Cisco VPN Client username and password

Discussion in 'Cisco' started by SteveB, Dec 26, 2006.

  1. SteveB


    Oct 3, 2006
    We have a Cisco Pix 506e and we are using the Cisco VPN Client 4.6 on the remote machines. A user at home called today and complained that she was now being prompted for a username and password, which she had never had to supply before. I looked at the firewall configuration and there was a VPN group set up called "remote." Another admin had added a new VPN group and then added a local user called "remote." It's my understanding that you shouldn't have a group name and a local user using the same name.

    I tried removing the "remote" local user, but the client machine continues to think it needs a username and password.

    My question is, can a VPN connection even be configured to only accept a group name and key only or do they all have to have a group name, key, username, and password to authenticate? I am just trying to figure out why she is being asked for a username and password. As far as I can see, the only change to the FW was a new VPN group and an accidental addition of a local user that matched an existing group name.

    I did not set up the firewall or remote clients. I'm just trying to figure out what is going on.
    Last edited: Dec 26, 2006
    SteveB, Dec 26, 2006
    1. Advertisements

  2. professorguy


    Sep 15, 2006
    Some useful info.

    Yes, the PIX can provide 2 levels of authentication: device and user.

    The theory is that even an authenticated user cannot VPN in unless she has an authentic device and even an authentic device needs an authentic user.

    So to authenticate a device, put a password into your vpngroup. This gets entered into the client configuration of the authentic device (by the network admin, representing the owners of the device), and since this is stored in a hard to read format, the user doesn't know what it is. Then if this user didn't have an authentic device, then she couldn't get in with just her own password.

    To authenticate a user, add a user account to the group with the user password which the user will be told.

    So the PIX goes through 2 steps:
    1. Authenticate against the group using the stored client config. If this is not good, terminate the session. If it's OK, continue.
    2. Look for a method of user authentication. If there is none specified, authentication is finished and the group info is enough (this was your previous situation). If there is user auth info, prompt for a username/password.

    We happen to use domain (Active Directory) accounts for our user authentication, but many people put the account info right in the PIX configuration. Once the PIX is set to do user Auth, it will begin prompting for it.

    Adding the accounts certainly did it, since user authentication is now specified by your configuration. So getting rid of the one account will not change anything, you must change it so there is NO user Auth. However, as a professional network admin, I must say Nay, nay. You definitely want user Auth.

    Make sense?
    professorguy, Dec 27, 2006
    1. Advertisements

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. MP
  2. Dave
  3. The Reluctant Robot Named Jude

    Change the username found in "C:\Documents and Settings\Username"

    The Reluctant Robot Named Jude, May 5, 2004, in forum: Computer Support
    May 5, 2004
    Oct 30, 2007
  5. renxianfu
    Sep 9, 2008

Share This Page