RE: SaveUserPassword in Cisco VPN Client with PIX

["R. Benjamin Kessler" <rbk () midwestnsg com>]

What about using certificates instead?  Recent versions of the Cisco VPN
client offers this as a method of authentication instead of passwords;
this would help fix the end-user "problem" without creating a potential
stolen laptop security risk.

~~~~~~~~~~
R. Benjamin Kessler
Sr. Network Consultant
CCIE #8762, CISSP, CCSE
Midwest Network Services Group
Email: rbk () midwestnsg com
http://www.midwestnsg.com
Phone: 260-625-3273

> -----Original Message-----
> From: firewall-wizards-admin () honor icsalabs com
[mailto:firewall-wizards-
> admin () honor icsalabs com] On Behalf Of Paul Melson
> Sent: Monday, March 07, 2005 4:32 PM
> To: 'Christian Eich'
> Cc: firewall-wizards () honor icsalabs com
> Subject: RE: [fw-wiz] SaveUserPassword in Cisco VPN Client with PIX
>
> Christian,
>
> If it's worth keeping individual users access separate, then IMHO it
is
> still worth making them sign on manually, even if the password is only
> useful for a handful of things.
>
> Write-protecting the .pcf file will maintain SaveUserPassword=1.  This
is
> probably easier than asking the PIX to do it.  I think you would have
to
> use
> some variation of 'isakmp peer ... no-config-mode' since IKE Config
Mode
> is
> what sets this policy on the client (along with DNS/WINS/domain,
etc.).
> This is really meant to allow site-to-site tunnels to share isakmp and
> crypto map configs with VPN clients on the same PIX by creating
exceptions
> for specific peer addresses.  Using this with a large number of VPN
> clients
> would be messy.  Neither means is especially elegant.
>
> PaulM
>
>
> -----Original Message-----
> Subject: Re: [fw-wiz] SaveUserPassword in Cisco VPN Client with PIX
>
> Good Point :-)
>
> First of all, these passwords are not the ones used in the internal
> network.
> The VPN doesn't even end in the internal network.
>
> The VPN is used for 500 sales people who get email and downloads that
are
> individually prepared for them (mostly updates on contracts which are
> already stored on the notebook). So if someone steals that notebook he
> already has the data. The stored password only provides him with
> subsequent
> updates plus email.
>
> On the other hand these people come and go. So we need to lock them
out
> individually when they leave the company. Therefore we want to use
XAUTH.
> I hope this explains why I want to do it. I just dont know how.
>
> I'm currently testing a suggestion to write protect the pcf file.
You'll
> get
> a summary on the solution, one i got it working.
>
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () honor icsalabs com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards