Firewall Wizards mailing list archives
RE: SaveUserPassword in Cisco VPN Client with PIX
From: "R. Benjamin Kessler" <rbk () midwestnsg com>
Date: Fri, 11 Mar 2005 13:35:35 -0500
What about using certificates instead? Recent versions of the Cisco VPN client offer this as a method of authentication instead of passwords; this would help fix the end-user "problem" without creating a potential stolen-laptop security risk.

~~~~~~~~~~
R. Benjamin Kessler
Sr. Network Consultant
CCIE #8762, CISSP, CCSE
Midwest Network Services Group
Email: rbk () midwestnsg com
http://www.midwestnsg.com
Phone: 260-625-3273
-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Paul Melson
Sent: Monday, March 07, 2005 4:32 PM
To: 'Christian Eich'
Cc: firewall-wizards () honor icsalabs com
Subject: RE: [fw-wiz] SaveUserPassword in Cisco VPN Client with PIX

Christian,

If it's worth keeping individual users' access separate, then IMHO it is still worth making them sign on manually, even if the password is only useful for a handful of things.

Write-protecting the .pcf file will maintain SaveUserPassword=1. This is probably easier than asking the PIX to do it. I think you would have to use some variation of 'isakmp peer ... no-config-mode' since IKE Config Mode is what sets this policy on the client (along with DNS/WINS/domain, etc.). This is really meant to allow site-to-site tunnels to share isakmp and crypto map configs with VPN clients on the same PIX by creating exceptions for specific peer addresses. Using this with a large number of VPN clients would be messy.

Neither means is especially elegant.

PaulM

-----Original Message-----
Subject: Re: [fw-wiz] SaveUserPassword in Cisco VPN Client with PIX

Good point :-)

First of all, these passwords are not the ones used in the internal network. The VPN doesn't even end in the internal network. The VPN is used for 500 sales people who get email and downloads that are individually prepared for them (mostly updates on contracts which are already stored on the notebook). So if someone steals that notebook he already has the data. The stored password only provides him with subsequent updates plus email.

On the other hand, these people come and go. So we need to lock them out individually when they leave the company. Therefore we want to use XAUTH.

I hope this explains why I want to do it. I just don't know how. I'm currently testing a suggestion to write-protect the pcf file. You'll get a summary on the solution once I get it working.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
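The thread turns on one setting in the client's .pcf profile (SaveUserPassword) and on write-protecting that file so the client cannot rewrite it. As an added illustration, not code from the thread, from Cisco, or from any of the posters, the Python script below audits a profile for a cached XAUTH password and applies the file write-protection Paul suggests, so an administrator can see on a given notebook whether the stolen-laptop exposure Christian describes is present. It assumes the classic .pcf layout (an INI-style file with a `[main]` section) and assumes `enc_UserPassword` is the key that holds the cached password; the sample profiles are constructed for the demo and the function names are the example's own.

```python
"""Audit a Cisco VPN Client .pcf profile for a cached XAUTH password and
write-protect the file, as discussed in the thread above (added example).

Assumptions: .pcf is INI-style with a [main] section; SaveUserPassword
is the key the thread names; enc_UserPassword is assumed to be the key
holding the cached password. Sample profiles below are constructed."""
import configparser
import os
import stat
import tempfile

# Constructed sample: password caching enabled, a cached value present.
SAMPLE_PCF = """[main]
Description=Sales VPN (constructed sample)
Host=vpn.example.invalid
GroupName=sales
Username=jdoe
SaveUserPassword=1
enc_UserPassword=PLACEHOLDER_NOT_A_REAL_VALUE
"""

# Constructed sample: the setting the defender wants to see.
HARDENED_PCF = """[main]
Description=Sales VPN (constructed sample)
Host=vpn.example.invalid
GroupName=sales
Username=jdoe
SaveUserPassword=0
"""


def parse_pcf(text):
    """Parse the INI-style .pcf text and return the [main] section as a dict."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case exactly as written in the profile
    cp.read_string(text)
    return dict(cp["main"])


def audit_profile(text):
    """Return a list of findings (strings) for one profile; empty means clean."""
    main = parse_pcf(text)
    findings = []
    if main.get("SaveUserPassword", "0") == "1":
        findings.append("SaveUserPassword=1: the XAUTH password will be cached on disk")
    if main.get("enc_UserPassword"):  # assumed key name for the cached value
        findings.append("enc_UserPassword present: a cached password is already stored")
    return findings


def write_protect(path):
    """Clear all write bits (the thread's suggestion) and report whether the
    owner write bit is now cleared. On Windows os.chmod honours only the
    read-only attribute, which this covers via stat.S_IWRITE."""
    mode = os.stat(path).st_mode
    os.chmod(path, mode & ~(stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH))
    return not (os.stat(path).st_mode & stat.S_IWRITE)


def protect_sample(text=SAMPLE_PCF):
    """Write a constructed profile to a temp file, audit it, write-protect it,
    then clean up. Returns (findings, is_read_only)."""
    fd, path = tempfile.mkstemp(suffix=".pcf")
    with os.fdopen(fd, "w") as f:
        f.write(text)
    try:
        with open(path) as f:
            findings = audit_profile(f.read())
        protected = write_protect(path)
    finally:
        # Restore the write bit so the temp file can be removed on every OS.
        os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
        os.remove(path)
    return findings, protected


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_PCF), ("hardened", HARDENED_PCF)):
        findings, read_only = protect_sample(text)
        print(f"{label}: read-only={read_only}")
        for item in findings or ["no findings"]:
            print("  -", item)
```

Write-protection stops the client from rewriting the profile, which is the whole of what the thread's workaround achieves; it does not change what the PIX pushes in IKE Config Mode, and it leaves any already-cached value in place, which is why the audit reports the cached key separately from the setting.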
Current thread:
- SaveUserPassword in Cisco VPN Client with PIX Christian Eich (Mar 04)
- RE: SaveUserPassword in Cisco VPN Client with PIX Paul Melson (Mar 09)
- <Possible follow-ups>
- Re: SaveUserPassword in Cisco VPN Client with PIX Christian Eich (Mar 09)
- RE: SaveUserPassword in Cisco VPN Client with PIX Paul Melson (Mar 09)
- RE: SaveUserPassword in Cisco VPN Client with PIX R. Benjamin Kessler (Mar 12)