Adding XAUTH to the Easy VPN Server Configuration


XAUTH gives you the ability to require that users who attempt to create an IPSec tunnel to the Easy VPN Server supply additional identity credentials. XAUTH is a good security procedure. Many VPN implementations require that the remote device supply only a preshared key and group name. Both of those parameters are hard-coded on the remote device. What happens if a user's laptop is stolen? The thief need only start the VPN Client to access corporate resources because no additional identity mechanism is in place.

That is where XAUTH comes into play. You not only require a user to have the correct group name and preshared key, but you also require that the user supply a unique username and password. This step helps ensure that if a remote device is compromised, a VPN tunnel is not established because additional authentication is required.

Configuring AAA Authentication

The first step in configuring XAUTH is to require the user to supply additional identity credentials. You do so by using AAA authentication. AAA and the components that comprise AAA were discussed in Chapter 5, "Securing Cisco Network Routers Using AAA." With XAUTH, you have all the same features of AAA authentication that we previously discussed. Here again is the command syntax for AAA authentication:

 
 Router(config)# aaa authentication login {default  list-name  }  method1 method2 method3 method4  

There is one caveat when using XAUTH: You must use the AAA list name that you specified earlier. Here is an example that enables XAUTH using the SECURADMIN list name that was created earlier:

 
 Router(config)# aaa authentication login SECURADMIN group RADIUS local 

Enabling IKE Extended Authentication

The final step to enable XAUTH is to apply the AAA authentication method to the crypto map that you created earlier. The command syntax is

 
 Router(config)# crypto map  map-name seq-num  client authentication list  list-name  

The crypto map that we created earlier was named EASYVPN, and the AAA authentication list name that was created is SECURADMIN. Here is an example that uses XAUTH with a crypto map:

 
 Router(config)# crypto map EASYVPN client authentication list SECURADMIN 

By specifying the same crypto map name that was used in the command crypto map EASYVPN 15 ipsec-isakmp dynamic SECURADMIN, we are ensuring that the dynamic crypto map template is used with these clients.

Configuring an XAUTH Timeout

You can also configure the amount of time that the Easy VPN Server will wait for the Easy VPN Remote user to supply a username and password. The command syntax to specify the XAUTH timeout is

 
 Router(config)# crypto isakmp xauth timeout  seconds  

To give the user 10 seconds to respond, the command is

 
 Router(config)# crypto isakmp xauth timeout 10 
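The three steps above (AAA list, client authentication on the crypto map, XAUTH timeout) are easy to leave half-finished, and a crypto map that references a dynamic template without a client authentication list silently falls back to group name plus preshared key. The following checker is an added example, not from the book or Cisco; it parses a constructed running-config fragment (the SAMPLE_CONFIG string is an assumption built from the commands in this section) and reports, per crypto map that uses a dynamic template, whether XAUTH is fully wired up.

```python
import re

# Constructed sample running-config (assumption: built from this section's
# commands, not a capture). Dynamic template and AAA list are both SECURADMIN.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login SECURADMIN group radius local
crypto isakmp xauth timeout 10
crypto dynamic-map SECURADMIN 10
 set transform-set ESP-3DES-SHA
crypto map EASYVPN 15 ipsec-isakmp dynamic SECURADMIN
crypto map EASYVPN client authentication list SECURADMIN
"""

AAA_LOGIN = re.compile(r"^aaa authentication login (\S+)\s+(.+)$", re.M)
DYNAMIC_MAP = re.compile(r"^crypto map (\S+) \d+ ipsec-isakmp dynamic \S+$", re.M)
CLIENT_AUTH = re.compile(r"^crypto map (\S+) client authentication list (\S+)$", re.M)
XAUTH_TIMEOUT = re.compile(r"^crypto isakmp xauth timeout (\d+)$", re.M)


def audit_xauth(config: str) -> dict:
    """Map each crypto map using a dynamic template to its XAUTH problems ([] = OK)."""
    aaa_lists = {m.group(1): m.group(2).split() for m in AAA_LOGIN.finditer(config)}
    client_auth = {m.group(1): m.group(2) for m in CLIENT_AUTH.finditer(config)}
    has_timeout = XAUTH_TIMEOUT.search(config) is not None
    findings = {}
    for m in DYNAMIC_MAP.finditer(config):
        map_name = m.group(1)
        problems = []
        list_name = client_auth.get(map_name)
        if list_name is None:
            # Only group name + preshared key protect this map, so a stolen
            # client with the hard-coded values could bring the tunnel up.
            problems.append("missing client authentication list")
        elif list_name not in aaa_lists:
            # No 'aaa authentication login' line defines the referenced list.
            problems.append(f"undefined AAA list {list_name}")
        elif aaa_lists[list_name] == ["none"]:
            problems.append(f"AAA list {list_name} uses method none")
        if not has_timeout:
            problems.append("no explicit xauth timeout")
        findings[map_name] = problems
    return findings


if __name__ == "__main__":
    for name, problems in audit_xauth(SAMPLE_CONFIG).items():
        print(name, "OK" if not problems else "; ".join(problems))
```

Feed it the output of show running-config from a real Easy VPN Server to spot maps where the client authentication list or the AAA list it names is missing.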


CCSP SECUR Exam Cram 2 (642-501)
ISBN: B000MU86IQ
Year: 2003
Pages: 291
Authors: Raman Sud
