Windows.
0
 

Author Comment

by:Audy Bautista
ID: 11787098
I have setup Cisco ACS Server before in one my past jobs, but my company is very tight when it comes to spending on Technology.  I think I'll probably go with Grblades' solution.  

Grblades, from start to finish how long would it take to setup your solution?  Thanks.
0
 
LVL 36

Expert Comment

by:grblades
ID: 11787175
Most of the time will probably be taken up installing Linux Fedora (Core 1 or 2 is fine). You can add the radius and vpn user ACL's that are shown in my example at any time. To enable extended authentication you just add this line:-
crypto map outside_map client authentication partnerauth
You can add it to make sure it works and just remove this single line if anything goes wrong.

Pasting in the lines into the PIX and adding and configuring the Radius server should take about 15 minutes but it depends how much you know Linux.
0
 
LVL 13

Expert Comment

by:td_miles
ID: 11790348
You can use the windows RADIUS server that comes with windows 2000 & 2003 (I'm assuming that you have at least one of these, not too many places don't).

Cisco have step-by-step guide on how to configure the PIX & the windows server for this:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800b6099.shtml

There is no client config, the config changes are to the PIX & the windows server.
0
 

Accepted Solution

by:
chrisdixon earned 750 total points
ID: 11844412
Have you considered using local authentication on the PIX for VPN Client connections?
If you are running PIX OS version 6.3 or above, you can use a local user database (stored in the PIX itself) if an external RADIUS/TACACS server is not available.

You configure the PIX for local VPN authentication as follows:

aaa-server LOCAL protocol local
crypto map CRYPTO_MAP_NAME client authentication LOCAL (insert the correct name for your crypto map here)

and add users to the PIX database:
username johndoe password mysecretpassword privilege 15
username homeuser password letmein privilege 15
etc.

When VPN Client users connect, they will be prompted for their username/password as configured above.
0
 

Expert Comment

by:cns13
ID: 14150632
But make sure you capitalize "LOCAL".  I just spent about an hour fiddling, swearing, kicking, etc. -all because I was typing it in lower case.  Since when is Cisco case sensitive?
0

Featured Post

Hire Technology Freelancers with Gigs

Work with freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely, and get projects done right.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intention…
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
Video by: ITPro.TV
In this episode Don builds upon the troubleshooting techniques by demonstrating how to properly monitor a vSphere deployment to detect problems before they occur. He begins the show using tools found within the vSphere suite as ends the show demonst…
We’ve all felt that sense of false security before—locking down external access to a database or component and feeling like we’ve done all we need to do to secure company data. But that feeling is fleeting. Attacks these days can happen in many w…
Suggested Courses
Course of the Month12 days, 12 hours left to enroll

972 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question