Solved

Prompting Users for Password when launching Cisco VPN Client

Posted on 2004-08-12
9
802 Views
Last Modified: 2013-11-16
I have a PIX 515 set up for VPN Client access for users using Cisco VPN Client. All works well, but I'm getting requests from management about forcing users to put in a password each and every time they launch Cisco VPN Client from their home PCs.  This password authentication step would be separate from the VPN Group Authentication password already in the VPN Client profile.

How do I go about setting this up?  Many thanks in advance.
Question by:Audy Bautista
9 Comments
 
LVL 36

Expert Comment

by:grblades
ID: 11786588
Hi keno9595,
I would advise that you make use of a separate RADIUS authentication server. This will give you this feature and also the added benefit of being able to issue ACLs to each individual user's VPN session so you can limit what machines and services they can access.

I have documented this configuration on my website
PIX as multi user VPN server - http://www.gbnetwork.co.uk/networking/ciscopixvpnradius.html
 

Author Comment

by:Audy Bautista
ID: 11786850
This sounds like a great solution, but I was hoping for a client-side solution rather than a PIX configuration change.  Plus, although I have plenty of Cisco and Microsoft experience, unfortunately I don't have any Linux experience.

Is there a Windows version of this software?  Is there a client-side solution for this problem?
 
LVL 2

Expert Comment

by:rmharwood
ID: 11786895
Perhaps Cisco Secure Access Control Server is what you want:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/index.html

 
LVL 36

Expert Comment

by:grblades
ID: 11786972
You will have to modify the PIX configuration as it is the only way to get XAUTH enabled which is what is required for the client to prompt the user for the password.

There was a free copy of Cisco EasyACS that was given away with some products. Other than that I don't know of any free Windows ones. As rmharwood said, you would probably be better off with the Cisco ACS server if you have to run it on Windows.
 

Author Comment

by:Audy Bautista
ID: 11787098
I have set up Cisco ACS Server before in one of my past jobs, but my company is very tight when it comes to spending on technology.  I think I'll probably go with Grblades' solution.

Grblades, from start to finish how long would it take to setup your solution?  Thanks.
 
LVL 36

Expert Comment

by:grblades
ID: 11787175
Most of the time will probably be taken up installing Linux Fedora (Core 1 or 2 is fine). You can add the RADIUS and VPN user ACLs that are shown in my example at any time. To enable extended authentication you just add this line:
crypto map outside_map client authentication partnerauth
You can add it to make sure it works and just remove this single line if anything goes wrong.

Pasting the lines into the PIX and adding and configuring the RADIUS server should take about 15 minutes, but it depends how much you know Linux.
 
LVL 13

Expert Comment

by:td_miles
ID: 11790348
You can use the Windows RADIUS server that comes with Windows 2000 & 2003 (I'm assuming that you have at least one of these; not too many places don't).

Cisco has a step-by-step guide on how to configure the PIX & the Windows server for this:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800b6099.shtml

There is no client config; the config changes are to the PIX & the Windows server.
 

Accepted Solution

by:chrisdixon (earned 250 total points)
ID: 11844412
Have you considered using local authentication on the PIX for VPN Client connections?
If you are running PIX OS version 6.3 or above, you can use a local user database (stored in the PIX itself) if an external RADIUS/TACACS server is not available.

You configure the PIX for local VPN authentication as follows:

aaa-server LOCAL protocol local
crypto map CRYPTO_MAP_NAME client authentication LOCAL
(insert the correct name for your crypto map in place of CRYPTO_MAP_NAME)

and add users to the PIX database:
username johndoe password mysecretpassword privilege 15
username homeuser password letmein privilege 15
etc.

When VPN Client users connect, they will be prompted for their username/password as configured above.
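The following PIX OS 6.3 fragment pulls together grblades' single partnerauth line and chrisdixon's local-database answer into one complete remote-access configuration. It is added here as a worked example and is not taken from the thread or from Cisco documentation; the interface name (outside), crypto map name (outside_map), VPN group name (vpnclients), address pool, RADIUS server address and shared secret are hypothetical placeholders. Lines beginning with "!" are notes for the reader and should be left out when pasting into the PIX.

```cisco
! Added example, not from the original thread. Assumes PIX OS 6.3, an interface
! named "outside", a crypto map named outside_map, a VPN group named vpnclients
! and an inside RADIUS server at 192.168.1.10 (all hypothetical values).

! --- Option A: authenticate XAUTH users against the PIX's own user database ---
! The server tag LOCAL is case-sensitive (see cns13's comment below).
aaa-server LOCAL protocol local
! Privilege 2 is the default and is all an XAUTH-only account needs. Privilege
! 15 would also give the account enable-level command access if command
! authorization against LOCAL is ever enabled on this PIX.
username johndoe password mysecretpassword privilege 2
username homeuser password letmein privilege 2

! --- Option B: authenticate XAUTH users against an external RADIUS server ---
! (the grblades / td_miles approach; address and secret are placeholders)
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host 192.168.1.10 r4diusS3cret timeout 5

! The existing remote-access group stays as it was: the group name and group
! password are the ones already stored in the VPN Client profile.
ip local pool vpnpool 10.10.10.1-10.10.10.50
vpngroup vpnclients address-pool vpnpool
vpngroup vpnclients idle-time 1800
vpngroup vpnclients password GroupPreSharedKey

! Enable XAUTH on the crypto map; this is the one line that makes the VPN
! Client prompt for a per-user password on every connection. Use exactly one
! of the two "client authentication" lines, matching the option chosen above.
crypto map outside_map client authentication LOCAL
! crypto map outside_map client authentication partnerauth
crypto map outside_map client configuration address initiate
crypto map outside_map client configuration address respond
crypto map outside_map interface outside

! Verify: connect with the VPN Client, answer the new username/password prompt,
! then on the PIX:
!   show isakmp sa         - the phase 1 SA for the client should be present
!   show uauth             - lists currently authenticated users
!   debug crypto isakmp    - shows the XAUTH exchange and any failures live
```

If the prompt does not appear, check the server tag spelling and case on the "client authentication" line first (cns13's point below), and confirm with "show aaa-server" that the tag you used exists; for option B, a RADIUS server that never answers makes the client time out rather than fail cleanly, so the "timeout 5" value is worth keeping short while testing.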
 

Expert Comment

by:cns13
ID: 14150632
But make sure you capitalize "LOCAL".  I just spent about an hour fiddling, swearing, kicking, etc. -all because I was typing it in lower case.  Since when is Cisco case sensitive?