RE: [fw-wiz] SaveUserPassword in Cisco VPN Client with PIX

From: R. Benjamin Kessler (rbk_at_midwestnsg.com)
Date: 03/11/05

    To: <firewall-wizards@honor.icsalabs.com>
    Date: Fri, 11 Mar 2005 13:35:35 -0500
    
    

    What about using certificates instead? Recent versions of the Cisco VPN
    client offer this as a method of authentication instead of passwords;
    this would help fix the end-user "problem" without creating a potential
    stolen laptop security risk.

    ~~~~~~~~~~
    R. Benjamin Kessler
    Sr. Network Consultant
    CCIE #8762, CISSP, CCSE
    Midwest Network Services Group
    Email: rbk@midwestnsg.com
    http://www.midwestnsg.com
    Phone: 260-625-3273

    > -----Original Message-----
    > From: firewall-wizards-admin@honor.icsalabs.com
    > [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of Paul Melson
    > Sent: Monday, March 07, 2005 4:32 PM
    > To: 'Christian Eich'
    > Cc: firewall-wizards@honor.icsalabs.com
    > Subject: RE: [fw-wiz] SaveUserPassword in Cisco VPN Client with PIX
    >
    > Christian,
    >
    > If it's worth keeping individual users' access separate, then IMHO it is
    > still worth making them sign on manually, even if the password is only
    > useful for a handful of things.
    >
    > Write-protecting the .pcf file will maintain SaveUserPassword=1. This is
    > probably easier than asking the PIX to do it. I think you would have to
    > use some variation of 'isakmp peer ... no-config-mode' since IKE Config
    > Mode is what sets this policy on the client (along with DNS/WINS/domain,
    > etc.). This is really meant to allow site-to-site tunnels to share isakmp
    > and crypto map configs with VPN clients on the same PIX by creating
    > exceptions for specific peer addresses. Using this with a large number of
    > VPN clients would be messy. Neither means is especially elegant.
    >
    > PaulM
    >
    >
    > -----Original Message-----
    > Subject: Re: [fw-wiz] SaveUserPassword in Cisco VPN Client with PIX
    >
    > Good Point :-)
    >
    > First of all, these passwords are not the ones used in the internal
    > network. The VPN doesn't even end in the internal network.
    >
    > The VPN is used for 500 sales people who get email and downloads that
    > are individually prepared for them (mostly updates on contracts which
    > are already stored on the notebook). So if someone steals that notebook
    > he already has the data. The stored password only provides him with
    > subsequent updates plus email.
    >
    > On the other hand these people come and go. So we need to lock them out
    > individually when they leave the company. Therefore we want to use
    > XAUTH.
    >
    > I hope this explains why I want to do it. I just don't know how.
    >
    > I'm currently testing a suggestion to write-protect the .pcf file.
    > You'll get a summary on the solution once I get it working.
    >
    >
    > _______________________________________________
    > firewall-wizards mailing list
    > firewall-wizards@honor.icsalabs.com
    > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

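    The thread above turns on two things: what the VPN Client keeps in its
    .pcf profile (SaveUserPassword and a cached XAUTH password) and whether
    the file is write-protected so a Config Mode push cannot flip the
    setting. The script below is an added example, not code from any of the
    posts or from Cisco: it parses two constructed .pcf profiles, flags a
    cached user password, and checks the file's read-only bit. The key names
    (SaveUserPassword, enc_UserPassword, enc_GroupPwd, AuthType, CertName)
    follow the profile format; the meaning assigned to AuthType values 1 and
    3, the severities, and every host, group and user value are assumptions
    made for the example.

```python
import configparser
import os
import stat
import tempfile

# Constructed sample profiles (not real deployments). The Cisco VPN Client
# keeps one INI-style .pcf file per connection entry; the key names follow
# that format, every value here is made up.
PCF_SAVED_XAUTH = """\
[main]
Description=Sales remote access (constructed)
Host=vpn.example.com
AuthType=1
GroupName=sales
enc_GroupPwd=0123456789ABCDEF
Username=jdoe
SaveUserPassword=1
enc_UserPassword=FEDCBA9876543210
"""

PCF_CERT = """\
[main]
Description=Sales remote access, certificate auth (constructed)
Host=vpn.example.com
AuthType=3
CertStore=2
CertName=jdoe
SaveUserPassword=0
"""


def parse_pcf(text):
    """Return the [main] section of a .pcf profile as a dict.

    configparser lower-cases option names, so look keys up in lower case.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    if not cp.has_section("main"):
        raise ValueError("no [main] section: not a VPN Client profile")
    return dict(cp["main"])


def audit_profile(main):
    """Return (severity, message) findings for one parsed profile."""
    findings = []
    # Assumed meaning of AuthType: 1 = group pre-shared key + XAUTH, 3 = certificate.
    auth = main.get("authtype", "").strip()
    save = main.get("saveuserpassword", "0").strip()
    cached = main.get("enc_userpassword", "").strip()

    if save == "1" and cached:
        findings.append(("high", "XAUTH user password is cached in the profile; "
                                 "whoever holds the machine can reconnect as this user"))
    elif save == "1":
        findings.append(("medium", "SaveUserPassword=1: the client will cache the XAUTH "
                                   "password after the next successful login"))
    elif cached:
        findings.append(("medium", "enc_UserPassword present although SaveUserPassword "
                                   "is off; clear the stale value"))

    if auth == "3":
        findings.append(("info", "certificate authentication: no reusable XAUTH "
                                 "password for the client to cache"))
    return findings


def is_write_protected(path):
    """True when no write bit is set (on Windows this mirrors the read-only attribute)."""
    mode = os.stat(path).st_mode
    return not mode & (stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH)


def audit_file(path):
    """Parse and audit one .pcf on disk, adding a note when the file is writable."""
    with open(path, encoding="utf-8", errors="replace") as f:
        findings = audit_profile(parse_pcf(f.read()))
    if not is_write_protected(path):
        findings.append(("info", "profile is writable: a Config Mode push from the "
                                 "concentrator can rewrite SaveUserPassword"))
    return findings


def run_demo(write_protect=True):
    """Write both samples to a temp dir, optionally make them read-only as the
    thread suggests, and return {name: [severities]} for inspection."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, text in (("saved-xauth", PCF_SAVED_XAUTH), ("cert", PCF_CERT)):
            path = os.path.join(d, name + ".pcf")
            with open(path, "w", encoding="utf-8") as f:
                f.write(text)
            if write_protect:
                os.chmod(path, stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)
            results[name] = [sev for sev, _ in audit_file(path)]
            os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)  # let the temp dir clean up
    return results


if __name__ == "__main__":
    for name, sevs in run_demo().items():
        print(name, sevs)
```

    Run it against a real Profiles directory by calling audit_file() on each
    .pcf; a "high" finding on a laptop that leaves the building is the
    stolen-notebook case the thread is worried about, and the certificate
    profile shows why Ben's suggestion removes that finding entirely.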
