11-06-2002 08:31 AM - edited 02-21-2020 12:09 PM
I tried to configure VPN with Xauth using local authentication on 6.2 code and couldn't get it to work. Has anyone found a way to do this? Is it planned for future releases? This PIX is only authenticating a handful of users and RADIUS/TACACS+ is overkill; I just want to enter a few username/password combinations in the config.
11-06-2002 12:49 PM
I have used it and it works great; however, I would still use a RADIUS. MS makes a RADIUS server that is included with Advanced Server and Win NT Option Pack.
11-26-2002 05:25 AM
I have a customer that we set up VPN on a PIX 515 to work with Cisco's Secure Client 1.1. The customer would like to add authentication to their VPN. They have only about 5 salespeople who use this VPN access. They run a Novell environment with no Microsoft servers. They have no RADIUS servers. I was told by a Cisco engineer in the spring of 2002 that the new 6.x version of software would include local Xauth. If this is true, how (or what) are the commands? I have to upgrade their current code (5.3).
11-26-2002 07:50 AM
The new 6.2 does include local Xauth but not for VPN. Perhaps you should go back and talk to that engineer to find out when, if ever, local Xauth will be supported for VPN authentication. Otherwise you will need some type of RADIUS server, as you mentioned you have none.
Kurtis Durrett
11-11-2002 11:34 PM
PIX doesn't support local XAUTH authentication. I'd guess it won't be included in future code, since this is a "sell-up" to the concentrators... but who knows!
However, you can use any Windows 2000 Server on your network to authenticate via Internet Authentication Service.
See the technote on cco here:
11-12-2002 06:14 AM
Thanks Jeff, that is kinda what I thought. This client's environment is all NT4 still and I know there is a MS RADIUS server, but that isn't practical in this situation. Local Xauth on the PIX seems like a simple solution though. You may be right in the thinking that Cisco doesn't want to give it too much functionality and hurt the concentrator sales. I think sometimes Cisco's thinking is always big companies/big networks; they don't realize that someone would want to connect just a handful of VPN users to a PIX.