Prompting Users for Password when launching Cisco VPN Client

I have a PIX 515 set up for VPN Client access for users using Cisco VPN Client. All works well, but I'm getting requests from management about forcing users to put in a password each and every time they launch Cisco VPN Client from their home PCs. This password authentication step would be separate from the VPN Group Authentication password already in the VPN Client profile.

How do I go about setting this up?  Many thanks in advance.
Audy Bautista, Director - Managed Services, Asked:
chrisdixon Commented:
Have you considered using local authentication on the PIX for VPN Client connections?
If you are running PIX OS version 6.3 or above, you can use a local user database (stored in the PIX itself) if an external RADIUS/TACACS server is not available.

You configure the PIX for local VPN authentication as follows:

aaa-server LOCAL protocol local
crypto map CRYPTO_MAP_NAME client authentication LOCAL (insert the correct name for your crypto map here)

and add users to the PIX database:
username johndoe password mysecretpassword privilege 15
username homeuser password letmein privilege 15
etc.

When VPN Client users connect, they will be prompted for their username/password as configured above.
 
grblades Commented:
Hi keno9595,
I would advise that you make use of a separate RADIUS authentication server. This will give you this feature and also the added benefit of being able to issue ACLs to each individual user's VPN session so you can limit what machines and services they can access.

I have documented this configuration on my website
PIX as multi user VPN server - http://www.gbnetwork.co.uk/networking/ciscopixvpnradius.html
 
Audy Bautista, Director - Managed Services, Author Commented:
This sounds like a great solution, but I was hoping for a client side solution rather than a PIX configuration change. Plus, although I have plenty of Cisco and Microsoft experience, unfortunately I don't have any Linux experience.

Is there a Windows version of this software?  Is there a client side solution for this problem?
 
rmharwood Commented:
Perhaps Cisco Secure Access Control Server is what you want:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/index.html
 
grblades Commented:
You will have to modify the PIX configuration as it is the only way to get XAUTH enabled which is what is required for the client to prompt the user for the password.

There was a free copy of Cisco EasyACS that was given away with some products. Other than that I don't know of any free Windows ones. As rmharwood said, you would probably be better off with the Cisco ACS server if you have to run it on Windows.
 
Audy Bautista, Director - Managed Services, Author Commented:
I have set up Cisco ACS Server before in one of my past jobs, but my company is very tight when it comes to spending on technology. I think I'll probably go with Grblades' solution.

Grblades, from start to finish how long would it take to set up your solution? Thanks.
 
grblades Commented:
Most of the time will probably be taken up installing Linux Fedora (Core 1 or 2 is fine). You can add the RADIUS and VPN user ACLs that are shown in my example at any time. To enable extended authentication you just add this line:
crypto map outside_map client authentication partnerauth
You can add it to make sure it works and just remove this single line if anything goes wrong.

Pasting the lines into the PIX and adding and configuring the RADIUS server should take about 15 minutes, but it depends how well you know Linux.
 
td_miles Commented:
You can use the Windows RADIUS server that comes with Windows 2000 & 2003 (I'm assuming that you have at least one of these, not too many places don't).

Cisco have a step-by-step guide on how to configure the PIX & the Windows server for this:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800b6099.shtml

There is no client config; the config changes are to the PIX & the Windows server.
 
cns13 Commented:
But make sure you capitalize "LOCAL". I just spent about an hour fiddling, swearing, kicking, etc. - all because I was typing it in lower case. Since when is Cisco case sensitive?
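Added example, not written by any poster in this thread: a small Python check over a saved PIX configuration that reports, for each crypto map, whether a `client authentication` line (the XAUTH setting discussed above) is present and whether the server tag it names matches an `aaa-server` definition with the same capitalisation. The sample configuration, the function name and the finding labels are constructed for illustration, and exact-case tag matching is an assumption based on the "LOCAL" report above.

```python
# Constructed sample configuration; names are illustrative, not from a real device.
SAMPLE_CONFIG = """\
aaa-server LOCAL protocol local
aaa-server partnerauth protocol radius
crypto map outside_map 20 ipsec-isakmp dynamic dynmap
crypto map outside_map client authentication partnerauth
crypto map outside_map interface outside
crypto map home_map 10 ipsec-isakmp dynamic dynmap
crypto map home_map client authentication local
crypto map lab_map 10 ipsec-isakmp dynamic dynmap
"""


def audit_xauth(config):
    """Return {crypto_map_name: finding} for every crypto map in the config."""
    servers = set()   # tags defined by "aaa-server <tag> protocol <type>"
    maps = {}         # crypto map name -> tag used for client authentication
    for line in config.splitlines():
        words = line.split()
        if len(words) >= 4 and words[0] == "aaa-server" and words[2] == "protocol":
            servers.add(words[1])
        elif len(words) >= 3 and words[:2] == ["crypto", "map"]:
            maps.setdefault(words[2], None)
            if words[3:5] == ["client", "authentication"] and len(words) >= 6:
                maps[words[2]] = words[5]

    by_lower = {tag.lower(): tag for tag in servers}
    findings = {}
    for name, tag in maps.items():
        if tag is None:
            findings[name] = "no-xauth"  # users will not be prompted
        elif tag in servers:
            findings[name] = "ok"
        elif tag.lower() in by_lower:
            # Assumption: tags are compared case-sensitively (e.g. "local" vs "LOCAL").
            findings[name] = "case-mismatch:" + by_lower[tag.lower()]
        else:
            findings[name] = "undefined-server:" + tag
    return findings


if __name__ == "__main__":
    for name, finding in sorted(audit_xauth(SAMPLE_CONFIG).items()):
        print(f"{name}: {finding}")
```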
Question has a verified solution.
