Re: PIX v6.3 Local Authentication for VPN Client 3.x

nohare · ‎07-22-2004

I have PIX 515 v6.3 configured to allow VPN Clients to connect using the Unified VPN Client 3.x

.

The VPN clients have been successfully establishing VPN Connection to the PIX for a while but beyond VPN Group Name and Password, the client isn't asked for any XAuth or additional username/password credentials.

.

According to the PIX Datasheet and various other forums, it suggests that that LOCAL User database can be used to authenticate VPN Clients. Under the "Advanced Options" within the "Cisco VPN Client Settings" window, I check the IUA checkbox, fill out the "User Timeout" and select "LOCAL" as the "Authentication Server Group". When I click "OK" to submit my changes, a box appears saying the following :

.

"The LOCAL group is not supported for remote user authenticationof an easy VPN Remote Client. Please select another Authentication Server Group"

.

Can anyone help me understand why this is? Also, other than using an external RADIUS/TACACS server, can I still achieve VPN Client authentication using the LOCAL database ?

Nathan

aacole · ‎07-22-2004

Nathan,

I looked at this recently, there is no support for Xauth using the local database on the PIX. You can do this with an IOS router though.

With PIX you need to use an external RADIUS server, I've used the IAS supplied with Win2K server for this its straight forward to set up. Its at this URL

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800b6099.shtml

Andy

jamesellis · ‎08-11-2004

EZVPN is geared more for hardware to hardware vpn from what i have read.

If I understand the problem correctly, you want remote users using cisco vpn client to login into a local database on the PIX.

Here is a link to the document I used for basic config:

http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2030/products_configuration_example09186a0080093f89.shtml

ignore the pptp and mppe items

add this line to the config:

crypto map (the crypto map name )client authentication LOCAL

make sure and create some users using the username command

in the pdm you can set this as follows:

config - vpn - ike - xauth/mode config

Interface = outside

modeconfig = initiate + respond

xauth server = LOCAL

server token = no

here is a quick example for command line config

one time config lines-------------------------

sysopt connection permit-ipsec

isakmp enable outside

general tunnel policies-------------------------------------------

crypto ipsec transform-set vpn-set esp-3des esp-md5-hmac

crypto dynamic-map dynmap 20 set transform-set vpn-set

crypto map vpn-map 20 ipsec-isakmp dynamic dynmap

crypto map vpn-map client configuration address initiate

crypto map vpn-map client configuration address respond

crypto map vpn-map interface outside

crypto map vpn-map client authentication LOCAL

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption 3des

isakmp policy 20 hash md5

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

Group Policies-----------------------------------

ip local pool vpnpool 10.1.1.1-10.1.1.10

vpngroup vpn address-pool vpnpool

vpngroup vpn dns-server 192.168.1.12 192.168.1.13

vpngroup vpn wins-server 192.168.1.3 192.168.1.4

vpngroup vpn default-domain yourdomain.com

vpngroup vpn idle-time 1800

vpngroup vpn password cisco123

The xauth and ezvpn confused me as well, but for client vpn and local db authentication, the big catch is setting the crypto map option.

crypto map vpn-map client authentication LOCAL