[vpn] Authenticating VPN Client 3.0 to PIX (sans TACACS+, sans Radius, sans CA)

Chris_Barker at westlb-systems.co.jp
Fri Feb 15 01:44:36 EST 2002




The PIX does not have any kind of local user database so you need either a
Radius/TACACS+ or CA as a way to identify your users unless you have fixed
source IP addresses and use pre-shared secrets. Kind of throwing away your
security, but that is a different matter.  Personally I use Radius to identify
users to an ACE/Server to identify my users and certificates to identify my
machines.

Chris Barker
APAC Regional IT Security Officer
WestLB Systems Tokyo Branch
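An added configuration sketch, not from either post, contrasting the two routes the reply describes in PIX 6.x command syntax as I recall it: a peer pinned by a fixed source address and pre-shared key, and per-user extended authentication against a RADIUS server. Interface names, addresses, the pool range, and the names AuthInbound, remoteusers, vpnpool, strong, dynmap and clientmap are constructed placeholders, and the keywords should be checked against the 6.1(1) command reference rather than taken as verified.

```cisco
! Added example, not from the mailing list. All names and addresses are placeholders.
! Common ISAKMP policy (phase 1) for either route.
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
!
! Route A (the one the reply calls "throwing away your security"):
! the only thing identifying the remote side is its fixed source address
! plus one shared key. Nothing ties the tunnel to a person.
isakmp key <peer-preshared-key-placeholder> address 203.0.113.10 netmask 255.255.255.255
!
! Route B: the group pre-shared key only identifies the VPN Client 3.0
! group; each user is then challenged (XAUTH) and checked by RADIUS.
aaa-server AuthInbound protocol radius
aaa-server AuthInbound (inside) host 10.0.0.5 <radius-shared-secret-placeholder> timeout 10
ip local pool vpnpool 192.168.50.1-192.168.50.50
vpngroup remoteusers address-pool vpnpool
vpngroup remoteusers password <group-preshared-key-placeholder>
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set strong
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
crypto map clientmap client authentication AuthInbound
crypto map clientmap client configuration address initiate
crypto map clientmap interface outside
sysopt connection permit-ipsec
```

Route B still needs the RADIUS host (or an ACE/Server behind it, as in the reply) because the PIX itself holds no user accounts; without `client authentication` the group key alone is what admits a client.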



From: the_martyr at hushmail.com
Date: 02/15/02 11:06 AM
To: vpn at securityfocus.com
cc: (bcc: Chris Barker/TKY/WestLB-Systems/WLB)
Subject: [vpn] Authenticating VPN Client 3.0 to PIX (sans TACACS+, sans Radius, sans CA)





Hi All,

I am attempting to get information for configuring a
PIX Firewall (running version 6.1(1)) to accept
connections from users running Cisco's VPN Client
3.0 software (without a TACACS+ or Radius server).
Does anyone know how to authenticate the users
directly to the PIX (username/password) rather than
to an external TACACS+ or Radius server? I'm not
intending to use the CA certificate option either. As of
yet, I've been unable to find *any* documentation on
the subject.

If a Linux firewall running Freeswan can do this sort
of thing with Network Associates' PGPNet software, I
would expect a PIX to be able to do this with
Cisco-produced VPN software.

I sent this same request for info to the Cisco TAC
and have yet to hear back from them.

Thanks for any help on the subject!

Justin

VPN is sponsored by SecurityFocus.com








This message is confidential and may be privileged. It is
intended solely for the named  addressee. If you are not the
intended recipient please inform us. Any unauthorised
dissemination, distribution or copying hereof is prohibited.
As we cannot guarantee the  genuineness or completeness of
the information contained in this message, the statements
set forth above are not legally binding. In connection
therewith, we also refer to the governing regulations of
WestLB concerning signatory authority published in the
standard bank signature lists with regard to the legally
binding effect of statements made with the intent to
obligate WestLB.
