?
Solved

Need Login Prompt on a Cisco Pix after Group Authenication VPN Connection

Posted on 2007-07-24
2
Medium Priority
?
296 Views
Last Modified: 2010-04-17
I have a Cisco Pix that I am attempting to setup a VPN on.  

At this point I can get a client pc configured to connect to the pix using MYVPN as the group authenication name along with the password.   What I want is to make "fred" log in using his name and password.  ( I need several users to access the pix using thier own ID's )

What do I need to add to get the additonal authenication prompt before a client gains access to the network??

Below is my current config.   Thanks in advance for the help.

BB

************************************************************************

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxx encrypted
hostname pixfirewall
domain-name mydomain.local
clock timezone CST -6
clock summer-time CDT recurring
no fixup protocol dns
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.12.12 Server1
access-list inside_outbound_nat0_acl permit ip any 10.10.12.0 255.255.255.128
access-list outside_cryptomap_dyn_20 permit ip any 10.10.12.0 255.255.255.128
access-list outside_access_in permit tcp any interface outside eq smtp
access-list outside_access_in permit tcp any interface outside eq pop3
access-list outside_access_in permit tcp any interface outside eq www
access-list outside_access_in permit tcp any interface outside eq https
access-list outside_access_in permit tcp any interface outside eq 3389
access-list outside_access_in permit tcp any interface outside eq 225
access-list outside_access_in permit tcp any interface outside eq ftp
access-list outside_access_in permit tcp any interface outside eq ftp-data
pager lines 24
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.12.1 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnclient 10.10.12.1-10.10.12.100
pdm location 192.168.12.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface smtp Server1 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 Server1 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 192.168.12.50 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 225 Server1 225 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www Server1 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https Server1 https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp Server1 ftp netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication http console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.12.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup MYVPN address-pool vpnclient
vpngroup MYVPN dns-server Server1
vpngroup MYVPN wins-server Server1
vpngroup MYVPN idle-time 1800
vpngroup MYVPN password ********
telnet 192.168.12.0 255.255.255.0 inside
telnet timeout 50
ssh timeout 5
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname hello1@sbcglobal.net
vpdn group pppoe_group ppp authentication pap
vpdn username hello1@sbcglobal.net password ********* store-local
dhcpd address 192.168.12.200-192.168.12.229 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
username fred password xxxxxxxxxx encrypted privilege 2
terminal width 80
: end
0
Comment
Question by:Bob
2 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 2000 total points
ID: 19555008
crypto map outside_map client authentication LOCAL
username fred password fredspass
username joe password joespass
username barny password barnyspass

0
 

Author Comment

by:Bob
ID: 19555164
Thank ye kindly.   I tried to enter that last night for over an hour.  
(Must have gotten the syntax wrong.)

Bob
0

Featured Post

Visualize your virtual and backup environments

Create well-organized and polished visualizations of your virtual and backup environments when planning VMware vSphere, Microsoft Hyper-V or Veeam deployments. It helps you to gain better visibility and valuable business insights.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

For months I had no idea how to 'discover' the IP address of the other end of a link (without asking someone who knows), and it drove me batty. Think about it. You can't use Cisco Discovery Protocol (CDP) because it's not implemented on the ASAs.…
Many of the companies I’ve worked with have embraced cloud solutions due to their desire to “get out of the datacenter business.” The ability to achieve better security and availability, and the speed with which they are able to deploy, is far grea…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …

850 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question