RE: [fw-wiz] SaveUserPassword in Cisco VPN Client with PIX

From: Paul Melson (
Date: 03/07/05

  • Next message: Scott Stursa: "RE: [fw-wiz] Cisco acls"
    To: <>
    Date: Mon, 7 Mar 2005 10:27:07 -0500

    First of all, (and you'll probably hear this from plenty of list members),
    not requiring users to authenticate by hand is very risky. Essentially,
    anyone that steals the .PCF file off of any client machine will be able to
    tunnel through your firewall. This is a BAD THING(tm).

    That said, if you're bound and determined to do this, then why use XAUTH at
    all? If you know that certain machines are going to need to connect via VPN
    client, create a vpngroup that only has vpngroup password set (so don't
    specify authentication-server, secure-unit-authentication, or
    user-authentication in vpngroup, or crypto map client authentication in the
    corresponding crypto map), create a new profile with just the group name and
    PSK, and install on your client machines. Users double-click on a VPN
    profile and connect without a password prompt.

    IMHO, this is slightly less risky than requiring authentication with a
    password that is stored in the PCF file. Those passwords are stored as
    hashes and susceptible to offline brute-force attacks. If an attacker could
    potentially access your internal network, why on earth would you want to
    also provide them with user credentials to authenticate to directories and
    services that they are now able to communicate via?


    -----Original Message-----
    Subject: [fw-wiz] SaveUserPassword in Cisco VPN Client with PIX


    I have to allow Users using Cisco VPN-Client to save their password locally.
    But whenever they connect to the central PIX, the Attribute
    "SaveUserPassword" in the connection profile is reset.

    How can i define the PIX Policy on saved passwords?

    I once had this working while playing with secure-unit-authentication. But i
    cant get it back.

    Can anyone help me?

    Regards, Christian Eich

    firewall-wizards mailing list

  • Next message: Scott Stursa: "RE: [fw-wiz] Cisco acls"