Showing results for 
Search instead for 
Did you mean: 

VPN using username/password.

I know I can control access to a VPN using ACL and restrict client and protocols, is there a way I can get it to require a user to enter a username/password and log this to syslog when they use a tunnel?

I require site-site so this is necessary.

Also I am using Cisco 1841 not PIX.


It is possible with vpn 3002 concentrator running minimum 3.5. codes. So, I believe this explanation in vpn 3002 concentrator will be helpful for you also in the 1841 router.

In vpn 3002 concentrator, Under "Client Hardware parameters tab" , there is an option called "Require Individual User Authentication" . Check the "Require Individual User Authentication" check box to enable individual user authentication.

Individual user authentication protects the central site from access by unauthorized persons on the same LAN as the VPN 3002.

When you enable individual user authentication, each user that connects through a VPN 3002 must open a web browser and manually enter a valid username and password to access the network behind the VPN Concentrator, even though the tunnel already exists.


You cannot use the command-line interface to log in if user authentication is enabled.

You must use a browser.

If you have a default home page on the remote network behind the VPN Concentrator, or direct the browser to a website on the remote network behind the VPN Concentrator, the VPN 3002 directs the browser to the proper pages for user login. When you successfully log in, the browser displays the page you originally entered.

If you try to access resources on the network behind the VPN Concentrator that are not web-based, for example, email, the connection will fail until you authenticate.

To authenticate, you must enter the IP address for the private interface of the VPN 3002 in the browser Location or Address field. The browser then displays the login screen for the VPN 3002. Click the Connect/Login Status button to authenticate. One user can log in for a maximum of four sessions simultaneously.

Individual users authenticate according to the order of authentication servers that you configure

for a group. To configure authentication servers for individual user authentication, see the sections,

Configuration | User Management | Base Group/Groups | Authentication Servers | Add/Modify

I did it but with a PIX FW and Downloadable ACL's

you can check all configurations at the next Cisco web documentation


This is something similar for routers and the configuration is in the ACS or Radius server.

Recognize Your Peers
Content for Community-Ad