09-23-2004 04:36 AM - edited 02-21-2020 10:11 AM
I'm running 6.3(3) on PIX520; I need to locally (not TACACS+ or RADIUS) authenticate software VPN clients (4.0.3F) inbound through the PIX. Is this possible?
09-23-2004 04:54 AM
Looks like 6.3(1) added the functionality for local authentication of VPN users.
Here's a blurb from the release notes:
"Local User Authentication Database for Network and VPN Access
This feature allows cut-through and VPN (using xauth) traffic to be authenticated using the PIX Firewall local username database (as an alternative to, or in addition to, the existing authentication via an external AAA server).
The server tag variable now accepts the value LOCAL to support cut-through proxy authentication using Local Database. For example:
aaa authentication include http inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 LOCAL
crypto map outside_map client authentication LOCAL
For more information on this feature, refer to "User Authentication Using the LOCAL Database" in the Cisco PIX Firewall and VPN Configuration Guide. For a complete description of the command syntax for this new command, refer to the Cisco PIX Firewall Command Reference."
Please let us know if you have tried this or if you have any other questions we can help you with.
thanks
peter
09-23-2004 11:21 AM
I've done this with 6.3(3) code without a problem. Just add the following commands to the basic VPN client configuration displayed on CCO:
aaa-server LOCAL protocol local
username (username) password (password)
crypto map (name) client authentication LOCAL
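The release-note snippet earlier in the thread and the three commands above show only the lines that switch xauth to the LOCAL database; the "basic VPN client configuration" they are meant to be added to is not reproduced on this page. The fragment below is an added example, not text from any of the posts or from Cisco's documentation, showing a complete PIX 6.3 remote-access (software VPN client, IKE pre-shared group key plus xauth) configuration with those three lines in place. The interface name outside, the inside network 10.1.1.0/24, the pool 192.168.200.1-50, the group name vpnclients, the map names and the usernames and passwords are all assumptions for illustration.

```cisco
! --- Phase 1 (ISAKMP) policy for the Cisco VPN Client (PIX 6.3 syntax) ---
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! --- Phase 2 transform set and a dynamic crypto map for roaming clients ---
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
! Hand out addresses from the pool when the client asks (mode-config)
crypto map outside_map client configuration address respond
! Per-user xauth credentials come from the PIX's own username database.
! This is the line from the release notes; it requires the aaa-server
! LOCAL definition below.
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
! Let decrypted client traffic bypass interface ACLs
sysopt connection permit-ipsec

! --- Address pool for clients and NAT exemption for the inside network ---
ip local pool vpnpool 192.168.200.1-192.168.200.50
access-list nonat permit ip 10.1.1.0 255.255.255.0 192.168.200.0 255.255.255.0
nat (inside) 0 access-list nonat

! --- Client group: the group password is the IKE pre-shared key shared by
! every client, not a per-user secret; xauth supplies the per-user factor ---
vpngroup vpnclients address-pool vpnpool
vpngroup vpnclients dns-server 10.1.1.10
vpngroup vpnclients default-domain example.com
vpngroup vpnclients idle-time 1800
vpngroup vpnclients password Gr0upK3y-change-me

! --- Local user database used by xauth (assumed users for illustration) ---
aaa-server LOCAL protocol local
username alice password Al1ce-xauth-pass
username bob password B0b-xauth-pass
```

Two points worth checking on a real box: the group password above is a shared key that every client installation carries, so the LOCAL usernames are the only per-user authentication, and each user's password should be individually strong and revoked by deleting the `username` entry when that person leaves; and because nothing else on the page adds `aaa authentication ... console LOCAL`, these accounts authenticate only the VPN xauth exchange, not administrative access to the PIX. After a client connects, `show isakmp sa` should list the peer and `show username` the configured accounts.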