Buy or Renew
Buy or Renew
NOTICE: The community will be in READ-ONLY Sept. 6 – 9 to add Umbrella release notes and announcements. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4345
Views
0
Helpful
2
Replies

IPSec Client VPN setup without the prompt for username/password.

Mike Bowers
Level 1
Level 1

‎12-22-2012 06:28 PM - edited ‎02-21-2020 06:34 PM

We currently have a client that uses the IPSec VPN Client to remote in to their PIX 501.  When they connect, it secures communication and immediately connects/minimizes and the tunnel-group name/password is sufficient so no prompt for a username/password from a local/radius database.

When setting this up on a newly purchased ASA, a username/password is prompted every time they try to connect. Is there a way to eliminate this feature or a command in the tunnel-group or group policy so that a username/password is not required after the connection profile establishes the VPN? It is ASA 8.4.

Thank you

Labels:
0 Helpful
2 Replies 2

Daniel Leonard
Level 1
Level 1

‎12-22-2012 11:50 PM

Hi,

You can easily change the "store password setting" by editing  Group Policy > Advanced > IPsec Client in ASDM.

More information below..

Configuring Advanced IPsec Client Parameters
Fields
The Add or Edit Group Policy > Advanced > IPsec Client dialog box lets you specify tunneling protocols, filters, connection settings, and servers for the group policy being added or modified.

• Re-Authentication on IKE Re-key—Enables or disables reauthentication when IKE re-key occurs, unless the Inherit check box is selected. The user has 30 seconds to enter credentials, and up to three attempts before the SA expires at approximately two minutes and the tunnel terminates.
• Enable extended reauth-on-rekey to allow entry of authentication credentials until SA expiry—Allow users the time to reenter authentication credentials until the maximum lifetime of the configured SA.
• IP Compression—Enables or disables IP Compression, unless the Inherit check box is selected.
• Perfect Forward Secrecy—Enables or disables perfect forward secrecy (PFS), unless the Inherit check box is selected. PFS ensures that the key for a given IPsec SA was not derived from any other secret (like some other keys). In other words, if someone were to break a key, PFS ensures that the attacker would not be able to derive any other key. If PFS were not enabled, someone could hypothetically break the IKE SA secret key, copy all the IPsec protected data, and then use knowledge of the IKE SA secret to compromise the IPsec SAs set up by this IKE SA. With PFS, breaking IKE would not give an attacker immediate access to IPsec. The attacker would have to break each IPsec SA individually.
• Store Password on Client System—Enables or disables storing the password on the client system.


Caution Storing the password on a client system can constitute a potential security risk.

Please mark answered for helpful posts

Please rate or mark answered for helpful posts.
0 Helpful

Karsten Iwen
VIP
VIP

‎12-24-2012 03:34 AM

You should also consider a second option that is more secure then to allow the local storage of the password: Use certificates to authenticate the client. You will have more work to set that up, but it will be more secure if done correctly.


Sent from Cisco Technical Support iPad App

0 Helpful
Customers Also Viewed These Support Documents