How to authenticate VPN clients locally on PIX

Phil Williamson · ‎09-23-2004

I'm running 6.3(3) on PIX520; I need to locally (not TACACS+ or RADIUS) authencicate software VPN clients (4.0.3F) inbound thru PIX. Is this possible?

pcomeaux · ‎09-23-2004

Looks like 6.3(1) added the functionality for local authentication of VPN users.

Here's a blurb from the release notes:

"Local User Authentication Database for Network and VPN Access

This feature allows cut-through and VPN (using xauth) traffic to be authenticated using the PIX Firewall local username database (as an alternative in addition to the existing authenticating via an external AAA server).

The server tag variable now accepts the value LOCAL to support cut-through proxy authentication using Local Database. For example:

aaa authentication include http inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 LOCAL

crypto map outside_map client authentication LOCAL

For more information on this feature, refer to "User Authentication Using the LOCAL Database" in the Cisco PIX Firewall and VPN Configuration Guide.For a complete description of the command syntax for this new command, refer to the Cisco PIX Firewall Command Reference."

Please let us know if you have tried this or if you have any other questions we can help you with.

thanks

peter

scook · ‎09-23-2004

I've done this with 6.3(3) code without a problem. Just add the following commands to the basic VPN client configuration displayed on CCO:

aaa-server LOCAL protocol local

username (username) password (password)

crypto map (name) client authentication LOCAL