RE: [fw-wiz] SaveUserPassword in Cisco VPN Client with PIX

From: Paul Melson (psmelson_at_comcast.net)
Date: 03/07/05

    To: <firewall-wizards@honor.icsalabs.com>
    Date: Mon, 7 Mar 2005 10:27:07 -0500

    First of all, (and you'll probably hear this from plenty of list members),
    not requiring users to authenticate by hand is very risky. Essentially,
    anyone that steals the .PCF file off of any client machine will be able to
    tunnel through your firewall. This is a BAD THING(tm).

    That said, if you're bound and determined to do this, then why use XAUTH at
    all? If you know that certain machines are going to need to connect via VPN
    client, create a vpngroup that only has vpngroup password set (so don't
    specify authentication-server, secure-unit-authentication, or
    user-authentication in vpngroup, or crypto map client authentication in the
    corresponding crypto map), create a new profile with just the group name and
    PSK, and install on your client machines. Users double-click on a VPN
    profile and connect without a password prompt.

    IMHO, this is slightly less risky than requiring authentication with a
    password that is stored in the PCF file. Those passwords are stored as
    hashes and susceptible to offline brute-force attacks. If an attacker could
    potentially access your internal network, why on earth would you want to
    also provide them with user credentials to authenticate to directories and
    services that they are now able to communicate with?

    PaulM

    -----Original Message-----
    Subject: [fw-wiz] SaveUserPassword in Cisco VPN Client with PIX

    Hi,

    I have to allow Users using Cisco VPN-Client to save their password locally.
    But whenever they connect to the central PIX, the Attribute
    "SaveUserPassword" in the connection profile is reset.

    How can I define the PIX policy on saved passwords?

    I once had this working while playing with secure-unit-authentication. But I
    can't get it back.

    Can anyone help me?

    Regards, Christian Eich

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
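A way to check which of the secrets discussed above a given profile actually keeps on disk, as an added example that is not part of the thread. It is written in Python against the standard Cisco VPN Client PCF keys (Host, GroupName, GroupPwd/enc_GroupPwd, Username, SaveUserPassword, UserPassword/enc_UserPassword); the three sample profiles, their hostnames, group names and hex strings are constructed for illustration, and the script only reports what is stored, it does not decode the enc_* values.

```python
"""Audit Cisco VPN Client .pcf profiles for secrets stored on disk.

Added example, not from the original thread. Uses the well-known PCF keys
(Host, GroupName, GroupPwd, enc_GroupPwd, Username, SaveUserPassword,
UserPassword, enc_UserPassword). The sample profiles below are constructed;
the hostnames, group names and hex values are invented. The script reports
what is stored and does not attempt to decode enc_* values.
"""
import configparser

# Three constructed profiles matching the options discussed in the thread.
PROFILES = {
    # Original poster's goal: XAUTH with the user password saved in the PCF.
    "saved_xauth.pcf": """[main]
Description=constructed sample
Host=vpn.example.invalid
AuthType=1
GroupName=STAFF
enc_GroupPwd=0123456789ABCDEF
Username=ceich
SaveUserPassword=1
enc_UserPassword=FEDCBA9876543210
""",
    # PaulM's suggestion: group PSK only, no XAUTH, no user credential on disk.
    "psk_only.pcf": """[main]
Description=constructed sample
Host=vpn.example.invalid
AuthType=1
GroupName=KIOSKS
enc_GroupPwd=0123456789ABCDEF
SaveUserPassword=0
""",
    # Interactive XAUTH: group PSK still on disk, user password is not.
    "prompted_xauth.pcf": """[main]
Description=constructed sample
Host=vpn.example.invalid
AuthType=1
GroupName=STAFF
enc_GroupPwd=0123456789ABCDEF
Username=ceich
SaveUserPassword=0
""",
}


def audit_pcf(text: str) -> dict:
    """Return which secrets a profile keeps on disk plus a one-line verdict."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep PCF key case as written (enc_GroupPwd etc.)
    cp.read_string(text)
    main = cp["main"]

    group_pwd_stored = bool(main.get("GroupPwd") or main.get("enc_GroupPwd"))
    user_pwd_stored = bool(main.get("UserPassword") or main.get("enc_UserPassword"))
    save_flag = main.get("SaveUserPassword", "0") == "1"

    # Ranking follows the thread: a stored user credential is worse than a
    # stored group PSK, because PCF theft then also yields a directory account.
    if user_pwd_stored or save_flag:
        verdict = "user credential on disk: PCF theft yields tunnel + user account"
    elif group_pwd_stored:
        verdict = "group PSK on disk: PCF theft yields tunnel only"
    else:
        verdict = "no secrets on disk"
    return {
        "host": main.get("Host"),
        "group": main.get("GroupName"),
        "group_pwd_stored": group_pwd_stored,
        "user_pwd_stored": user_pwd_stored,
        "save_user_password": save_flag,
        "verdict": verdict,
    }


def audit_all(profiles=PROFILES) -> dict:
    """Audit every profile in a {filename: text} mapping."""
    return {name: audit_pcf(text) for name, text in profiles.items()}


if __name__ == "__main__":
    for name, result in audit_all().items():
        print(f"{name}: {result['verdict']}")
```

Pointing audit_all at a directory of real profiles (read each .pcf into the mapping) gives a quick inventory of which client machines would hand an attacker a tunnel, and which would also hand over a user account.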

