Is AAA mandatory for remote access VPN client

bapatsubodh
Level 1

Is it possible to configure the remote access VPN client version 4.6.*** for Windows without having any AAA server available on the inside network? In this case, how can authentication be done?

4 Replies

aacole
Level 5

Yes, this is possible, but not advisable. As the group settings are pre-configured and VPN clients are normally roaming users, the theft or loss of a laptop could compromise network security.

When the Client connects the configured group name and pre-shared key (Client password) need to match those configured on the server.

Optionally then a second authentication prompt is offered where the user enters a username and password matching one configured in a local database.

The actual method would depend on the VPN server. If it's a router or VPN concentrator, then you can use a local database for the second authentication step, although this can be turned off if the additional security is not required.

If it's a PIX (6.x), no local database is provided; you either do without or use an external server. PIX version 7 does have a local database, but I've not used that version myself yet.

What VPN device do you intend to use?

Actually, the PIX with 6.3 has the ability to use LOCAL database configuration for VPN users.

Best Regards

Robert Maras

Thanks.

If PIX 6.3 has the ability to use the local database to authenticate users coming over a VPN connection from the outside world, can I use it like an AAA server with no considerable CPU overhead?

Is any configuration example available on the Cisco website where this command is used for remote VPN client user authorisation?

PIX only offers local authentication, and the load on the CPU is not that much.

e.g.

access-list 101 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 120 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list 101
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp identity address
isakmp nat-traversal 20
crypto ipsec transform-set vpnset esp-3des esp-md5-hmac
ip local pool ippool 10.1.1.11-10.1.1.21
vpngroup vpnclient address-pool ippool
vpngroup vpnclient idle-time 1800
vpngroup vpnclient dns-server 139.130.4.4
vpngroup vpnclient password cisco456
vpngroup vpnclient split-tunnel 120
crypto dynamic-map dynmap 10 set transform-set vpnset
crypto map remote_vpn 20 ipsec-isakmp dynamic dynmap
username cisco password cisco123
aaa-server LOCAL protocol local
crypto map remote_vpn client authentication LOCAL
crypto map remote_vpn client configuration address initiate
crypto map remote_vpn client configuration address respond

With the sample above, the command "crypto map remote_vpn client authentication LOCAL" enables the local authentication, whereas the command "username cisco password cisco123" is used to create the local database.
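As an added example (not from the thread or from Cisco), the script below audits a PIX 6.x configuration text for the relationship the replies describe: a dynamic crypto map that carries no "client authentication" line relies on the vpngroup pre-shared key alone (the laptop-loss risk aacole raises), while one that names an aaa-server tag must have that tag defined and, for protocol local, at least one username entry. The sample configuration is constructed from the snippet above; the function name and finding strings are this example's own.

```python
import re

# Constructed sample, reduced from the PIX 6.3 snippet posted in the thread.
SAMPLE_CONFIG = """\
vpngroup vpnclient address-pool ippool
vpngroup vpnclient password cisco456
crypto dynamic-map dynmap 10 set transform-set vpnset
crypto map remote_vpn 20 ipsec-isakmp dynamic dynmap
username cisco password cisco123
aaa-server LOCAL protocol local
crypto map remote_vpn client authentication LOCAL
crypto map remote_vpn client configuration address respond
"""


def audit_xauth(config_text):
    """Return {crypto_map_name: finding} for every crypto map bound to a dynamic map."""
    aaa_servers = {}   # aaa-server tag -> protocol (e.g. LOCAL -> local)
    usernames = set()  # entries in the PIX local user database
    dynamic_maps = set()
    client_auth = {}   # crypto map -> aaa-server tag used for Xauth
    for line in config_text.splitlines():
        line = line.strip()
        if m := re.match(r"aaa-server (\S+) protocol (\S+)", line):
            aaa_servers[m.group(1)] = m.group(2)
        elif m := re.match(r"username (\S+) password", line):
            usernames.add(m.group(1))
        elif m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp dynamic", line):
            dynamic_maps.add(m.group(1))
        elif m := re.match(r"crypto map (\S+) client authentication (\S+)", line):
            client_auth[m.group(1)] = m.group(2)

    findings = {}
    for cmap in sorted(dynamic_maps):
        if cmap not in client_auth:
            # Only the shared vpngroup password gates access: anyone holding
            # a lost or stolen laptop's client profile can connect.
            findings[cmap] = "NO-XAUTH: only the vpngroup pre-shared key protects access"
            continue
        tag = client_auth[cmap]
        proto = aaa_servers.get(tag)
        if proto is None:
            findings[cmap] = f"BROKEN: aaa-server {tag} is not defined"
        elif proto == "local" and not usernames:
            findings[cmap] = "BROKEN: LOCAL auth selected but no username entries exist"
        else:
            findings[cmap] = f"OK: xauth via {tag} ({proto}), {len(usernames)} local user(s)"
    return findings


if __name__ == "__main__":
    for name, finding in audit_xauth(SAMPLE_CONFIG).items():
        print(f"{name}: {finding}")
```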