Solved

Setup multiple VPN users on Cisco PIX 501

Posted on 2006-11-13
244 Views
Last Modified: 2010-04-12
I have a PIX 501 and, for security reasons, I want to set up many VPN users with unique logins and passwords.  This way, if a laptop is stolen or the account is somehow compromised, I only need to remove that user's account on the PIX and not affect any other users.  Originally, to achieve this, I was setting up a new group for each separate user.  Instead of 10 different group logins and passwords, is there a way to have a single group (i.e. Sales) and have multiple user logins under that (i.e. Tim, Erica, James, etc.)?

I'm very unfamiliar with this device still as I inherited this network last year and I'm still learning the device as problems occur.  Thank you in advance for any help anyone can offer!

M. LaMartina
Question by:mlamartina
7 Comments
 
LVL 32

Accepted Solution

by:
rsivanandan earned 350 total points
ID: 17931885
It would clutter the device itself. How about having the same group and letting the users authenticate using their Active Directory credentials? This can be done using RADIUS authentication (installing IAS on a Windows server) and authenticating with their domain username/password. Easy on users, and they don't have different passwords to remember.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800b6099.shtml

Cheers,
Rajesh
0
 

Author Comment

by:mlamartina
ID: 17948321
That looks like a possible answer...  Although, I was hoping for a solution at the firewall itself.  Our situation is stemming from some careless sales people.  They go on the road with our laptops and it's only a matter of time before one of them loses their machine or it's stolen.  When this happens, I want to make sure "the bad guys" don't get into that machine and automatically connect directly into our network.  Ideally, if this happens, I would like to go to the PIX itself and say, "ok, Fred's machine was stolen, I'll remove Fred's account" and not affect any of the other VPN users.  Otherwise, if he's logging into the Sales Group along with 20 other users with identical credentials, I have to reset the password and visit each machine separately, which will be impossible if the sales team's laptops are on the other side of the country at a conference.  :-)

Great idea though - but would rather be able to disable at the PIX, if possible.  And it's not looking like it's possible...

Thanks,
M. LaMartina
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17948365
Guess what, if you configure it the way I have mentioned above, they'll have to give the domain login credentials even for getting connected to the network!

Now assume that somebody has stolen the laptop; if he tries to connect, he will have to log in with the user's credentials, which I would assume is safer. There are 2 authentications there:

1. First being group (which they will get through) but still connection won't be UP!
2. Second, domain authentication, which will not be easy either since the Cisco VPN client won't store your password; you'll have to enter it every time.

Cheers,
Rajesh
0
 

Author Comment

by:mlamartina
ID: 17948400
Hmmmm...  Sounds like a viable solution after all.  I'll give it a shot.  Thanks for the help and I'll let you know how it turns out.  It could be a day or two for me to get out from some of my other projects, but I'll keep you informed.

Thanks again,
ML
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17948447
I'm not saying that what you're asking for is not possible, but then the usual cribbing will come (since they'll have to remember 2 passwords: one for VPN and one for domain).

vpngroup myVpnGroup address-pool vpnpool
vpngroup myVpnGroup dns-server 10.131.31.11
vpngroup myVpnGroup wins-server 10.131.31.11
vpngroup myVpnGroup default-domain example.com
vpngroup myVpnGroup split-tunnel 90
vpngroup myVpnGroup idle-time 1800
vpngroup myVpnGroup max-time 86400
vpngroup myVpnGroup password ********


Something like the above is possible but not advisable in any situation.

Try out and let me know.

Cheers,
Rajesh

0
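Putting the accepted approach together in PIX 6.x syntax, as an added example that is not from the thread or from Cisco's linked document: one shared vpngroup for the whole team, with each person answering the xauth prompt against a RADIUS server (IAS). The server address 10.131.31.11 is reused from the vpngroup lines above; the pool, ACL number, map names, shared secret and group PSK are assumed placeholders.

```cisco
! Added example, not from the thread. Placeholders: SHARED-SECRET-PLACEHOLDER,
! GROUP-PSK-PLACEHOLDER, pool 192.168.100.0/24, inside net 10.131.31.0/24.

! RADIUS server group pointing at the IAS box behind the inside interface
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.131.31.11 SHARED-SECRET-PLACEHOLDER timeout 10

! Addresses handed to remote clients
ip local pool vpnpool 192.168.100.1-192.168.100.50

! Traffic kept inside the tunnel (ACL 90 is the split-tunnel list the group references)
access-list 90 permit ip 10.131.31.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list 90

! Phase 1: the pre-shared key is only the group secret; it identifies no individual
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! Phase 2 transform set and a dynamic map for road-warrior clients
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set strong
crypto map outside_map 10 ipsec-isakmp dynamic dynmap
! Per-user (xauth) login is checked against the RADIUS group defined above
crypto map outside_map client authentication RADIUS
crypto map outside_map client configuration address initiate
crypto map outside_map client configuration address respond
crypto map outside_map interface outside
sysopt connection permit-ipsec

! The single group every sales laptop is configured with
vpngroup myVpnGroup address-pool vpnpool
vpngroup myVpnGroup dns-server 10.131.31.11
vpngroup myVpnGroup wins-server 10.131.31.11
vpngroup myVpnGroup default-domain example.com
vpngroup myVpnGroup split-tunnel 90
vpngroup myVpnGroup idle-time 1800
vpngroup myVpnGroup password GROUP-PSK-PLACEHOLDER
```

With this layout a stolen laptop carries only the group PSK, and revoking one person means disabling that account in Active Directory; nothing on the PIX or on the other laptops changes.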
 

Author Comment

by:mlamartina
ID: 18055701
Well, we're still not sure how we're going to tackle this situation, but since you helped me Rajesh and your solution does indeed work, the points are yours.  Thank you for the help.  -Mike
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 18058505
No probs.

Cheers,
Rajesh
0
