https://community.cisco.com/t5/network-access-control/pix-vpn-authentication/m-p/135303#M3286 <HTML><HEAD></HEAD><BODY><P>Introduced in 6.3, you would do:</P><P><B></B></P><P>crypto map <MAPNAME> client authentication LOCAL</MAPNAME></P><P>username <NAME> password <PASSWORD></PASSWORD></NAME></P><P></P><P>You can have as many username/password entries as you like.</P><P></P></BODY></HTML> Fri, 12 Sep 2003 05:04:21 GMT gfullage 2003-09-12T05:04:21Z https://community.cisco.com/t5/network-access-control/pix-vpn-authentication/m-p/135300#M3271 <P>Can someone tell me all the options for authenticating VPN users on the PIX (515e v6.31)? I dont see any way to do local user authentication based on the VPN client.</P><P></P><P>I know of the following options:</P><P>AAA using Tacacs</P><P>AAA using Radius</P><P>VPN Group with local password</P><P></P><P>Thanks,</P><P>Greg</P><P></P> Fri, 21 Feb 2020 18:08:20 GMT https://community.cisco.com/t5/network-access-control/pix-vpn-authentication/m-p/135300#M3271 gparrish 2020-02-21T18:08:20Z https://community.cisco.com/t5/network-access-control/pix-vpn-authentication/m-p/135301#M3278 <HTML><HEAD></HEAD><BODY><P>What do you mean by "local user authentication based on the vpn client"? If you mean each user has a unique username and password, that was introduced in pix os 6.2 (maybe 6.3).</P></BODY></HTML> Fri, 12 Sep 2003 00:50:53 GMT https://community.cisco.com/t5/network-access-control/pix-vpn-authentication/m-p/135301#M3278 mostiguy 2003-09-12T00:50:53Z https://community.cisco.com/t5/network-access-control/pix-vpn-authentication/m-p/135302#M3283 <HTML><HEAD></HEAD><BODY><P>Yes I mean that. In the normal Cisco IOS context you normally have like tacacs and local authentication choices so thanks for that bit of information! I will look into how to configure that. Just trying to figure out all the options so we can select one to use.</P><P></P><P>Thanks,</P><P>Greg</P><P></P></BODY></HTML> Fri, 12 Sep 2003 01:06:08 GMT https://community.cisco.com/t5/network-access-control/pix-vpn-authentication/m-p/135302#M3283 gparrish 2003-09-12T01:06:08Z https://community.cisco.com/t5/network-access-control/pix-vpn-authentication/m-p/135303#M3286 <HTML><HEAD></HEAD><BODY><P>Introduced in 6.3, you would do:</P><P><B></B></P><P>crypto map <MAPNAME> client authentication LOCAL</MAPNAME></P><P>username <NAME> password <PASSWORD></PASSWORD></NAME></P><P></P><P>You can have as many username/password entries as you like.</P><P></P></BODY></HTML> Fri, 12 Sep 2003 05:04:21 GMT https://community.cisco.com/t5/network-access-control/pix-vpn-authentication/m-p/135303#M3286 gfullage 2003-09-12T05:04:21Z https://community.cisco.com/t5/network-access-control/pix-vpn-authentication/m-p/135304#M3295 <HTML><HEAD></HEAD><BODY><P>Any idea how to configure the VPN Client with the username and password for authentication since it only accepts the Group and CA Certificate options?</P><P></P><P>Thanks,</P><P>Greg</P><P></P></BODY></HTML> Fri, 12 Sep 2003 12:34:54 GMT https://community.cisco.com/t5/network-access-control/pix-vpn-authentication/m-p/135304#M3295 gparrish 2003-09-12T12:34:54Z https://community.cisco.com/t5/network-access-control/pix-vpn-authentication/m-p/135305#M3296 <HTML><HEAD></HEAD><BODY><P>Hi Greg,</P><P>You do not need to configure username and password within the client. Once the client tries to connect the user will be prompted to enter username and password. Only put in groupname and grouppassword and you'll be fine.</P><P></P><P>Kind regards,</P><P>Leo</P></BODY></HTML> Fri, 12 Sep 2003 13:22:41 GMT https://community.cisco.com/t5/network-access-control/pix-vpn-authentication/m-p/135305#M3296 l.mourits 2003-09-12T13:22:41Z https://community.cisco.com/t5/network-access-control/pix-vpn-authentication/m-p/135306#M3297 <HTML><HEAD></HEAD><BODY><P>Okay so this provides even more authentication? You have to use the VPN Group and then you could also authenticate each user in addition to that?</P><P></P><P>Sounds like you have to use the VPN Group or a certificate at all times?</P><P></P><P>Thanks,</P><P>Greg</P><P></P></BODY></HTML> Fri, 12 Sep 2003 21:34:08 GMT https://community.cisco.com/t5/network-access-control/pix-vpn-authentication/m-p/135306#M3297 gparrish 2003-09-12T21:34:08Z https://community.cisco.com/t5/network-access-control/pix-vpn-authentication/m-p/135307#M3298 <HTML><HEAD></HEAD><BODY><P>Correct, user authentication is a 2nd level of authentication. You don't actually have to do it (just don't add in the two commands I mentioned previously), and then the client will get in simply with having the correct group name/password or certificate.</P><P></P><P>I would always use user authentication though, considering the group name/password or cert is stored on the PC all the time. If that PC gets stolen and you have no user authentication set up, the thief has open access into your network. The group name/password or cert authenticate the PC that is connecting, whereas the extra user authentication authenticates the person sitting at that PC.</P></BODY></HTML> Sat, 13 Sep 2003 00:07:37 GMT https://community.cisco.com/t5/network-access-control/pix-vpn-authentication/m-p/135307#M3298 gfullage 2003-09-13T00:07:37Z