Solved

Modify Pix VPN for windows domain authentication.

Posted on 2007-04-07
7
301 Views
Last Modified: 2010-04-09
I've got a number of people that VPN into our PIX firewall to get to our local network.  Below is a sample of my VPN setup.  Right now you can see that everyone connects to the VPN using the same username and password.  I need to change this config so that the users must have a valid username and password on our windows domain controller (10.50.100.200) in order to create the VPN tunnel.  Can you tell me how to modify my config?  Is it possible to use windows domain authentication before creating the tunnel?


sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup brasslanvpn address-pool vpnpool
vpngroup brasslanvpn dns-server 10.50.100.200
vpngroup brasslanvpn default-domain domain.com
vpngroup brasslanvpn split-tunnel allow-internet
vpngroup brasslanvpn idle-time 1800
vpngroup brasslanvpn password ******
0
Comment
Question by:brasslan
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
7 Comments
 
LVL 28

Accepted Solution

by:
batry_boy earned 400 total points
ID: 18870040
PIX 6.x code will not natively support NT domain authentication for your VPN users, but the new 7.x code will.  What version are you running on your PIX?

Version 6.x only supports TACACS+ and RADIUS for authentication protocols.  If you're running 6.x, then see the following example for setting up IAS to use as a RADIUS server which will give you what you're looking for:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800b6099.shtml
0
 
LVL 6

Author Comment

by:brasslan
ID: 18870242
Unfortunately it is the PIX 6.x code, and the budget wont allow for a pix upgrade, or a RADIUS server purchase.  

I think I can also setup a list of user names and passwords inside of the pix, can't I?  Then if I want to remove vpn access, I can remove their username from the config.  Probably not as nice as a Radius setup but still doable on my scale.  Right now we will only have 3 to 5 people with VPN access.

Do you know the code for that?
0
 
LVL 28

Expert Comment

by:batry_boy
ID: 18870721
Assuming you already have the crypto and isakmp stuff set up in the configuration, here are the commands for local VPN user authentication:

---------------
aaa-server LOCAL protocol local
ip local pool ippool 10.1.1.1-10.1.1.100
vpngroup vpnusers address-pool ippool
vpngroup vpnusers dns-server 192.168.1.200
vpngroup vpnusers wins-server 192.168.1.201
vpngroup vpnusers default-domain yourdomain.com
vpngroup vpnusers split-tunnel splitTunnelAcl
vpngroup vpnusers idle-time 86400
vpngroup vpnusers password <group_password>
username johndoe password <whatever> privilege 2
access-list splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 any
--------------

The two lines with the references to split tunneling are optional if you want your users to be cut off from the Internet when they are in a VPN session.  However, because the 6.x code doesn't support "hairpinning", you will need to implement split tunneling if you want your VPN users to get to the Internet while in a tunnel.  In the split tunnel ACL, you specify the network(s) behind as the source of the ACL when you want those networks to be encrypted and sent down the tunnel.  Always seemed backwards to me, but that's the way it is...

You can add as many usernames as you like (privilege level 2 is a default).  You can just put in:

username johndoe password mypassword

The VPN users will be assigned an IP address from "ippool" and be assigned the specified dns and wins server entries.
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 6

Author Comment

by:brasslan
ID: 18872528
You can see my crypto and ISAKMP setup in the original question.  The only thing that I didn't have that you mentioned was a username and password listed in the pix.  I added this and it still let me create the tunnel without knowing the username and password.  With further research on the net I found that I also needed to add this line.

crypto map mymap client authentication LOCAL

The only question that I have left is for lrmoore, I got an e-mail saying that you posted to this question about 45 min after batry_boy's last post, but I don't see anything here.  Did you post something?  Did it disappear?  
0
 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 100 total points
ID: 18872619
I posted the same link that batry_boy posted for an example to use Windows IAS. I didn't realize that he had already provided that link and I didn't want to confuse matters so I had my comment deleted.
If you follow the directions in the link it will be as good a solution as you can get and users can use their regular domain username/passwords and you don't have to maintain duplicate usernames on the pix itself
0
 
LVL 6

Author Comment

by:brasslan
ID: 19027321
I won't have time to set this up for a couple of weeks, but with the link that batry provided I shouldn't have a problem.

To tell you the truth, I didn't read that link until lrmoore posted and deleted and reposted his comment :-).  I didn't click the link because the RADIUS software that I've used in the past had to be purchased and the tech budget is too tight for more software.  But after lrmoore's posting the exact same link (almost) I figured it would be worth a read.  I'm glad I did, now I know that I don't have to purchase anything else.

100 pts for lrmoore for telling me that batry was right. (sorry batry) :-) hehe
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 19027974
You are too kind, sir, but have learned a valuable lesson - follow the links...you never know what's on the other side!

0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
Many of the companies I’ve worked with have embraced cloud solutions due to their desire to “get out of the datacenter business.” The ability to achieve better security and availability, and the speed with which they are able to deploy, is far grea…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

710 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question