Firewall Wizards mailing list archives

RE: SaveUserPassword in Cisco VPN Client with PIX


From: "Paul Melson" <psmelson () comcast net>
Date: Mon, 7 Mar 2005 16:31:33 -0500

Christian,

If it's worth keeping individual users' access separate, then IMHO it is
still worth making them sign on manually, even if the password is only
useful for a handful of things.

Write-protecting the .pcf file will maintain SaveUserPassword=1.  This is
probably easier than asking the PIX to do it.  I think you would have to use
some variation of 'isakmp peer ... no-config-mode' since IKE Config Mode is
what sets this policy on the client (along with DNS/WINS/domain, etc.).
This is really meant to allow site-to-site tunnels to share isakmp and
crypto map configs with VPN clients on the same PIX by creating exceptions
for specific peer addresses.  Using this with a large number of VPN clients
would be messy.  Neither means is especially elegant.

PaulM


-----Original Message-----
Subject: Re: [fw-wiz] SaveUserPassword in Cisco VPN Client with PIX

Good Point :-)

First of all, these passwords are not the ones used in the internal network.
The VPN doesn't even end in the internal network.

The VPN is used for 500 sales people who get email and downloads that are
individually prepared for them (mostly updates on contracts which are
already stored on the notebook). So if someone steals that notebook he
already has the data. The stored password only provides him with subsequent
updates plus email.

On the other hand these people come and go. So we need to lock them out
individually when they leave the company. Therefore we want to use XAUTH.

I hope this explains why I want to do it. I just don't know how.

I'm currently testing a suggestion to write-protect the pcf file. You'll get
a summary on the solution once I've got it working.
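As an added example (not code from the thread or from Cisco), a small defender-side audit that parses Cisco VPN Client .pcf profiles, reports which ones permit a saved XAUTH password (SaveUserPassword=1) and whether each file is write-protected, and applies the write-protect step from Paul's reply. The sample profiles are constructed, and every key other than SaveUserPassword is an assumption about the usual [main] layout of a .pcf file.

```python
import configparser
import os
import stat
import tempfile
from pathlib import Path

# Constructed samples (not from the thread); only SaveUserPassword is named there.
SAMPLE_PROFILES = {
    "sales.pcf": "[main]\nDescription=Sales VPN\nHost=vpn.example.invalid\n"
                 "AuthType=1\nGroupName=sales\nUsername=jdoe\nSaveUserPassword=1\n",
    "admin.pcf": "[main]\nDescription=Admin VPN\nHost=vpn.example.invalid\n"
                 "AuthType=1\nGroupName=admins\nSaveUserPassword=0\n",
}
WRITE_BITS = stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH

def audit_profile(path):
    """Does this .pcf allow a saved XAUTH password, and is the file read-only?"""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key names case-sensitive, as written in the file
    cp.read(path, encoding="utf-8")
    main = cp["main"] if cp.has_section("main") else {}
    return {
        "file": os.path.basename(path),
        "path": path,
        "save_user_password": main.get("SaveUserPassword", "0").strip() == "1",
        "writable": bool(os.stat(path).st_mode & WRITE_BITS),
    }

def audit_directory(directory):
    """Audit every .pcf profile in a directory, sorted by file name."""
    return [audit_profile(str(p)) for p in sorted(Path(directory).glob("*.pcf"))]

def write_protect(path):
    """Clear all write bits; on Windows this is the read-only attribute."""
    os.chmod(path, os.stat(path).st_mode & ~WRITE_BITS)

def run_demo():
    """Write the samples, audit, write-protect profiles that save a password, re-audit."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in SAMPLE_PROFILES.items():
            Path(tmp, name).write_text(body, encoding="utf-8")
        before = {r["file"]: r for r in audit_directory(tmp)}
        for r in before.values():
            if r["save_user_password"]:
                write_protect(r["path"])
        after = {r["file"]: r for r in audit_directory(tmp)}
        for r in after.values():  # make the files writable again so cleanup works
            os.chmod(r["path"], os.stat(r["path"]).st_mode | stat.S_IWUSR)
        return before, after
```

run_demo() returns the audit results before and after protection, keyed by file name; point audit_directory() at the client's profile folder to audit real installs.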


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

