05-12-2009 08:24 AM - edited 03-11-2019 08:31 AM
Hi All,
I'm in the middle of configuring a PIX 501 for VPN. I have a few site-to-site VPNs running and can terminate a client-to-site VPN with no issue. I am having problems getting the client-to-site VPN to initiate a user username and password challenge when VPNing in; I get a connection using the VPN credentials set in the Secure Client but no further user challenge.
Can someone advise on a suitable config to change this?
Thanks
Adrian
05-18-2009 05:23 AM
Use the crypto map client authentication command to tell the PIX Firewall to use the Xauth (RADIUS/TACACS+ user name and password) challenge during Phase 1 of Internet Key Exchange (IKE) in order to authenticate IKE. If the Xauth fails, the IKE security association is not established. Specify the same AAA server name within the crypto map client authentication command statement that is specified in the aaa-server command statement. The remote user must run Cisco VPN Client version 3.x or later.
Note: Cisco recommends you use Cisco VPN Client 3.5.x or later. VPN Client 1.1 does not work with this configuration. Cisco VPN Client 3.6 and later does not support the transform set of des/sha.
If you need to restore the configuration without Xauth, use the no crypto map client authentication command. The Xauth feature is not enabled by default.
Note: In PIX Firewall Version 5.3 and later, configurable RADIUS ports were introduced. Some RADIUS servers use RADIUS ports other than 1645/1646 (usually 1812/1813). In PIX 5.3 and later, the RADIUS authentication and accounting ports can be changed to ones other than the default 1645/1646 using these commands:
aaa-server radius-authport #
aaa-server radius-acctport #
05-18-2009 12:02 PM
Thanks. In testing just now I found that since I have LOCAL authentication for SSH and telnet access to the firewall, the following command was successful:
crypto map outside_map client authentication LOCAL
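An added example, not part of the thread or of Cisco's documentation: a small Python check that reads PIX configuration text and reports, for each crypto map applied to an interface, whether Xauth is enabled and whether the AAA server tag it names is defined by an aaa-server statement (or is LOCAL). The sample configuration and every name in it are constructed, and treating a map without a dynamic entry as site-to-site only is an assumption of this example.

```python
# Constructed sample PIX configuration (not from the thread). "partnerauth",
# "dmz_map", "lab_map" and the key are illustrative; "partnerauht" is a
# deliberate typo so the mismatch check has something to find.
SAMPLE_CONFIG = """\
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host 10.0.0.14 examplekey timeout 5
crypto map outside_map 20 ipsec-isakmp dynamic dynmap
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
crypto map dmz_map 10 ipsec-isakmp dynamic dynmap
crypto map dmz_map client authentication partnerauht
crypto map dmz_map interface dmz
crypto map lab_map 10 ipsec-isakmp dynamic dynmap
crypto map lab_map interface lab
"""

def audit_xauth(config):
    """Return {map_name: finding} for every crypto map applied to an interface."""
    aaa_tags = {"LOCAL"}  # the firewall's own user database needs no server entry
    xauth, applied, dynamic = {}, set(), set()
    for line in config.splitlines():
        tok = line.split()
        if tok[:1] == ["aaa-server"] and len(tok) >= 4 and tok[2] == "protocol":
            aaa_tags.add(tok[1])
        elif tok[:2] == ["crypto", "map"] and len(tok) >= 5:
            name, rest = tok[2], tok[3:]
            if rest[:2] == ["client", "authentication"] and len(rest) == 3:
                xauth[name] = rest[2]
            elif rest[0] == "interface":
                applied.add(name)
            elif "dynamic" in rest:
                dynamic.add(name)  # dynamic entry: remote clients terminate here
    findings = {}
    for name in sorted(applied):
        tag = xauth.get(name)
        if tag is None and name in dynamic:
            findings[name] = "no Xauth: clients get no username/password challenge"
        elif tag is None:
            findings[name] = "no Xauth (no dynamic entry, assumed site-to-site)"
        elif tag not in aaa_tags:
            findings[name] = f"Xauth tag '{tag}' matches no aaa-server statement"
        else:
            findings[name] = f"Xauth via {tag}"
    return findings

if __name__ == "__main__":
    for name, finding in audit_xauth(SAMPLE_CONFIG).items():
        print(f"{name}: {finding}")
```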