Firewall Wizards mailing list archives
RE: SaveUserPassword in Cisco VPN Client with PIX
From: "Paul Melson" <psmelson () comcast net>
Date: Mon, 7 Mar 2005 10:27:07 -0500
First of all, (and you'll probably hear this from plenty of list members), not requiring users to authenticate by hand is very risky. Essentially, anyone that steals the .PCF file off of any client machine will be able to tunnel through your firewall. This is a BAD THING(tm).

That said, if you're bound and determined to do this, then why use XAUTH at all? If you know that certain machines are going to need to connect via VPN client, create a vpngroup that only has vpngroup password set (so don't specify authentication-server, secure-unit-authentication, or user-authentication in vpngroup, or crypto map client authentication in the corresponding crypto map), create a new profile with just the group name and PSK, and install on your client machines. Users double-click on a VPN profile and connect without a password prompt.

IMHO, this is slightly less risky than requiring authentication with a password that is stored in the PCF file. Those passwords are stored as hashes and susceptible to offline brute-force attacks. If an attacker could potentially access your internal network, why on earth would you want to also provide them with user credentials to authenticate to directories and services that they are now able to communicate via?

PaulM

-----Original Message-----
Subject: [fw-wiz] SaveUserPassword in Cisco VPN Client with PIX

Hi,

I have to allow Users using Cisco VPN-Client to save their password locally. But whenever they connect to the central PIX, the Attribute "SaveUserPassword" in the connection profile is reset. How can I define the PIX Policy on saved passwords?

I once had this working while playing with secure-unit-authentication. But I can't get it back.

Can anyone help me?

Regards,
Christian Eich

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
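Added example, not part of the original thread: a small audit check an administrator could run over client profiles to see which credentials a stolen .PCF file would carry. It assumes the usual INI-style profile layout with a `[main]` section and the client's `SaveUserPassword`, `UserPassword`, `enc_UserPassword`, `GroupPwd` and `enc_GroupPwd` keys; the sample profile, host name and hex values are constructed placeholders.

```python
import configparser

# Constructed sample profile: host, names and hex blobs are placeholders.
SAMPLE_PCF = """\
[main]
Host=vpn.example.test
AuthType=1
GroupName=examplegroup
!enc_GroupPwd=0011223344556677
Username=jdoe
SaveUserPassword=1
UserPassword=
enc_UserPassword=8899AABBCCDDEEFF
"""

def audit_pcf(text):
    """Return (code, detail) findings for one .pcf profile passed as text."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    # Keys are matched case-insensitively; a leading "!" (the client's
    # read-only marker) is stripped so "!enc_GroupPwd" is still seen.
    parser.optionxform = lambda key: key.lstrip("!").lower()
    try:
        parser.read_string(text)
    except configparser.Error as exc:
        return [("PARSE_ERROR", str(exc))]
    if not parser.has_section("main"):
        return [("NO_MAIN", "no [main] section, not a usable profile")]
    main = parser["main"]

    def has(key):
        # True only when the key exists and carries a non-empty value.
        return bool(main.get(key, "").strip())

    findings = []
    if main.get("saveuserpassword", "0").strip() == "1":
        findings.append(("SAVE_ENABLED", "SaveUserPassword=1"))
    if has("userpassword"):
        findings.append(("USER_PW_CLEAR", "UserPassword holds a cleartext value"))
    if has("enc_userpassword"):
        findings.append(("USER_PW_STORED", "enc_UserPassword is populated"))
    if has("grouppwd"):
        findings.append(("GROUP_PSK_CLEAR", "GroupPwd holds a cleartext value"))
    if has("enc_grouppwd"):
        findings.append(("GROUP_PSK_STORED", "enc_GroupPwd is populated"))
    return findings

if __name__ == "__main__":
    for code, detail in audit_pcf(SAMPLE_PCF):
        print(f"{code}: {detail}")
```

A profile that reports only `GROUP_PSK_STORED` matches the group-password-only setup described in the reply; any `USER_PW_*` finding means the file also carries a user credential.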