FunkyBrown


Xauth Authentication

I currently have an easy-vpn setup which is supposed to be set up with Xauth authentication. I can authenticate through a telnet or console session; however, I would really like for there to be an Xauth popup on a Windows machine before logon to initialize the VPN. Is this possible? I can't seem to find any sort of documentation about the topic on the web. If anyone can help me with this it would be greatly appreciated.
Steve

Installing the Cisco VPN client will give you the authorisation you require on Windows, and create the tunnel etc. at the same time. Is that what you mean?

http://www.cisco.com/en/US/products/sw/secursw/ps2308/

http://tools.cisco.com/support/downloads/pub/Redirect.x?mdfid=270636499

FunkyBrown

ASKER

Nope that is not what I mean. The tunnel is already created on the router. Thanks.
Basically I have the http-intercept configured for the ezvpn setup. However, my Vista machine does not get the pop-up asking about the VPN when browsing the net. How can I trigger the browser window to come up?
Jody Lemoine
It definitely sounds like you're missing the Xauth portion of the VPN configuration.  Before we look into it further, I'll need to know what kind of device is controlling the VPN.  Are we talking about a router, a firewall or a VPN concentrator?
The device that is controlling the remote VPN is an 800 series router. Its exact model is an 881w.

crypto ipsec client ezvpn Name
 connect auto
 ctcp
 group remote1 key sbc29access-
 mode client
 peer sbc01.sk.bluecross.ca
 virtual-interface 1
 xauth userid mode http-intercept

Hi, if I understood, you want your users to be prompted to establish the Easy VPN tunnel before they log into their computer? If so, it won't work with http-intercept, as this feature acts like auth proxy, which means that once the user browses the internet, he will be redirected to a form to parse his credentials.
If you want your Easy VPN tunnel established automatically, you may use xauth userid mode local, and allow the save password feature on the server side, so that your router will be able to bring the tunnel up regardless of whether inside clients are using it or not.
If you want to authenticate users through the tunnel, you can add an auth proxy on the router (client or server).
BTW, I don't think connect auto is working with http-intercept, as the router will try to establish the tunnel, but it won't respond to Xauth as it's not obvious there's a user browsing the web at the same time.

Maybe you can take a look here:
http://www.cisco.com/en/US/docs/ios/12_3t/secur/command/reference/sec_t1gt.html#wp1185582
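
The `xauth userid mode local` variant described in the reply above, as an added example that is not part of the original thread. The client-side names are reused from the configuration posted earlier; the server-side group block, the `vpnuser` account and the `<...>` values are placeholders.

```cisco
! Easy VPN Remote (the 881W): the router answers Xauth itself from stored credentials
crypto ipsec client ezvpn Name
 connect auto
 ctcp
 group remote1 key <group-key>
 mode client
 peer sbc01.sk.bluecross.ca
 virtual-interface 1
 ! placeholder account, kept in the router's own configuration
 username vpnuser password <xauth-password>
 xauth userid mode local
!
! Easy VPN Server: the group has to permit the remote to save its Xauth password
crypto isakmp client configuration group remote1
 key <group-key>
 save-password
```

In this mode the Xauth credentials live on the remote router and the tunnel comes up with no user present, so possession of the device is enough to bring the tunnel up.
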
Hi bmigette,

I have been trying to get the VPN to act like an auth proxy like you stated but it has not worked thus far. I was going to try to get an Internet Explorer window before logon which will browse to a site to prompt for the VPN credentials. Is this possible? Any reason why it may not want to redirect me to that form? Thank you for your time.
Hi, I guess that without some Windows hacks you won't be able to run Internet Explorer before logging into the computer. You may establish the VPN on demand while users are logged in. If you have a controller that needs the VPN tunnel for the computer logon, then I suggest you use an ACL allowing only AD, and have an authentication proxy over the VPN which would dynamically modify the ACL once users are logged in and open their web browser.
Yeah, I am definitely starting to lean towards the router automatically connecting. The only issue I have with that is if it gets stolen, they have immediate access to our network. I guess if it's a theft, the ISP that hands the router an IP address would be more than willing to turn over the location of that person to the authorities. Any other security risks for that?
ASKER CERTIFIED SOLUTION
bmigette

This solution is only available to members.
Thank you for all your time in solving this problem. Have a great day.