RE: [fw-wiz] SaveUserPassword in Cisco VPN Client with PIX
From: Paul Melson (psmelson_at_comcast.net)
To: <firstname.lastname@example.org> Date: Mon, 7 Mar 2005 10:27:07 -0500
First of all, (and you'll probably hear this from plenty of list members),
not requiring users to authenticate by hand is very risky. Essentially,
anyone that steals the .PCF file off of any client machine will be able to
tunnel through your firewall. This is a BAD THING(tm).
That said, if you're bound and determined to do this, then why use XAUTH at
all? If you know that certain machines are going to need to connect via VPN
client, create a vpngroup that only has vpngroup password set (so don't
specify authentication-server, secure-unit-authentication, or
user-authentication in vpngroup, or crypto map client authentication in the
corresponding crypto map), create a new profile with just the group name and
PSK, and install on your client machines. Users double-click on a VPN
profile and connect without a password prompt.
IMHO, this is slightly less risky than requiring authentication with a
password that is stored in the PCF file. Those passwords are stored as
hashes and susceptible to offline brute-force attacks. If an attacker could
potentially access your internal network, why on earth would you want to
also provide them with user credentials to authenticate to directories and
services that they are now able to communicate via?
Subject: [fw-wiz] SaveUserPassword in Cisco VPN Client with PIX
I have to allow Users using Cisco VPN-Client to save their password locally.
But whenever they connect to the central PIX, the Attribute
"SaveUserPassword" in the connection profile is reset.
How can i define the PIX Policy on saved passwords?
I once had this working while playing with secure-unit-authentication. But i
cant get it back.
Can anyone help me?
Regards, Christian Eich
firewall-wizards mailing list