Solved

Setup multiple VPN users on Cisco PIX 501

Posted on 2006-11-13
248 Views
Last Modified: 2010-04-12
I have a PIX 501 and, for security reasons, I want to set up many VPN users with unique logins and passwords.  This way, if a laptop is stolen or the account is somehow compromised, I only need to remove that user's account on the PIX and not affect any other users.  Originally, to achieve this, I was setting up a new group for each separate user.  Instead of 10 different group logins and passwords, is there a way to have a single group (i.e. Sales) and have multiple user logins under that (i.e. Tim, Erica, James, etc.)?

I'm very unfamiliar with this device still as I inherited this network last year and I'm still learning the device as problems occur.  Thank you in advance for any help anyone can offer!

M. LaMartina
0
Question by:mlamartina
7 Comments
 
LVL 32

Accepted Solution

by:
rsivanandan earned 350 total points
ID: 17931885
It would clutter the device itself. How about having the same group and letting the users authenticate using their Active Directory credentials? This can be done using RADIUS authentication (installing IAS on a Windows server) and authenticating with their domain username/password. Easy on users, and they don't have different passwords to remember.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800b6099.shtml

Cheers,
Rajesh
0
 

Author Comment

by:mlamartina
ID: 17948321
That looks like a possible answer...  Although, I was hoping for a solution at the firewall itself.  Our situation is stemming from some careless sales people.  They go on the road with our laptops and it's only a matter of time before one of them loses their machine or it's stolen.  When this happens, I want to make sure "the bad guys" don't get into that machine and automatically connect directly into our network.  Ideally, if this happens, I would like to go to the PIX itself and say, "ok, Fred's machine was stolen, I'll remove Fred's account" and not affect any of the other VPN users.  Otherwise, if he's logging into the Sales Group along with 20 other users with identical credentials, I have to reset the password and visit each machine separately, which will be impossible if the sales team's laptops are on the other side of the country at a conference.  :-)

Great idea though, but I would rather be able to disable at the PIX, if possible.  And it's not looking like it's possible...

Thanks,
M. LaMartina
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17948365
Guess what, if you configure it the way I have mentioned above, they'll have to give the domain login credentials even for getting connected to the network!

Now assume that somebody has stolen the laptop; if he tries to connect, he will have to log in with the user's credentials, which I would assume is safer. There are 2 authentications there:

1. The first being the group (which they will get through), but the connection still won't be UP!
2. The second being domain authentication, which again will not be easy since the Cisco VPN client won't store your password; you'll have to enter it every time.

Cheers,
Rajesh
0
 

Author Comment

by:mlamartina
ID: 17948400
Hmmmm...  Sounds like a viable solution after all.  I'll give it a shot.  Thanks for the help and I'll let you know how it turns out.  It could be a day or two for me to get out from some of my other projects, but I'll keep you informed.

Thanks again,
ML
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17948447
I'm not saying that what you're asking for is not possible, but then the usual cribbing will come (since they'll have to remember 2 passwords: one for VPN and one for domain).

vpngroup myVpnGroup address-pool vpnpool
vpngroup myVpnGroup dns-server 10.131.31.11
vpngroup myVpnGroup wins-server 10.131.31.11
vpngroup myVpnGroup default-domain example.com
vpngroup myVpnGroup split-tunnel 90
vpngroup myVpnGroup idle-time 1800
vpngroup myVpnGroup max-time 86400
vpngroup myVpnGroup password ********

Something like the above is possible but not advisable in any situation.

Try out and let me know.

Cheers,
Rajesh

0
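Putting the accepted solution (one group, per-user authentication against RADIUS/IAS) together with the vpngroup lines in the comment above, here is a PIX 6.3-style configuration fragment added to this thread as an illustration. It was not posted by either participant and is not taken from the linked Cisco document. A single vpngroup named Sales serves the whole team, and `crypto map ... client authentication` forces every client through extended authentication (xauth) against the RADIUS server before the tunnel comes up. The addresses, the group name, the domain and the shared secrets are made-up placeholders; the `!` lines are annotations in the style of Cisco documentation, not configuration commands.

```text
! Added illustration for this thread: one vpngroup, per-user xauth via RADIUS (PIX 6.3 syntax).
! Placeholders: 192.168.1.0/24 = inside LAN, 192.168.1.10 = IAS/RADIUS server,
! 10.10.10.0/24 = VPN client pool, Sales = group name, SharedSecret123 = RADIUS key.
ip local pool vpnpool 10.10.10.1-10.10.10.50
access-list nonat permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list nonat
!
! RADIUS server (Windows IAS) that holds the per-user credentials
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host 192.168.1.10 SharedSecret123 timeout 5
!
! IKE phase 1 and IPsec settings
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map outside_map 10 ipsec-isakmp dynamic dynmap
!
! Extended authentication: each client must also pass a username/password
! check against partnerauth before the tunnel is established
crypto map outside_map client authentication partnerauth
crypto map outside_map interface outside
sysopt connection permit-ipsec
!
! One group for the whole sales team; the group password only gates phase 1
vpngroup Sales address-pool vpnpool
vpngroup Sales dns-server 192.168.1.10
vpngroup Sales default-domain example.com
vpngroup Sales idle-time 1800
vpngroup Sales password GroupSecretHere
```

With this layout, revoking one traveller means disabling that person's account in Active Directory (or on the RADIUS server); the PIX configuration and the other users' access are untouched, which is the per-user revocation the question asked for. The group password in `vpngroup Sales password` is still shared by every laptop and only gets a client past phase 1, so it is worth rotating if a machine is lost, but on its own it no longer yields a working tunnel.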
 

Author Comment

by:mlamartina
ID: 18055701
Well, we're still not sure how we're going to tackle this situation, but since you helped me, Rajesh, and your solution does indeed work, the points are yours.  Thank you for the help.  -Mike
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 18058505
No probs.

Cheers,
Rajesh
0
