Solved

Setup multiple VPN users on Cisco PIX 501

Posted on 2006-11-13
209 Views
Last Modified: 2010-04-12
I have a PIX 501 and, for security reasons, I want to set up many VPN users with unique logins and passwords.  This way, if a laptop is stolen or the account is somehow compromised, I only need to remove that user's account on the PIX and not affect any other users.  Originally, to achieve this, I was setting up a new group for each separate user.  Instead of 10 different group logins and passwords, is there a way to have a single group (i.e. Sales) and have multiple user logins under that (i.e. Tim, Erica, James, etc.)?

I'm very unfamiliar with this device still as I inherited this network last year and I'm still learning the device as problems occur.  Thank you in advance for any help anyone can offer!

M. LaMartina
Question by: mlamartina

7 Comments
Accepted Solution by rsivanandan (earned 350 total points)
It would clutter the device itself. How about having the same group and letting the users authenticate using their Active Directory credentials? This can be done using RADIUS authentication (installing IAS on a Windows server) and authenticating using their domain username/password. Easy on users, and they don't have different passwords to remember.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800b6099.shtml

Cheers,
Rajesh

Author Comment by mlamartina
That looks like a possible answer...  Although, I was hoping for a solution at the firewall itself.  Our situation is stemming from some careless sales people.  They go on the road with our laptops and it's only a matter of time before one of them loses their machine or it's stolen.  When this happens, I want to make sure "the bad guys" don't get into that machine and automatically connect directly into our network.  Ideally, if this happens, I would like to go to the PIX itself and say, "ok, Fred's machine was stolen, I'll remove Fred's account" and not affect any of the other VPN users.  Otherwise, if he's logging into the Sales group along with 20 other users with identical credentials, I have to reset the password and visit each machine separately - which will be impossible if the sales team's laptops are on the other side of the country at a conference.  :-)

Great idea though - but would rather be able to disable at the PIX, if possible.  And it's not looking like it's possible...

Thanks,
M. LaMartina
Expert Comment by rsivanandan
Guess what, if you configure it the way I have mentioned above, they'll have to give the domain login credentials even for getting connected to the network!

Now assume that somebody has stolen the laptop: if he tries to connect, he will have to log in with the user's credentials, which I would assume is safer. There are two authentications there:

1. First being the group (which they will get through), but still the connection won't be UP!
2. Second, domain authentication, which will not be easy again since the Cisco VPN client won't store your password; you'll have to enter it every time.

Cheers,
Rajesh

Author Comment by mlamartina
Hmmmm...  Sounds like a viable solution after all.  I'll give it a shot.  Thanks for the help and I'll let you know how it turns out.  It could be a day or two for me to get out from some of my other projects, but I'll keep you informed.

Thanks again,
ML
Expert Comment by rsivanandan
I'm not saying that what you're asking for is not possible, but then the usual cribbing will come (since they'll have to remember two passwords: one for the VPN and one for the domain).

vpngroup myVpnGroup address-pool vpnpool
vpngroup myVpnGroup dns-server 10.131.31.11
vpngroup myVpnGroup wins-server 10.131.31.11
vpngroup myVpnGroup default-domain example.com
vpngroup myVpnGroup split-tunnel 90
vpngroup myVpnGroup idle-time 1800
vpngroup myVpnGroup max-time 86400
vpngroup myVpnGroup password ********

Something like the above is possible but not advisable in any situation.

Try out and let me know.

Cheers,
Rajesh

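As an added, worked example (not part of the thread, and not Cisco's or either poster's configuration), here is what the accepted solution looks like as one complete PIX 6.3 configuration: a single Sales group whose password is only the IKE pre-shared key, with every connecting user then authenticated individually (Xauth) against the Windows IAS RADIUS server. Everything below is assumed: the 10.131.31.11 DNS/WINS address is the one from the thread, while the RADIUS server address, the `Sales` group name, the `outside_map` crypto map, access-list 90, the address pool and all secrets are placeholders. The LOCAL variant at the end assumes the PIX is running 6.2 or later, which added a local username database usable for Xauth.

```text
! --- IKE phase 1 for the Cisco VPN Client (pre-shared key, then Xauth) ---
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal 20

! --- Addresses handed to clients, and the traffic that stays in the tunnel ---
ip local pool vpnpool 192.168.200.1-192.168.200.50
access-list 90 permit ip 10.131.0.0 255.255.0.0 192.168.200.0 255.255.255.0
nat (inside) 0 access-list 90

! --- ONE group for the whole sales team. Its password is the IKE group secret.
!     Every laptop shares it, so it cannot be used to cut off a single person.
vpngroup Sales address-pool vpnpool
vpngroup Sales dns-server 10.131.31.11
vpngroup Sales wins-server 10.131.31.11
vpngroup Sales default-domain example.com
vpngroup Sales split-tunnel 90
vpngroup Sales idle-time 1800
vpngroup Sales max-time 86400
vpngroup Sales password SalesGroupSecret

! --- Per-user step: the Windows IAS RADIUS server holding the domain accounts
!     (10.131.31.20 and the shared secret are assumed values) ---
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.131.31.20 RadiusSharedSecret timeout 5

! --- IPsec phase 2 and the dynamic crypto map for road-warrior clients ---
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic dynmap
! This line is what makes each user log in individually: Xauth against RADIUS.
crypto map outside_map client authentication RADIUS
crypto map outside_map interface outside
sysopt connection permit-ipsec

! --- Alternative: keep the accounts on the PIX itself (PIX 6.2+ local database).
!     Use these instead of the 'client authentication RADIUS' line above.
! aaa-server LOCAL protocol local
! username tim password T1msP4ssword
! username erica password Er1casP4ssword
! crypto map outside_map client authentication LOCAL
! Cutting off one stolen laptop is then a single command:   no username tim
```

With the RADIUS form, revoking a lost laptop is done by disabling that one account in Active Directory, which also ends the user's other access at the same time; nothing on the PIX changes and the other sales users keep working. In either form the group password is still stored on every laptop in the VPN client's profile (.pcf) and is recoverable from it, so it is not a secret you can rely on after a theft: plan to rotate it when the team is next reachable, but it is the per-user credential, not the group secret, that keeps the thief out in the meantime.
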
Author Comment by mlamartina
Well, we're still not sure how we're going to tackle this situation, but since you helped me, Rajesh, and your solution does indeed work, the points are yours.  Thank you for the help.  -Mike
Expert Comment by rsivanandan
No probs.

Cheers,
Rajesh