Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

Prompting Users for Password when launching Cisco VPN Client

Posted on 2004-08-12
9
Medium Priority
?
809 Views
Last Modified: 2013-11-16
I have a PIX 515 setup for VPN Client access for users using Cisco VPN Client. All works well, but I'm getting requests from management about forcing users to put in a password each and everytime they launch Cisco VPN Client from their home PCs.  This password authentication step would be separate from the VPN Group Authentication password already in theVPN Client profile.

How do I go about setting this up?  Many thanks in advance.
0
Comment
Question by:Audy Bautista
9 Comments
 
LVL 36

Expert Comment

by:grblades
ID: 11786588
Hi keno9595,
I would advise that you make use of a separate Radius authentication server. This will give you this feature and also the added benefit of being able to issue ACL's to each individual users VPN session so you can limit what machines and services they can access.

I have documented this configuration on my website
PIX as multi user VPN server - http://www.gbnetwork.co.uk/networking/ciscopixvpnradius.html
0
 

Author Comment

by:Audy Bautista
ID: 11786850
This sounds like a great solution, but I was hoping for a client side solution rather then a PIX configuration change.  Plus, although I have plenty of Cisco and Microsoft experience, unfortunately I don't have any Linux experience.  

Is there a Windows version of this software?  Is there a client side solution for this problem?
0
 
LVL 2

Expert Comment

by:rmharwood
ID: 11786895
Perhaps Cisco Secure Access Control Server is what you want:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/index.html
0
The Lifecycle Approach to Managing Security Policy

Managing application connectivity and security policies can be achieved more effectively when following a framework that automates repeatable processes and ensures that the right activities are performed in the right order.

 
LVL 36

Expert Comment

by:grblades
ID: 11786972
You will have to modify the PIX configuration as it is the only way to get XAUTH enabled which is what is required for the client to prompt the user for the password.

There was a free copy of Cisco EasyACS that was given away with some products. Other than that I don't know of any free windows ones. As rmharwood said you would probably be better off with the Cisco ACS server if you have to run it on Windows.
0
 

Author Comment

by:Audy Bautista
ID: 11787098
I have setup Cisco ACS Server before in one my past jobs, but my company is very tight when it comes to spending on Technology.  I think I'll probably go with Grblades' solution.  

Grblades, from start to finish how long would it take to setup your solution?  Thanks.
0
 
LVL 36

Expert Comment

by:grblades
ID: 11787175
Most of the time will probably be taken up installing Linux Fedora (Core 1 or 2 is fine). You can add the radius and vpn user ACL's that are shown in my example at any time. To enable extended authentication you just add this line:-
crypto map outside_map client authentication partnerauth
You can add it to make sure it works and just remove this single line if anything goes wrong.

Pasting in the lines into the PIX and adding and configuring the Radius server should take about 15 minutes but it depends how much you know Linux.
0
 
LVL 13

Expert Comment

by:td_miles
ID: 11790348
You can use the windows RADIUS server that comes with windows 2000 & 2003 (I'm assuming that you have at least one of these, not too many places don't).

Cisco have step-by-step guide on how to configure the PIX & the windows server for this:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800b6099.shtml

There is no client config, the config changes are to the PIX & the windows server.
0
 

Accepted Solution

by:
chrisdixon earned 750 total points
ID: 11844412
Have you considered using local authentication on the PIX for VPN Client connections?
If you are running PIX OS version 6.3 or above, you can use a local user database (stored in the PIX itself) if an external RADIUS/TACACS server is not available.

You configure the PIX for local VPN authentication as follows:

aaa-server LOCAL protocol local
crypto map CRYPTO_MAP_NAME client authentication LOCAL (insert the correct name for your crypto map here)

and add users to the PIX database:
username johndoe password mysecretpassword privilege 15
username homeuser password letmein privilege 15
etc.

When VPN Client users connect, they will be prompted for their username/password as configured above.
0
 

Expert Comment

by:cns13
ID: 14150632
But make sure you capitalize "LOCAL".  I just spent about an hour fiddling, swearing, kicking, etc. -all because I was typing it in lower case.  Since when is Cisco case sensitive?
0

Featured Post

Evaluating UTMs? Here's what you need to know!

Evaluating a UTM appliance and vendor can prove to be an overwhelming exercise.  How can you make sure that you're getting the security that your organization needs without breaking the bank? Check out our UTM Buyer's Guide for more information on what you should be looking for!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

To setup a SonicWALL for policy based routing to be used with the Websense Content Gateway there are several steps that need to be completed. Below is a rough guide for accomplishing this. One thing of note is this guide is intended to assist in the…
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an anti-spam), the admin…
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…
Suggested Courses

581 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question