Solved

Prompting Users for Password when launching Cisco VPN Client

Posted on 2004-08-12
Last Modified: 2013-11-16
I have a PIX 515 setup for VPN Client access for users using Cisco VPN Client. All works well, but I'm getting requests from management about forcing users to put in a password each and every time they launch Cisco VPN Client from their home PCs. This password authentication step would be separate from the VPN Group Authentication password already in the VPN Client profile.

How do I go about setting this up?  Many thanks in advance.
Question by:Audy Bautista
9 Comments
 
LVL 36

Expert Comment

by:grblades
Hi keno9595,
I would advise that you make use of a separate Radius authentication server. This will give you this feature and also the added benefit of being able to issue ACL's to each individual users VPN session so you can limit what machines and services they can access.

I have documented this configuration on my website
PIX as multi user VPN server - http://www.gbnetwork.co.uk/networking/ciscopixvpnradius.html
0
 

Author Comment

by:Audy Bautista
This sounds like a great solution, but I was hoping for a client side solution rather than a PIX configuration change. Plus, although I have plenty of Cisco and Microsoft experience, unfortunately I don't have any Linux experience.

Is there a Windows version of this software?  Is there a client side solution for this problem?
0
 
LVL 2

Expert Comment

by:rmharwood
Perhaps Cisco Secure Access Control Server is what you want:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/index.html
0
 
LVL 36

Expert Comment

by:grblades
You will have to modify the PIX configuration as it is the only way to get XAUTH enabled which is what is required for the client to prompt the user for the password.

There was a free copy of Cisco EasyACS that was given away with some products. Other than that I don't know of any free windows ones. As rmharwood said you would probably be better off with the Cisco ACS server if you have to run it on Windows.
0
 

Author Comment

by:Audy Bautista
I have setup Cisco ACS Server before in one of my past jobs, but my company is very tight when it comes to spending on Technology. I think I'll probably go with Grblades' solution.

Grblades, from start to finish how long would it take to setup your solution?  Thanks.
0
 
LVL 36

Expert Comment

by:grblades
Most of the time will probably be taken up installing Linux Fedora (Core 1 or 2 is fine). You can add the radius and vpn user ACLs that are shown in my example at any time. To enable extended authentication you just add this line:
crypto map outside_map client authentication partnerauth
You can add it to make sure it works and just remove this single line if anything goes wrong.

Pasting in the lines into the PIX and adding and configuring the Radius server should take about 15 minutes but it depends how much you know Linux.
0
 
LVL 13

Expert Comment

by:td_miles
You can use the windows RADIUS server that comes with windows 2000 & 2003 (I'm assuming that you have at least one of these, not too many places don't).

Cisco has a step-by-step guide on how to configure the PIX & the windows server for this:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800b6099.shtml

There is no client config, the config changes are to the PIX & the windows server.
0
 

Accepted Solution

by:chrisdixon (earned 250 total points)
Have you considered using local authentication on the PIX for VPN Client connections?
If you are running PIX OS version 6.3 or above, you can use a local user database (stored in the PIX itself) if an external RADIUS/TACACS server is not available.

You configure the PIX for local VPN authentication as follows:

aaa-server LOCAL protocol local
crypto map CRYPTO_MAP_NAME client authentication LOCAL
(insert the correct name for your crypto map in place of CRYPTO_MAP_NAME)

and add users to the PIX database:
username johndoe password mysecretpassword privilege 15
username homeuser password letmein privilege 15
etc.

When VPN Client users connect, they will be prompted for their username/password as configured above.
0
 

Expert Comment

by:cns13
But make sure you capitalize "LOCAL".  I just spent about an hour fiddling, swearing, kicking, etc. -all because I was typing it in lower case.  Since when is Cisco case sensitive?
0
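A small config check, added here as an example and not part of the thread, that catches the two mistakes the answers above turn on: a crypto map applied to an interface with no client authentication line (so VPN Client users are never prompted), and a client authentication line that names an aaa-server group whose case does not match the definition (the LOCAL/local trap). The sample config, the 192.0.2.10 RADIUS host and the key placeholder are constructed.

```python
import re
from typing import Dict, List

# Constructed PIX 6.3-style fragment (not from the thread): the crypto map
# references "local" while the server group is defined as "LOCAL".
SAMPLE_CONFIG = """\
aaa-server LOCAL protocol local
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host 192.0.2.10 RADIUS_KEY_PLACEHOLDER timeout 5
crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication local
crypto map outside_map interface outside
username homeuser password letmein privilege 15
"""

# aaa-server <group> protocol <proto>
AAA_RE = re.compile(r"^aaa-server\s+(\S+)\s+protocol\s+(\S+)", re.M)
# crypto map <map> client authentication <group>   (XAUTH)
XAUTH_RE = re.compile(r"^crypto map\s+(\S+)\s+client authentication\s+(\S+)", re.M)
# crypto map <map> interface <ifname>   (only applied maps matter)
IFACE_RE = re.compile(r"^crypto map\s+(\S+)\s+interface\s+(\S+)", re.M)


def audit_xauth(config: str) -> List[str]:
    """Return findings about extended authentication (XAUTH) in a PIX config."""
    groups: Dict[str, str] = dict(AAA_RE.findall(config))
    applied = dict(IFACE_RE.findall(config))
    xauth = dict(XAUTH_RE.findall(config))
    findings = []
    for cmap in applied:
        if cmap not in xauth:
            findings.append(f"{cmap}: no client authentication; VPN Client users will not be prompted")
            continue
        grp = xauth[cmap]
        if grp in groups:
            continue
        # aaa-server group names are case-sensitive on the PIX, so look for a near miss
        near = [g for g in groups if g.lower() == grp.lower()]
        if near:
            findings.append(f"{cmap}: aaa-server '{grp}' not defined; did you mean '{near[0]}'? (case-sensitive)")
        else:
            findings.append(f"{cmap}: aaa-server '{grp}' is not defined")
    return findings


if __name__ == "__main__":
    for line in audit_xauth(SAMPLE_CONFIG) or ["no findings"]:
        print(line)
```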