topic Re: Disable pre shared key attribute for Remote Access w/ ASA in Network Security

Disable pre shared key attribute for Remote Access w/ ASA

mark.white — Fri, 21 Feb 2020 09:49:02 GMT

We just started configuring ASAs for VPN access after years of using the PIX. One of the biggest changes that I have noticed for the Remote Client Access is the use of a pre-shared key. Is there a way to disable the pre-shared-key attribute under the tunnel-group <groupname> ipsec-attributes and just require clients to authenticate with the username/password combination like in the 6.3(5) code? If so, how? Any advice would be truly helpful.

Thax in advance!

Re: Disable pre shared key attribute for Remote Access w/ ASA

srue — Sun, 02 Dec 2007 14:26:56 GMT

that pre-shared key is just the group password.

are you wanting to not use group names/passwords?

or are you *just* wanting to use group names/passwords?

to disable xauth:

tunnel-group grp_name ipsec-attributes

pre-shared-key *

isakmp ikev1-user-authentication none

Re: Disable pre shared key attribute for Remote Access w/ ASA

mark.white — Mon, 03 Dec 2007 07:02:25 GMT

What I want to do is not use the group names password. I just want to be able to have clients use their username and a password that is unique to each username (so, no pre-shared key at all).

For example here is a config from the 6.3(5) code:

crypto ipsec transform-set strongset esp-aes esp-sha-hmac

crypto dynamic-map stuff 10 set transform-set strongset

crypto map mymap 10 ipsec-isakmp dynamic stuff

isakmp identity address

isakmp nat-traversal

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption aes

isakmp policy 10 hash sha

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

isakmp log 300

vpngroup username address-pool ippool

vpngroup username idle-time 1800

vpngroup username split-tunnel 103

vpngroup username password blah

crypto map mymap interface outside

isakmp enable outside

wr me

No pre-shared key was needed. How do I migrate this code over to the ASA?

Thax!

Re: Disable pre shared key attribute for Remote Access w/ ASA

srue — Tue, 04 Dec 2007 01:26:57 GMT

The preshared key was the password defined here:

vpngroup username password blah

that served the same purpose as the tunnel-group preshared key. They are functionally equivalent.

in 7.x and later, the tunnel-group name takes the place of the vpngroup name , and the preshared key attribute takes the place of the vpngroup password..