Solved

Setup multiple VPN users on Cisco PIX 501

Posted on 2006-11-13
228 Views
Last Modified: 2010-04-12
I have a PIX 501 and, for security reasons, I want to set up many VPN users with unique logins and passwords. This way, if a laptop is stolen or the account is somehow compromised, I only need to remove that user's account on the PIX and not affect any other users. Originally, to achieve this, I was setting up a new group for each separate user. Instead of 10 different group logins and passwords, is there a way to have a single group (i.e. Sales) and have multiple user logins under that (i.e. Tim, Erica, James, etc.)?

I'm very unfamiliar with this device still as I inherited this network last year and I'm still learning the device as problems occur.  Thank you in advance for any help anyone can offer!

M. LaMartina
Question by: mlamartina
Accepted Solution by: rsivanandan (earned 350 total points), ID: 17931885
It would clutter the device itself. How about having the same group and letting the users authenticate using their Active Directory credentials? This can be done using RADIUS authentication (installing IAS on a Windows server) and authenticating with their domain username/password. Easy on users, and they don't have different passwords to remember.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800b6099.shtml

Cheers,
Rajesh

Author Comment by: mlamartina, ID: 17948321
That looks like a possible answer... Although, I was hoping for a solution at the firewall itself. Our situation is stemming from some careless sales people. They go on the road with our laptops and it's only a matter of time before one of them loses their machine or it's stolen. When this happens, I want to make sure "the bad guys" don't get into that machine and automatically connect directly into our network. Ideally, if this happens, I would like to go to the PIX itself and say, "ok, Fred's machine was stolen, I'll remove Fred's account" and not affect any of the other VPN users. Otherwise, if he's logging into the Sales Group along with 20 other users with identical credentials, I have to reset the password and visit each machine separately, which will be impossible if the sales team's laptops are on the other side of the country at a conference. :-)

Great idea though - but would rather be able to disable at the PIX, if possible.  And it's not looking like it's possible...

Thanks,
M. LaMartina
Expert Comment by: rsivanandan, ID: 17948365
Guess what, if you configure it the way I have mentioned above, they'll have to give the domain login credentials even for getting connected to the network!

Now assume that somebody has stolen the laptop: if he tries to connect, he will have to log in with the user's credentials, which I would assume is safer. There are 2 authentications there:

1. First being group (which they will get through) but still connection won't be UP!
2. Second, domain authentication, which will not be easy again since the Cisco VPN client won't store your password; you'll have to enter it every time.

Cheers,
Rajesh

Author Comment by: mlamartina, ID: 17948400
Hmmmm...  Sounds like a viable solution after all.  I'll give it a shot.  Thanks for the help and I'll let you know how it turns out.  It could be a day or two for me to get out from some of my other projects, but I'll keep you informed.

Thanks again,
ML
Expert Comment by: rsivanandan, ID: 17948447
I'm not saying that what you're asking for is not possible, but then the usual cribbing will come (since they'll have to remember 2 passwords: one for VPN and one for domain).

vpngroup myVpnGroup address-pool vpnpool
vpngroup myVpnGroup dns-server 10.131.31.11
vpngroup myVpnGroup wins-server 10.131.31.11
vpngroup myVpnGroup default-domain example.com
vpngroup myVpnGroup split-tunnel 90
vpngroup myVpnGroup idle-time 1800
vpngroup myVpnGroup max-time 86400
vpngroup myVpnGroup password ********


Something like the above is possible but not advisable in any situation.

Try out and let me know.

Cheers,
Rajesh


Author Comment by: mlamartina, ID: 18055701
Well, we're still not sure how we're going to tackle this situation, but since you helped me, Rajesh, and your solution does indeed work, the points are yours. Thank you for the help. -Mike
Expert Comment by: rsivanandan, ID: 18058505
No probs.

Cheers,
Rajesh