Configuring Automatic Xauth Authentication - Cisco FirePOWER ASA 5500 series Configuration Manual

Security appliance command line
Hide thumbs Also See for FirePOWER ASA 5500 series:
Table of Contents

Advertisement

Configuring Automatic Xauth Authentication

Configuring Automatic Xauth Authentication
The ASA 5505 configured as an Easy VPN hardware client automatically authenticates when it connects
to the Easy VPN server if all of the following conditions are true:
Enter the following command in global configuration mode to configure the Xauth username and
password:
You can use up to 64 characters for each.
For example, enter the following command to configure the Easy VPN hardware client to use the
XAUTH username testuser and password ppurkm1:
hostname(config)# vpnclient username testuser password ppurkm1
hostname(config)#
To remove the username and password from the running configuration, enter the following command:
For example:
hostname(config)# no vpnclient username
hostname(config)#
Configuring IPSec Over TCP
By default, the Easy VPN hardware client and server encapsulate IPSec in User Datagram Protocol
(UDP) packets. Some environments, such as those with certain firewall rules, or NAT and PAT devices,
prohibit UDP. To use standard Encapsulating Security Protocol (ESP, Protocol 50) or Internet Key
Exchange (IKE, UDP 500) in such environments, you must configure the client and the server to
encapsulate IPSec within TCP packets to enable secure tunneling. If your environment allows UDP,
however, configuring IPSec over TCP adds unnecessary overhead.
To configure the Easy VPN hardware client to use TCP-encapsulated IPSec, enter the following
command in global configuration mode:
The Easy VPN hardware client uses port 10000 if the command does not specify a port number.
If you configure an ASA 5505 to use TCP-encapsulated IPSec, enter the following command to let it
send large packets over the outside interface:
hostname(config)# crypto ipsec df-bit clear-df outside
hostname(config)#
Cisco Security Appliance Command Line Configuration Guide
34-4
Secure unit authentication is disabled on the server.
The server requests IKE Extended Authenticate (Xauth) credentials.
Xauth provides the capability of authenticating a user within IKE using TACACS+ or RADIUS.
Xauth authenticates a user (in this case, the Easy VPN hardware client) using RADIUS or any of the
other supported user authentication protocols.
The client configuration contains an Xauth username and password.
vpnclient username xauth_username password xauth password
no vpnclient username
vpnclient ipsec-over-tcp [port tcp_port]
Chapter 34
Configuring Easy VPN Services on the ASA 5505
OL-10088-01

Advertisement

Table of Contents
loading

This manual is also suitable for:

Pix 500 seriesCisco asa 5500 series

Table of Contents