12-22-2012 06:28 PM - edited 02-21-2020 06:34 PM
We currently have a client that uses the IPSec VPN Client to remote in to their PIX 501. When they connect, it secures communication and immediately connects/minimizes and the tunnel-group name/password is sufficient so no prompt for a username/password from a local/radius database.
When setting this up on a newly purchased ASA, a username/password is prompted every time they try to connect. Is there a way to eliminate this feature or a command in the tunnel-group or group policy so that a username/password is not required after the connection profile establishes the VPN? It is ASA 8.4.
Thank you
12-22-2012 11:50 PM
Hi,
You can easily change the "store password setting" by editing Group Policy > Advanced > IPsec Client in ASDM.
More information below:
Configuring Advanced IPsec Client Parameters
Fields
The Add or Edit Group Policy > Advanced > IPsec Client dialog box lets you specify tunneling protocols, filters, connection settings, and servers for the group policy being added or modified.
• Re-Authentication on IKE Re-key—Enables or disables reauthentication when IKE re-key occurs, unless the Inherit check box is selected. The user has 30 seconds to enter credentials, and up to three attempts before the SA expires at approximately two minutes and the tunnel terminates.
• Enable extended reauth-on-rekey to allow entry of authentication credentials until SA expiry—Allow users the time to reenter authentication credentials until the maximum lifetime of the configured SA.
• IP Compression—Enables or disables IP Compression, unless the Inherit check box is selected.
• Perfect Forward Secrecy—Enables or disables perfect forward secrecy (PFS), unless the Inherit check box is selected. PFS ensures that the key for a given IPsec SA was not derived from any other secret (like some other keys). In other words, if someone were to break a key, PFS ensures that the attacker would not be able to derive any other key. If PFS were not enabled, someone could hypothetically break the IKE SA secret key, copy all the IPsec protected data, and then use knowledge of the IKE SA secret to compromise the IPsec SAs set up by this IKE SA. With PFS, breaking IKE would not give an attacker immediate access to IPsec. The attacker would have to break each IPsec SA individually.
• Store Password on Client System—Enables or disables storing the password on the client system.
Caution Storing the password on a client system can constitute a potential security risk.
Please mark answered for helpful posts
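For anyone who prefers the CLI to ASDM, the following is an added example (not the poster's configuration and not taken from the ASDM help quoted above) showing the ASA 8.4 group-policy and tunnel-group commands that correspond to the dialog-box fields listed in that post. VPN_GP and REMOTE_USERS are placeholder names, and the pre-shared key is a placeholder; the command names themselves are the standard ASA ones.

```cisco
! Added example, not the poster's config. Placeholders: VPN_GP (group policy),
! REMOTE_USERS (tunnel group / connection profile name the client uses).
group-policy VPN_GP internal
group-policy VPN_GP attributes
 ! "Store Password on Client System": lets the IPsec VPN Client cache the
 ! XAUTH password so the user is not prompted on every connection. The
 ! password then sits on the workstation, so whoever has the workstation
 ! has the VPN; this is the risk the Caution in the ASDM help refers to.
 password-storage enable
 ! "Re-Authentication on IKE Re-key": leave disabled, otherwise the
 ! username/password prompt comes back at every rekey.
 re-xauth disable
 ! "Perfect Forward Secrecy": each IPsec SA gets its own DH exchange.
 pfs enable
 ! "IP Compression"
 ip-comp disable
!
tunnel-group REMOTE_USERS type remote-access
tunnel-group REMOTE_USERS general-attributes
 default-group-policy VPN_GP
 ! XAUTH still runs against LOCAL (or a RADIUS server group); the stored
 ! password only saves the typing, it does not remove the credential check.
 authentication-server-group LOCAL
tunnel-group REMOTE_USERS ipsec-attributes
 ! Group password the client was already using on the PIX.
 ikev1 pre-shared-key <group-password-placeholder>
```

After applying it, `show running-config group-policy VPN_GP` should list `password-storage enable`; the VPN Client will then offer to save the user password on its next successful login. Note that the client saves the credential on the PC, so the group policy setting is only half of it: a client whose profile has password saving turned off will still prompt.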
12-24-2012 03:34 AM
You should also consider a second option that is more secure than allowing the local storage of the password: use certificates to authenticate the client. You will have more work to set that up, but it will be more secure if done correctly.
Sent from Cisco Technical Support iPad App
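As an added example for the certificate option suggested in the reply above (this is not the replier's configuration), here is the ASA 8.4 skeleton that replaces the group password and XAUTH prompt with certificate authentication. It assumes a trustpoint CA_TP that has already been enrolled with the CA issuing the client certificates, a group policy VPN_GP, and client certificates whose OU field is set to the tunnel-group name REMOTE_USERS (the ASA's default way of picking the tunnel group from a certificate); all three names are placeholders.

```cisco
! Added example, not the replier's config. Assumes trustpoint CA_TP is already
! enrolled and client certificates carry OU=REMOTE_USERS.
crypto ikev1 enable outside
crypto ikev1 policy 10
 ! RSA signatures instead of a pre-shared group password.
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
tunnel-group REMOTE_USERS type remote-access
tunnel-group REMOTE_USERS general-attributes
 default-group-policy VPN_GP
tunnel-group REMOTE_USERS ipsec-attributes
 ! The ASA presents its certificate from this trustpoint and validates the
 ! client certificate against the same CA.
 ikev1 trust-point CA_TP
 ! "none" skips XAUTH entirely, so there is no username/password prompt and
 ! nothing to store on the client. Use "hybrid" if you want certificate plus
 ! password (two factors) rather than certificate alone.
 isakmp ikev1-user-authentication none
```

With this in place the credential is the private key on the client, so protecting that key (non-exportable, or on a smart card) and having a revocation path on the CA matter more than the group policy settings do. Before cutting the PIX users over, check `show crypto ca certificates` confirms the CA and identity certificates on CA_TP are valid and not expired.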