Set up multiple VPN users on Cisco PIX 501

I have a PIX 501 and, for security reasons, I want to set up many VPN users with unique logins and passwords.  This way, if a laptop is stolen or the account is somehow compromised, I only need to remove that user's account on the PIX and not affect any other users.  Originally, to achieve this, I was setting up a new group for each separate user.  Instead of 10 different group logins and passwords, is there a way to have a single group (i.e. Sales) and have multiple user logins under that (i.e. Tim, Erica, James, etc.)?

I'm very unfamiliar with this device still as I inherited this network last year and I'm still learning the device as problems occur.  Thank you in advance for any help anyone can offer!

M. LaMartina
mlamartina Asked:
rsivanandan Commented:
It would clutter the device itself. How about having the same group and letting the users authenticate using their Active Directory credentials? This can be done using RADIUS authentication (installing IAS on a Windows server) and authenticating using their domain username/password. Easy on users, and they don't have different passwords to remember.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800b6099.shtml

Cheers,
Rajesh
mlamartina (Author) Commented:
That looks like a possible answer...  Although, I was hoping for a solution at the firewall itself.  Our situation is stemming from some careless sales people.  They go on the road with our laptops and it's only a matter of time before one of them loses their machine or it's stolen.  When this happens, I want to make sure "the bad guys" don't get into that machine and automatically connect directly into our network.  Ideally, if this happens, I would like to go to the PIX itself and say, "ok, Fred's machine was stolen, I'll remove Fred's account" and not affect any of the other VPN users.  Otherwise, if he's logging into the Sales Group along with 20 other users with identical credentials, I have to reset the password and visit each machine separately - which will be impossible if the sales team's laptops are on the other side of the country at a conference.  :-)

Great idea though - but would rather be able to disable at the PIX, if possible.  And it's not looking like it's possible...

Thanks,
M. LaMartina
rsivanandan Commented:
Guess what, if you configure it the way I have mentioned above, they'll have to give the domain login credentials even for getting connected to the network!

Now assume that somebody has stolen the laptop: if he tries to connect, he will have to log in with the user's credentials, which I would assume is safer. There are 2 authentications there:

1. First being group (which they will get through) but still connection won't be UP!
2. Second, domain authentication, which will not be easy again since the Cisco VPN client won't store your password; you'll have to enter it every time.

Cheers,
Rajesh
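The design Rajesh describes above (one shared vpngroup, plus a per-user XAUTH login checked against Active Directory through RADIUS/IAS) written out as an added PIX 6.x configuration fragment. This is not configuration from the thread; the interface names, the RADIUS server address 10.0.0.5, the 192.168.100.0/24 pool, the group name Sales, the 3DES transform and the bracketed secrets are all assumptions.

```cisco
: Added example, not from the thread. One group key for everyone; each user
: must also pass XAUTH with their own domain account, so a lost laptop is
: handled by disabling that one AD account rather than rotating the group key.
: Assumed: inside/outside interface names, IAS at 10.0.0.5, pool below.

: Addresses handed to connected VPN clients
ip local pool vpnpool 192.168.100.1-192.168.100.50

: RADIUS server group; the secret must match the client entry created in IAS
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.0.0.5 <radius-shared-secret> timeout 5

: Allow IPsec traffic through without extra conduits/ACLs
sysopt connection permit-ipsec

: IPsec and dynamic crypto map for remote-access clients
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set ESP-3DES-SHA
crypto map mymap 10 ipsec-isakmp dynamic dynmap

: XAUTH: after the group key is accepted, every user is prompted for
: their individual username/password, which the PIX checks via RADIUS
crypto map mymap client authentication RADIUS
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap interface outside

: IKE phase 1 for the Cisco VPN client (pre-shared group key)
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

: The single shared group; only this key is common to all users
vpngroup Sales address-pool vpnpool
vpngroup Sales dns-server 10.131.31.11
vpngroup Sales default-domain example.com
vpngroup Sales idle-time 1800
vpngroup Sales password <group-key>
```

Because the per-user check is done by the RADIUS server, revoking a stolen machine's access is a matter of disabling that account in Active Directory (or the IAS policy), and nothing on the PIX or the other laptops has to change.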
mlamartina (Author) Commented:
Hmmmm...  Sounds like a viable solution after all.  I'll give it a shot.  Thanks for the help and I'll let you know how it turns out.  It could be a day or two for me to get out from some of my other projects, but I'll keep you informed.

Thanks again,
ML
rsivanandan Commented:
I'm not saying that what you're asking for is not possible, but then the usual cribbing will come (since they'll have to remember 2 passwords: one for VPN and one for domain).

vpngroup myVpnGroup address-pool vpnpool
vpngroup myVpnGroup dns-server 10.131.31.11
vpngroup myVpnGroup wins-server 10.131.31.11
vpngroup myVpnGroup default-domain example.com
vpngroup myVpnGroup split-tunnel 90
vpngroup myVpnGroup idle-time 1800
vpngroup myVpnGroup max-time 86400
vpngroup myVpnGroup password ********


Something like the above is possible but not advisable in any situation.

Try out and let me know.

Cheers,
Rajesh

mlamartina (Author) Commented:
Well, we're still not sure how we're going to tackle this situation, but since you helped me Rajesh and your solution does indeed work, the points are yours.  Thank you for the help.  -Mike
rsivanandan Commented:
No probs.

Cheers,
Rajesh