02-25-2005 05:34 AM
Question: How do I add AAA authentication for the users of a Remote Site?
I have a VPN established from a Remote Site with a Cisco 837 EasyVPN Hardware Client to a PIX 515E EasyVPN Server at the Central Site. Please find the config files below.
PS: I have the CiscoSecure ACS software installed at the Central Site.
*** Central Site : PIX EasyVPN Config ***
sysopt connection permit-ipsec
crypto ipsec transform-set strong-des esp-3des esp-sha-hmac
crypto dynamic-map CISCO 4 set transform-set strong-des
crypto map agence-map 20 ipsec-isakmp dynamic CISCO
crypto map agence-map interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption 3des
isakmp policy 8 hash md5
isakmp policy 8 group 2
isakmp policy 8 lifetime 86400
vpngroup vpn-client address-pool vpn-client
vpngroup vpn-client dns-server 10.0.0.2
vpngroup vpn-client default-domain mysite.com
vpngroup vpn-client split-tunnel 80
vpngroup vpn-client idle-time 1800
vpngroup vpn-client password ********
***
*** Remote Site : Cisco 837 easyVPN config ***
!
!
crypto ipsec client ezvpn hw-client
connect auto
group vpn-client key ********
mode client
peer 191.168.12.4 <---- PIX External IP @
!
****
Regards.
02-25-2005 07:07 AM
Hello,
You should add these lines on your central site:
0. aaa-server name_of_the_group protocol radius/tacacs
1. aaa-server name_of_the_group (interface) host IP_address_of_AAA_Server key
2. crypto map agence-map client authentication name_of_the_group
Good luck,
Sasa
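Sasa's three steps written out against the PIX config posted above, as an added illustration rather than anything from the thread. The AAA server group name `ACS`, the `inside` interface and the ACS host address 10.0.0.5 are assumed values; the shared secret must be the same one configured for this PIX as a AAA client on the ACS. (The RADIUS variant is shown; TACACS+ only changes the protocol keyword.)

```text
! Central Site PIX (6.x syntax): define the AAA server group and point it at the ACS.
! "ACS" is an assumed group name; 10.0.0.5 is an assumed ACS address on the inside interface.
aaa-server ACS protocol radius
aaa-server ACS (inside) host 10.0.0.5 ******** timeout 5

! Turn on XAUTH for the EasyVPN clients terminating on the existing dynamic crypto map:
! each remote user is challenged for a username/password (checked against the ACS)
! during IKE, so the tunnel is not built until the user is authenticated.
crypto map agence-map client authentication ACS
```

Before relying on it, confirm the PIX can reach the ACS (`show aaa-server` and a test login on the ACS side) and check the ACS failed-attempts log: with XAUTH enabled, a reachability or shared-secret mismatch shows up as every remote user failing to connect.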
02-25-2005 09:05 AM
Thanks Sasa.
With this config, will the users inside the Remote Site receive a popup to enter username/password before the VPN tunnel can be established?
The objective is:
- Authenticate the users individually before the VPN is established
or
- After the VPN is established, each user is authenticated before accessing resources of the Central Site
Regards.
02-25-2005 09:38 AM
This depends on whether you are using saved username/passwords or user-entered, and whether you are using manual or auto connect option on your EasyVPN client.
You can set the 'connect auto | manual' command. If you are using auto, your user will be prompted for the password, but if you are using manual, your client will have to enter 'crypto ipsec client ezvpn connect' and then the password.
The same stands for saved passwords/usernames: you can save them on your EasyVPN client, or let your users enter them on their own.
In both cases, users get authenticated before the VPN tunnel is established, because xauth is actually a feature of IKE itself.
I hope this helps.
Good luck,
Sasa
03-15-2005 10:53 AM
Hi sasa,
It works! Thanks for your help.
PS
---
To enter the VPN login password information:
You can't store it on the EZVPN Router Client with the "username password" command (the PIX eZVPN server doesn't allow it). So you have to enter it manually during IKE negotiation.
There are 2 ways to do this:
1. On the router CLI itself. During the IKE negotiation, you receive a prompt to enter the information. Not really convenient if the user is not a technical individual.
2. The simplest way is to configure the eZVPN client with the Router Web Interface; after that there is a link you can launch to connect the VPN and enter the login password info: http://a.b.c.d/flash/VPNLogin.html where a.b.c.d is the IP address of the router.
Regards