RE: [fw-wiz] SaveUserPassword in Cisco VPN Client with PIX

From: R. Benjamin Kessler
Date: 03/11/05

  • Next message: Marcus J. Ranum: "Re: [fw-wiz] MJR on Linux/OSS"
    Date: Fri, 11 Mar 2005 13:35:35 -0500

    What about using certificates instead? Recent versions of the Cisco VPN
    client offer this as a method of authentication instead of passwords;
    this would help fix the end-user "problem" without creating a potential
    stolen-laptop security risk.

    R. Benjamin Kessler
    Sr. Network Consultant
    CCIE #8762, CISSP, CCSE
    Midwest Network Services Group
    Phone: 260-625-3273

    > -----Original Message-----
    > From:
    > On Behalf Of Paul Melson
    > Sent: Monday, March 07, 2005 4:32 PM
    > To: 'Christian Eich'
    > Cc:
    > Subject: RE: [fw-wiz] SaveUserPassword in Cisco VPN Client with PIX
    >
    > Christian,
    >
    > If it's worth keeping individual users' access separate, then IMHO it's
    > still worth making them sign on manually, even if the password is only
    > useful for a handful of things.
    >
    > Write-protecting the .pcf file will maintain SaveUserPassword=1. This is
    > probably easier than asking the PIX to do it. I think you would have to
    > use some variation of 'isakmp peer ... no-config-mode' since IKE Config is
    > what sets this policy on the client (along with DNS/WINS/domain,
    > This is really meant to allow site-to-site tunnels to share isakmp and
    > crypto map configs with VPN clients on the same PIX by creating
    > for specific peer addresses. Using this with a large number of VPN
    > clients would be messy. Neither means is especially elegant.
    >
    > PaulM
    > -----Original Message-----
    > Subject: Re: [fw-wiz] SaveUserPassword in Cisco VPN Client with PIX
    >
    > Good point :-)
    >
    > First of all, these passwords are not the ones used in the internal
    > network. The VPN doesn't even end in the internal network.
    >
    > The VPN is used for 500 sales people who get email and downloads that are
    > individually prepared for them (mostly updates on contracts which are
    > already stored on the notebook). So if someone steals that notebook he
    > already has the data. The stored password only provides him with
    > subsequent updates plus email.
    >
    > On the other hand these people come and go. So we need to lock them
    > individually when they leave the company. Therefore we want to use
    > I hope this explains why I want to do it. I just don't know how.
    >
    > I'm currently testing a suggestion to write-protect the pcf file.
    > get a summary on the solution once I got it working.
    > _______________________________________________
    > firewall-wizards mailing list

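The thread turns on what actually ends up in the Cisco VPN Client's .pcf profile: Paul's suggestion (write-protect the file so the client cannot clear SaveUserPassword=1) and Ben's (move to certificates so nothing reusable is stored). The following is an added example, not code from the thread or from Cisco: a small Python audit that parses a .pcf profile, reports whether a user password is stored on disk, and rewrites the profile for certificate authentication. The keys Host, AuthType, GroupName, enc_GroupPwd, Username, SaveUserPassword and enc_UserPassword are the .pcf keys the thread refers to or that appear in real profiles; the certificate-selection keys CertStore and CertName and the AuthType value 3 for certificate authentication are assumptions from memory of the client and should be checked against the installed client's documentation. Both sample profiles are constructed.

```python
"""Audit Cisco VPN Client .pcf profiles for stored user passwords.

Added example, not from the thread. Key names for the certificate
fields (CertStore, CertName) and AuthType=3 are assumptions; verify
against the client version in use.
"""
import configparser

# Constructed sample: a profile as the thread describes it, with the
# user password saved so the sales people never have to type it.
PASSWORD_PROFILE = """[main]
Description=sales VPN (constructed example)
Host=vpn.example.com
AuthType=1
GroupName=sales
enc_GroupPwd=0123456789ABCDEF
Username=jdoe
SaveUserPassword=1
enc_UserPassword=FEDCBA9876543210
"""

# Constructed sample: the same profile on certificate authentication,
# as suggested in the reply; no reusable secret is stored on disk.
CERT_PROFILE = """[main]
Description=sales VPN, certificate auth (constructed example)
Host=vpn.example.com
AuthType=3
GroupName=sales
CertStore=1
CertName=jdoe
Username=jdoe
SaveUserPassword=0
"""


def parse_pcf(text):
    """Parse the [main] section of a .pcf profile into a dict, keys as written."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the mixed-case key names the client uses
    cp.read_string(text)
    return dict(cp["main"])


def audit_pcf(text):
    """Return credential-handling findings for one profile as a list of strings."""
    p = parse_pcf(text)
    findings = []
    if p.get("enc_UserPassword"):
        findings.append("enc_UserPassword present: the user password is on disk, "
                        "so whoever holds the laptop can bring the tunnel up")
    if p.get("SaveUserPassword") == "1":
        findings.append("SaveUserPassword=1: the client is allowed to keep "
                        "saving the user password")
    if p.get("AuthType") == "3":  # assumed value for certificate auth
        findings.append("AuthType=3: certificate authentication; lock a departing "
                        "user out by revoking the certificate, not by password")
    return findings


def to_certificate_profile(text, cert_name):
    """Rewrite a password profile as a certificate profile.

    Drops the stored user and group secrets, turns SaveUserPassword off,
    switches AuthType to 3 and points the client at the named certificate
    (certificate key names are assumptions, see module docstring).
    """
    p = parse_pcf(text)
    p.pop("enc_UserPassword", None)
    p.pop("enc_GroupPwd", None)  # group password is not used with certificates
    p["SaveUserPassword"] = "0"
    p["AuthType"] = "3"
    p["CertStore"] = "1"
    p["CertName"] = cert_name
    return "\n".join(["[main]"] + [f"{k}={v}" for k, v in p.items()]) + "\n"


if __name__ == "__main__":
    for name, prof in (("password profile", PASSWORD_PROFILE),
                       ("certificate profile", CERT_PROFILE)):
        print(name)
        for finding in audit_pcf(prof):
            print("  -", finding)
    print(to_certificate_profile(PASSWORD_PROFILE, "jdoe"))
```

Run against a directory of deployed profiles, the audit separates the two things the thread conflates: write-protecting the file keeps the client from flipping SaveUserPassword, but the enc_UserPassword value stays on the notebook either way, which is exactly the stolen-laptop exposure Ben's reply is about. The certificate rewrite removes the stored secret, and per-user lockout then becomes revoking that user's certificate rather than changing a password the laptop already holds.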
