Re: X-Auth on Per-Group Basis in PIX

mnlatif · ‎06-05-2003

Hi,

Is it possible disable X-Auth for a particular Group, when it has been enabled globaly using the command "crypto map vpnmap client authentication internal-radius" for all Other groups ?

I need to have an IOS Router connected to the PIX using EzVPN Client, however with X-Auth enabled (which is enabled to take care of other groups with Software VPN Clients), the user will have to enter the username\password at the Router Console, which is not desired.

Regards \\ Naman

sghosh · ‎06-05-2003

Hi Naman,

Let me see we can answer you second issue, that will take care of the first one.

You can create separate method for the console port so that you are not asked for the username/password in it, it will ask you only the vty /telnet password .

aaa authen login conmethod line

line con 0

login authentication conmethod

password

Thanks

Sujit

mhoda · ‎06-05-2003

Hi,

You need to configure exception for this. Here is the link that will help in configurin g this.

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a00800eb72d.html#29251

Thanks,

Mynul

mnlatif · ‎06-06-2003

Hi Mynul,

Well. This applies to the Site-Site VPN, which we have already configured this way. My question was for VPN Groups.

E.g. Lets say there are two VPN Groups with "Clients" and "EzVPN", X-Auth is enabled globally.

Now PC Clients using (Cisco VPN Software) connect to Group "Clients" and are propmpted for their Username\Password, which is fine.

However the Cisco IOS Routers connects to Group EzVPN, and has to go through X-Auth, which means that at the Cisco Router Console "a User" will have to type "crypto ipsec client ezvpn xauth" and then Enter Username\Passwd. This is What i Want to Avoid ?

If i can make an exception that though X-Auth is enabled globaly but Shouldn't be required for "EzVPN" group, Is it possible ?

Regards \\ Naman