Configure a PIX 501 or 506E as an Easy VPN Client
Easy VPN Remote authentication

This section introduces two Easy VPN Remote authentication methods, Secure Unit Authentication (SUA) and Individual User Authentication (IUA).

SUA is a feature introduced with PIX Security Appliance Software Version 6.3 to improve security when using a PIX as an Easy VPN Remote device. With SUA, one-time passwords, two-factor authentication, and similar authentication schemes can be used to authenticate the remote PIX before establishing a VPN tunnel to an Easy VPN Server. SUA is configured as part of the VPN policy on the Easy VPN Server and cannot be configured directly on the Easy VPN Remote device. After connecting to the Easy VPN Server, the Easy VPN Remote device downloads the VPN policy, which then enables or disables SUA.

When SUA is disabled and the PIX Security Appliance is in network extension mode, a connection is initiated automatically. When SUA is disabled and the PIX is in client mode, the connection is initiated automatically whenever any traffic is sent through the PIX to a network protected by the Easy VPN Server.

When SUA is enabled, static credentials included in the local configuration of the Easy VPN Remote device are ignored. A connection request is initiated as soon as an HTTP request is sent from the remote network to the network protected by the Easy VPN Server. All other traffic to the network protected by the Easy VPN Server is dropped until a VPN tunnel is established. A connection request can also be initiated from the CLI of the Easy VPN Remote device.

After SUA is enabled and before a VPN tunnel is established, any HTTP request to the network protected by the Easy VPN Server is redirected to the URL as follows:

https://inside-ipaddr/vpnclient/connstatus.html

Where inside-ipaddr is replaced by the IP address of the inside interface of the PIX Security Appliance used as the Easy VPN Remote device. The connection can be activated manually by entering this URL in the Address or Location box of a browser. This URL can also be used to check the status of the VPN tunnel. This URL provides a page containing a Connect link that displays an authentication page. If authentication is successful, the VPN tunnel is established. After the VPN tunnel is established, other users on the network protected by the Easy VPN Remote device can access the network protected by the Easy VPN Server without further authentication.

Enable SUA by entering the following command at the Easy VPN Server:

vpngroup groupname secure-unit-authentication

Replace groupname with an alphanumeric identifier for the VPN group using SUA.

If it is necessary to control access by individual users behind the Easy VPN Remote device, IUA can be implemented. IUA causes clients on the inside network of the Easy VPN Remote to be individually authenticated, with each authenticated session keyed to the IP address of the inside client; any host that can use that address shares the session until it is torn down or times out. IUA supports both static and one-time password (OTP) authentication mechanisms.

IUA is enabled by means of the downloaded VPN policy and cannot be configured locally. When IUA is enabled, each user on the network protected by the Easy VPN Remote device is prompted for a user name and password when trying to initiate a connection. How the credentials reach the AAA server depends on the type of Easy VPN Server. When the Easy VPN Server is a PIX Security Appliance, it performs proxy authentication to the AAA server: the Easy VPN Remote device sends each authentication request to the Easy VPN Server, which forwards it to the AAA server. Other Easy VPN Servers instead download the contact information for the AAA server to the Easy VPN Remote device, which then sends each authentication request directly to the AAA server.

To enable IUA on a PIX Security Appliance used as the Easy VPN Server, enter the following command:

vpngroup groupname user-authentication

This command enables individual user authentication for the VPN group identified by groupname.

To specify the length of time that a VPN tunnel can remain open without user activity, enter the following command:

vpngroup groupname user-idle-timeout hh:mm:ss

This command specifies, for the VPN group identified by groupname, the idle time after which the tunnel is torn down, in hours, minutes, and seconds (hh:mm:ss). Keep this short enough that a workstation left unattended does not leave an authenticated tunnel open for the rest of the remote network.

To specify the AAA server to use for IUA on a PIX Security Appliance being used as the Easy VPN Server, enter the following command. The server_tag must name an AAA server group that has already been defined with the aaa-server command:

vpngroup groupname authentication-server server_tag

This command specifies the AAA server identified by server_tag for the VPN group identified by groupname.
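The following configuration ties the SUA and IUA commands above together, with the server side (PIX Security Appliance as Easy VPN Server) and the remote side (PIX 501 or 506E as Easy VPN Remote) shown in one place. It is an added example, not configuration from the original page or from Cisco's documentation. The group name remote-sales, the AAA server tag IUA-RADIUS, the pool name and all IP addresses and keys are assumptions chosen for illustration, and the example assumes the remaining Easy VPN Server IPsec setup (ISAKMP policy, transform set and dynamic crypto map) is already in place. Comment lines are prefixed with a colon.

```text
: --- Easy VPN Server (PIX Security Appliance, software 6.3) ---
: AAA server group used for IUA; tag, host address and key are assumed
aaa-server IUA-RADIUS protocol radius
aaa-server IUA-RADIUS (inside) host 192.0.2.10 s3cr3tkey timeout 5

: Address pool handed to remotes running in client mode (assumed range)
ip local pool ezvpn-pool 192.168.100.1-192.168.100.50

: VPN group policy; this is what the Easy VPN Remote downloads on connect,
: so SUA and IUA are enabled here and not on the remote PIX
vpngroup remote-sales address-pool ezvpn-pool
vpngroup remote-sales password Gr0upPr3sharedK3y
vpngroup remote-sales secure-unit-authentication
vpngroup remote-sales user-authentication
vpngroup remote-sales authentication-server IUA-RADIUS
vpngroup remote-sales user-idle-timeout 00:30:00

: --- Easy VPN Remote (PIX 501 / 506E) ---
vpnclient server 203.0.113.1
vpnclient mode network-extension-mode
vpnclient vpngroup remote-sales password Gr0upPr3sharedK3y
: Static unit credentials; ignored once the downloaded policy enables SUA,
: after which the unit is authenticated through the connstatus.html page
vpnclient username pix-branch1 password UnitPassw0rd
vpnclient enable
: Initiate the connection from the CLI instead of waiting for an HTTP request
vpnclient connect

: Verify the downloaded policy and tunnel state on the remote
show vpnclient
show vpnclient detail
```

With this policy in place, the remote PIX ignores its vpnclient username line, the first HTTP request from the branch network is redirected to https://inside-ipaddr/vpnclient/connstatus.html until the unit has been authenticated, and each inside host is then prompted for its own credentials, which the PIX Easy VPN Server proxies to the IUA-RADIUS group. Sessions that stay idle for 30 minutes are torn down.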