FunkyBrown
 asked on

Xauth Authentication

I currently have an easy-vpn setup which is supposed to be set up with Xauth authentication. I can authenticate through a telnet or console session, however I would really like for there to be an Xauth popup on a Windows machine before logon to initialize the VPN. Is this possible? I can't seem to find any sort of documentation about the topic on the web. If anyone can help me with this it would be greatly appreciated.
Routers, VPN, Networking, Network Security, Hardware Firewalls


8/22/2022 - Mon
Steve

Installing the Cisco VPN client will give you the authorisation you require on Windows, and create the tunnel etc. at the same time. Is that what you mean?

http://www.cisco.com/en/US/products/sw/secursw/ps2308/

http://tools.cisco.com/support/downloads/pub/Redirect.x?mdfid=270636499

FunkyBrown

ASKER
Nope that is not what I mean. The tunnel is already created on the router. Thanks.
FunkyBrown

ASKER
Basically I have the http-intercept configured for the ezvpn setup. However, my Vista machine does not get the pop-up asking about the VPN when browsing the net. How can I trigger the browser window to come up?
Jody Lemoine

It definitely sounds like you're missing the Xauth portion of the VPN configuration.  Before we look into it further, I'll need to know what kind of device is controlling the VPN.  Are we talking about a router, a firewall or a VPN concentrator?
FunkyBrown

ASKER
The device that is controlling the remote VPN is an 800 series router. Its exact model is an 881w.

crypto ipsec client ezvpn Name
 connect auto
 ctcp
 group remote1 key sbc29access-
 mode client
 peer sbc01.sk.bluecross.ca
 virtual-interface 1
 xauth userid mode http-intercept

bmigette

Hi, if I understood, you want your users to be prompted to establish the Easy VPN tunnel before they log into their computer? If so, it won't work with http-intercept, as this feature acts like auth proxy, which means once the user browses the internet, he will be redirected to a form to parse his credentials.
If you want your Easy VPN tunnel established automatically, you may use xauth userid mode local, and allow the save password feature on the server side, so that your router will be able to bring the tunnel up regardless of whether inside clients are using it or not.
If you want to authenticate users through the tunnel, you can add an auth proxy on the router (client or server).
BTW, I don't think connect auto is working with http-intercept, as the router will try to establish the tunnel, but it won't respond to Xauth as it's not obvious there's a user browsing the web at the same time.

Maybe you can take a look here:
http://www.cisco.com/en/US/docs/ios/12_3t/secur/command/reference/sec_t1gt.html#wp1185582
FunkyBrown

ASKER
Hi bmigette,

I have been trying to get the VPN to act like an auth proxy like you stated but it has not worked thus far. I was going to try to get an Internet Explorer window before logon which will browse to a site to prompt for the VPN credentials. Is this possible? Any reason why it may not want to redirect me to that form? Thank you for your time.
bmigette

Hi, I guess that without some Windows hacks you won't be able to run Internet Explorer before logging into the computer. You may establish the VPN on demand while users are logged in. If you have a controller which needs the VPN tunnel for the computer logon, then I suggest you use an ACL allowing only AD, and have an authentication proxy over the VPN which would dynamically modify the ACL once users are logged in and open their web browser.
FunkyBrown

ASKER
Yea I am definitely starting to lean towards the router automatically connecting. The only issue I have with that is if it gets stolen, they have immediate access to our network. I guess if it's a theft the ISP that hands the router an IP address would be more than willing to turn over the location of that person to the authorities. Any other security risks for that?
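
An added example, not part of the thread or of Cisco's documentation: a small Python check over an IOS configuration that flags the trade-off discussed above, Xauth modes that need a person to respond versus credentials stored on the router. The sample stanza uses placeholder peer and key values; the finding codes, and treating a missing `xauth userid mode` line as interactive, are assumptions of this example.

```python
import re

# Constructed sample: the thread's EzVPN stanza with placeholder peer and key.
SAMPLE = """\
crypto ipsec client ezvpn Name
 connect auto
 ctcp
 group remote1 key EXAMPLE-GROUP-KEY
 mode client
 peer vpn.example.net
 virtual-interface 1
 xauth userid mode http-intercept
"""

# Hypothetical finding codes used only by this example.
MESSAGES = {
    "XAUTH_NEEDS_USER": "connect auto is set, but Xauth waits for a person to respond",
    "STORED_XAUTH_CREDS": "Xauth credentials saved on the router; a stolen unit can connect unattended",
    "GROUP_KEY_IN_CONFIG": "group key is part of the config; treat saved copies as secrets",
}

def parse_ezvpn(config):
    """Map each 'crypto ipsec client ezvpn <name>' stanza to its sub-commands."""
    profiles, current = {}, None
    for line in config.splitlines():
        head = re.match(r"crypto ipsec client ezvpn (\S+)\s*$", line)
        if head:
            current = profiles.setdefault(head.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(" ".join(line.split()))
        else:
            current = None  # any other top-level line ends the stanza
    return profiles

def audit(config):
    """Return sorted (profile, code) pairs for the trade-offs raised in the thread."""
    findings = []
    for name, cmds in parse_ezvpn(config).items():
        # Assumption: with no 'xauth userid mode' line, the prompt is interactive.
        mode = next((c.split()[-1] for c in cmds if c.startswith("xauth userid mode ")), "interactive")
        if "connect auto" in cmds and mode != "local":
            findings.append((name, "XAUTH_NEEDS_USER"))
        if mode == "local" and any(re.match(r"username \S+ password ", c) for c in cmds):
            findings.append((name, "STORED_XAUTH_CREDS"))
        if any(re.match(r"group \S+ key \S", c) for c in cmds):
            findings.append((name, "GROUP_KEY_IN_CONFIG"))
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(f"{p}: {MESSAGES[c]}" for p, c in audit(SAMPLE)))
```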
ASKER CERTIFIED SOLUTION
bmigette

THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
FunkyBrown

ASKER
Thank you for all your time in solving this problem. Have a great day.