XAUTH gives you the ability to require that users who attempt to create an IPSec tunnel to the Easy VPN Server supply additional identity credentials. XAUTH is a good security procedure. A lot of VPN implementations require that the remote device supply only a preshared key and group name. Both of those parameters are hard-coded on the remote device. What happens if a user's laptop is stolen? The thief need only start the VPN Client to access corporate resources, because no additional identity mechanisms are in place. That is where XAUTH comes into play. You not only require a user to have the correct group name and preshared key, but you also require that the user supply a unique username and password. This step helps ensure that if a remote device is compromised, a VPN tunnel is not established, because additional authentication is required.

Configuring AAA Authentication

The first step in configuring XAUTH is to require the user to supply additional identity credentials. You do so by using AAA authentication. AAA and the components that comprise AAA were discussed in Chapter 5, "Securing Cisco Network Routers Using AAA." With XAUTH, you have all the same features of AAA authentication that we previously discussed. Here again is the command syntax for AAA authentication:

Router(config)# aaa authentication login {default | list-name} method1 method2 method3 method4

There is one caveat when using XAUTH: You must use the AAA list name that you specified earlier. Here is an example that enables XAUTH using the SECURADMIN list name that was created earlier:

Router(config)# aaa authentication login SECURADMIN group RADIUS local

Enabling IKE Extended Authentication

The final step to enable XAUTH is to apply the AAA authentication method to the crypto map that you created earlier. The command syntax is

Router(config)# crypto map map-name seq-num client authentication list list-name

The crypto map that we created earlier was named EASYVPN, and the AAA authentication list name that was created is SECURADMIN. Here is an example that uses XAUTH with a crypto map:

Router(config)# crypto map EASYVPN client authentication list SECURADMIN

By specifying the same crypto map name that was used in the command crypto map EASYVPN 15 ipsec-isakmp dynamic SECURADMIN, we are ensuring that the dynamic crypto map template is used with these clients.

Configuring an XAUTH Timeout

You can also configure the amount of time that the Easy VPN Server will wait for the Easy VPN Remote user to supply a username and password. The command syntax to specify the XAUTH timeout is

Router(config)# crypto isakmp xauth timeout seconds

To give the user 10 seconds to respond, the command is

Router(config)# crypto isakmp xauth timeout 10
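The three steps above leave an obvious gap to check for: a dynamic crypto map that was never given a client authentication list, or one that points at an AAA list that does not exist or uses the none method, silently drops back to preshared-key-plus-group-name authentication. The following audit script is an added example, not from the book or from Cisco; it parses a constructed running-config excerpt (the EASYVPN map and SECURADMIN list from the text, plus a hypothetical BRANCH map with no XAUTH applied) and reports each dynamic crypto map on which XAUTH is not actually enforced.

```python
import re

# Constructed sample running-config excerpt (not captured from a real device).
# EASYVPN and SECURADMIN come from the text; BRANCH/DYNBRANCH are hypothetical
# names added to show a dynamic map with XAUTH missing.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login SECURADMIN group radius local
crypto isakmp xauth timeout 10
crypto map EASYVPN 15 ipsec-isakmp dynamic SECURADMIN
crypto map EASYVPN client authentication list SECURADMIN
crypto map BRANCH 10 ipsec-isakmp dynamic DYNBRANCH
"""

AAA_LOGIN = re.compile(r"^aaa authentication login (\S+) (.+)$")
DYN_ENTRY = re.compile(r"^crypto map (\S+) \d+ ipsec-isakmp dynamic \S+$")
XAUTH_ENTRY = re.compile(r"^crypto map (\S+) client authentication list (\S+)$")


def audit_xauth(config: str) -> list[str]:
    """Return findings; an empty list means every dynamic crypto map applies
    XAUTH through an AAA login list that exists and is not 'none'."""
    aaa_lists = {}      # list-name -> method keywords
    dynamic_maps = set()  # crypto map names that carry a dynamic entry
    xauth_lists = {}    # crypto map name -> AAA list applied for XAUTH
    for line in config.splitlines():
        line = line.strip()
        if m := AAA_LOGIN.match(line):
            aaa_lists[m.group(1)] = m.group(2).split()
        elif m := DYN_ENTRY.match(line):
            dynamic_maps.add(m.group(1))
        elif m := XAUTH_ENTRY.match(line):
            xauth_lists[m.group(1)] = m.group(2)

    findings = []
    for cmap in sorted(dynamic_maps):
        if cmap not in xauth_lists:
            findings.append(f"{cmap}: dynamic crypto map without 'client authentication list' (XAUTH not enforced)")
            continue
        aaa = xauth_lists[cmap]
        if aaa not in aaa_lists:
            findings.append(f"{cmap}: references AAA login list {aaa!r} that is not defined")
        elif aaa_lists[aaa] == ["none"]:
            findings.append(f"{cmap}: AAA list {aaa!r} uses method 'none', so XAUTH accepts anyone")
    return findings


if __name__ == "__main__":
    for finding in audit_xauth(SAMPLE_CONFIG):
        print(finding)
```

Run it against the output of show running-config from each Easy VPN Server; the EASYVPN map passes and only BRANCH is reported.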