11-07-2005 10:01 AM
Is it possible to configure remote access VPN client version 4.6.*** for Windows without having any AAA server available on the inside network? In this case, how can authentication be done?
11-07-2005 11:22 AM
Yes, this is possible, but not advisable. As the group settings are pre-configured and VPN clients are normally roaming users, the theft or loss of a laptop could compromise network security.
When the Client connects the configured group name and pre-shared key (Client password) need to match those configured on the server.
Optionally then a second authentication prompt is offered where the user enters a username and password matching one configured in a local database.
The actual method would depend on the VPN server. If it's a router or VPN concentrator, then you can use a local database for the second authentication step, although this can be turned off if the additional security is not required.
If it's a PIX (6.x), no local database is provided; you either do without or use an external server. PIX version 7 does have a local database, but I've not used that version myself yet.
What VPN device do you intend to use?
11-08-2005 05:32 AM
Actually, the PIX with 6.3 has the ability to use a LOCAL database configuration for VPN users.
Best Regards
Robert Maras
11-08-2005 09:10 AM
Thanks.
If PIX 6.3 has the ability to use a local database to authenticate users coming over a VPN connection from the outside world, can I use it like an AAA server, with no considerable CPU overhead?
Is any configuration example available on the Cisco website where this command is used for remote VPN client user authorisation?
11-09-2005 05:17 PM
PIX only offers local authentication, and the load on the CPU is not that much.
For example:
: Traffic between the inside LAN and the client address pool, exempted from NAT
access-list 101 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
: Same networks, used as the split-tunnel list pushed to the client
access-list 120 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list 101
: Phase 1 (ISAKMP) policy: pre-shared key, 3DES/MD5, DH group 2
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp identity address
isakmp nat-traversal 20
: Not in the posted sample, but required: enable ISAKMP on the outside interface
isakmp enable outside
: Phase 2 (IPsec) transform set
crypto ipsec transform-set vpnset esp-3des esp-md5-hmac
: Addresses handed out to connecting clients
ip local pool ippool 10.1.1.11-10.1.1.21
: Group settings; "password" is the group pre-shared key the client is configured with
vpngroup vpnclient address-pool ippool
vpngroup vpnclient idle-time 1800
vpngroup vpnclient dns-server 139.130.4.4
vpngroup vpnclient password cisco456
vpngroup vpnclient split-tunnel 120
: Dynamic crypto map, since client source addresses are not known in advance
crypto dynamic-map dynmap 10 set transform-set vpnset
crypto map remote_vpn 20 ipsec-isakmp dynamic dynmap
: Local user database, and the XAUTH binding that makes the PIX prompt for it
username cisco password cisco123
aaa-server LOCAL protocol local
crypto map remote_vpn client authentication LOCAL
crypto map remote_vpn client configuration address initiate
crypto map remote_vpn client configuration address respond
: Not in the posted sample, but required: apply the map and let IPsec traffic bypass the interface ACL
crypto map remote_vpn interface outside
sysopt connection permit-ipsec
With the sample above, the command "crypto map remote_vpn client authentication LOCAL" enables the local authentication, whereas the command "username cisco password cisco123" is used to create the local database.
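As an added example that is not part of the thread or of any Cisco tooling: a small Python audit script that reads a PIX 6.x remote-access fragment like the one above and checks the points the thread turns on. It confirms that XAUTH is bound to the crypto map (without that line a connection needs only the group pre-shared key, which is the stolen-laptop problem raised earlier), that the named aaa-server exists and, when it is LOCAL, that at least one username is defined, and that the pool, split-tunnel ACL, dynamic map and transform set the config refers to are actually present. The embedded config is constructed to mirror the posted sample; the function names parse_pix_vpn and audit_remote_vpn are my own.

```python
"""Audit a PIX 6.x remote-access VPN config fragment for the points raised in the thread.
Added example; not Cisco code. Parsing is deliberately narrow: only the statements
that matter for client authentication and their cross-references are read."""

# Constructed sample mirroring the posted config (not taken from a live device).
GOOD_CONFIG = """\
: Saved
access-list 101 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 120 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list 101
isakmp policy 10 authentication pre-share
crypto ipsec transform-set vpnset esp-3des esp-md5-hmac
ip local pool ippool 10.1.1.11-10.1.1.21
vpngroup vpnclient address-pool ippool
vpngroup vpnclient idle-time 1800
vpngroup vpnclient password cisco456
vpngroup vpnclient split-tunnel 120
crypto dynamic-map dynmap 10 set transform-set vpnset
crypto map remote_vpn 20 ipsec-isakmp dynamic dynmap
username cisco password cisco123
aaa-server LOCAL protocol local
crypto map remote_vpn client authentication LOCAL
crypto map remote_vpn client configuration address respond
crypto map remote_vpn interface outside
"""


def parse_pix_vpn(text):
    """Collect the PIX statements relevant to remote-access VPN into one dict."""
    cfg = {"acls": set(), "pools": set(), "transforms": set(), "dynmaps": {},
           "maps": {}, "vpngroups": {}, "usernames": set(), "aaa_servers": {}}
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0].startswith(":"):      # ':' starts a comment line in PIX configs
            continue
        if t[0] == "access-list":
            cfg["acls"].add(t[1])
        elif t[:3] == ["ip", "local", "pool"]:
            cfg["pools"].add(t[3])
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["transforms"].add(t[3])
        elif t[:2] == ["crypto", "dynamic-map"] and "transform-set" in t:
            cfg["dynmaps"][t[2]] = t[t.index("transform-set") + 1]
        elif t[:2] == ["crypto", "map"]:
            entry = cfg["maps"].setdefault(t[2], {"dynamic": set(), "xauth": None})
            if "dynamic" in t:                                  # <map> <seq> ipsec-isakmp dynamic <dyn>
                entry["dynamic"].add(t[t.index("dynamic") + 1])
            elif t[3:5] == ["client", "authentication"]:        # the XAUTH binding
                entry["xauth"] = t[5]
        elif t[0] == "vpngroup":
            cfg["vpngroups"].setdefault(t[1], {})[t[2]] = t[3] if len(t) > 3 else ""
        elif t[0] == "username":
            cfg["usernames"].add(t[1])
        elif t[0] == "aaa-server" and "protocol" in t:
            cfg["aaa_servers"][t[1]] = t[t.index("protocol") + 1]
    return cfg


def audit_remote_vpn(text):
    """Return a list of findings; an empty list means every check passed."""
    cfg = parse_pix_vpn(text)
    findings = []
    for name, m in cfg["maps"].items():
        srv = m["xauth"]
        if srv is None:
            findings.append(f"crypto map {name}: no 'client authentication' line, so a "
                            "connection needs the group pre-shared key alone")
        elif srv not in cfg["aaa_servers"]:
            findings.append(f"crypto map {name}: server {srv} has no aaa-server definition")
        elif cfg["aaa_servers"][srv] == "local" and not cfg["usernames"]:
            findings.append(f"crypto map {name}: {srv} is the local database but "
                            "no username entries exist")
        for dyn in m["dynamic"]:
            if dyn not in cfg["dynmaps"]:
                findings.append(f"crypto map {name}: dynamic map {dyn} is not defined")
            elif cfg["dynmaps"][dyn] not in cfg["transforms"]:
                findings.append(f"dynamic map {dyn}: transform-set "
                                f"{cfg['dynmaps'][dyn]} is not defined")
    for name, g in cfg["vpngroups"].items():
        if not g.get("password"):
            findings.append(f"vpngroup {name}: no group pre-shared key (password)")
        if g.get("address-pool") not in cfg["pools"]:
            findings.append(f"vpngroup {name}: address-pool missing or undefined")
        if "split-tunnel" in g and g["split-tunnel"] not in cfg["acls"]:
            findings.append(f"vpngroup {name}: split-tunnel ACL {g['split-tunnel']} is not defined")
    return findings


if __name__ == "__main__":
    for finding in audit_remote_vpn(GOOD_CONFIG) or ["no findings"]:
        print(finding)
    weakened = GOOD_CONFIG.replace("crypto map remote_vpn client authentication LOCAL\n", "")
    for finding in audit_remote_vpn(weakened):
        print("without XAUTH:", finding)
```

Run it against a `show run` capture saved to a file (replace the embedded constant, or pass the text to audit_remote_vpn); a non-empty result for a config that is supposed to prompt for a username and password is the thing to investigate first.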