Change VPN Client Group Authentication Password

tsabsuavyaj
Level 1

I have an ASA device that is set up for remote VPN and uses a Radius server to authenticate VPN users' credentials. If I want to change the password on the VPN client under Group Authentication, where and how do I go about doing so? Also, do I need to change this password on the Radius server?

See screenshot attached.

1 Accepted Solution


Hello,

If you have only user authentication configured on Radius, then the password under the tunnel group is what you are looking for. The password which you are configuring under IPSec Client Group Authentication Server is the password which is configured under the tunnel group.

Please rate helpful posts

Best Regards,

Eugene


5 Replies

Randy Ray
Level 1

This password is used for "Group Authentication", this happens before the individual authentication. User Authentication happens on the radius server. So, unfortunately the "Group Authentication" password has to match on both sides. There are lots of ways of working around this. You could simply distribute a new .pcf file out to all your users with the new settings which would include the new "Group Authentication" password.

You are correct, this group authentication does happen before the user authentication. So if I want to change this group password, can I make this change on the ASA? Secondly, is this group password the same as the Pre-Shared Key for the group name policy, or is it something else?

tsabsuavyaj
Level 1

Eugene, you are correct. Also, here is what I found in a textbook that explains this in great detail and gives an example of the configuration.

Example:

Router (config)# tunnel-group ciscovpn ipsec-attributes

Router (config-ipsec)# pre-shared-key cisco123

In the above example, all Cisco VPN clients configured for the ciscovpn group must use cisco123 as the preshared key. If there is a mismatch on the key, the security appliance denies group authentication for the client.

Note. Preshared key is also known as group password in the Cisco remote-access VPN.

This clarified my confusion. Also, in my VPN environment where a Radius server is set up for user authentication, this also means I must change the Pre-Shared-Key on the Radius server.

Hope this helps those who are looking for the same answer.

Hi tsabsuavyaj,

Pre-shared-key or group password can only be used in VPN group authentication.

This is not the same as what you actually define on the radius server for ASA and Radius communication.

Router (config)# tunnel-group ciscovpn ipsec-attributes

Router (config-ipsec)# pre-shared-key cisco123

and

ciscoasa(config)# aaa-server RADIUS_SRV_GRP (inside) host x.x.x.x Radius123

The above 2 keys serve different purposes.

The Radius123 is a shared secret key that can only be used for ASA and Radius server communication and it should be the same.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin
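
The rotation discussed in this thread, as an added example that is not from any of the posters or from Cisco: the new key goes into the ASA tunnel group and into each client profile for that group, while the RADIUS shared secret on the `aaa-server` line is left alone. It assumes the Cisco VPN Client `.pcf` field names `GroupName`, `GroupPwd` and `enc_GroupPwd` (not shown in the thread); the sample profile, host name and key values are constructed placeholders.

```python
import configparser
import io

# Constructed sample profile; host, group name and stored value are placeholders.
SAMPLE_PCF = """[main]
Description=Remote access
Host=vpn.example.com
GroupName=ciscovpn
GroupPwd=
enc_GroupPwd=0123ABCD
Username=
"""


def asa_commands(group, new_psk):
    """ASA side: the two commands quoted in the thread, carrying the new key."""
    return [
        f"tunnel-group {group} ipsec-attributes",
        f" pre-shared-key {new_psk}",
    ]


def rotate_pcf(pcf_text, group, new_psk):
    """Return (changed, new_text); only profiles for `group` are rewritten."""
    cp = configparser.ConfigParser(interpolation=None)  # keys may contain '%'
    cp.optionxform = str  # keep the profile's key names as written
    cp.read_string(pcf_text)
    main = cp["main"]
    if main.get("GroupName") != group:
        return False, pcf_text  # profile belongs to a different tunnel group
    main["GroupPwd"] = new_psk
    # Drop the stored copy of the old group password so it is not reused.
    main["enc_GroupPwd"] = ""
    out = io.StringIO()
    cp.write(out, space_around_delimiters=False)
    return True, out.getvalue()


if __name__ == "__main__":
    new_key = "N3w-Example-Key"  # placeholder, generate a real one out of band
    print("\n".join(asa_commands("ciscovpn", new_key)))
    changed, text = rotate_pcf(SAMPLE_PCF, "ciscovpn", new_key)
    print(text if changed else "profile not for this group; left unchanged")
```

The regenerated profile carries the group key in clear text until the client first reads it, so it should be distributed over a channel you would trust with the key itself.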