This section introduces two Easy VPN Remote authentication methods,
Secure Unit Authentication (SUA) and Individual User Authentication (IUA).
SUA is a feature introduced with PIX Security Appliance Software Version 6.3
to improve security when using a PIX as an Easy VPN Remote device. With SUA,
one-time passwords, two-factor authentication, and similar authentication
schemes can be used to authenticate the remote PIX before establishing a VPN
tunnel to an Easy VPN Server. SUA is configured as part of the VPN policy on
the Easy VPN Server and cannot be configured directly on the Easy VPN Remote
device. After connecting to the Easy VPN Server, the Easy VPN Remote device
downloads the VPN policy, which then enables or disables SUA.
When SUA is disabled and the PIX Security Appliance is in network extension
mode, a connection is automatically initiated. When SUA is disabled with client
mode, the connection is automatically initiated whenever any traffic is sent
through the PIX to a network protected by the Easy VPN Server.
When SUA is enabled, static credentials included in the local configuration of
the Easy VPN Remote device are ignored. A connection request is initiated as
soon as an HTTP request is sent from the remote network to the network
protected by the Easy VPN Server. All other traffic to the network protected by
the Easy VPN Server is dropped until a VPN tunnel is established. A connection
request can also be initiated from the CLI of the Easy VPN Remote device.
After SUA is enabled and before a VPN tunnel is established, any HTTP request
to the network protected by the Easy VPN Server is redirected to the following
URL:

https://inside-ipaddr/vpnclient/connstatus.html
Where inside-ipaddr is replaced by the IP address of the inside interface of
the PIX Security Appliance used as the Easy VPN Remote device. The connection
can be activated manually by entering this URL in the Address or Location box
of a browser. This URL can also be used to check the status of the VPN tunnel.
The page at this URL contains a Connect link that displays an authentication
page. If authentication is successful, the VPN tunnel is established. After the
VPN tunnel is established, other users on the network protected by the Easy VPN
Remote device can access the network protected by the Easy VPN Server without
further authentication.
Enable SUA by entering the following command at the Easy VPN Server:

vpngroup groupname secure-unit-authentication

Replace groupname with an alphanumeric identifier for the VPN group using SUA.
If it is necessary to control access by individual users
behind the Easy VPN remote device, IUA can be implemented. IUA causes clients
on the inside network of the Easy VPN Remote to be individually authenticated
based on the IP address of the inside client. IUA supports authentication with
both static and dynamic password mechanisms.
IUA is enabled by means of the downloaded VPN policy and it cannot be
configured locally. When IUA is enabled, each user on the network protected by
the Easy VPN Remote device is prompted for a user name and password when trying
to initiate a connection. A PIX Security Appliance acting as an Easy VPN Server
downloads the contact information for the AAA server to the Easy VPN Remote
device, which sends each authentication request directly to the AAA server. A
PIX Security Appliance Easy VPN Server performs proxy authentication to the AAA
server. The Easy VPN Remote device sends each authentication request to the
Easy VPN Server.
IUA supports individually authenticating clients on the inside network of the
Easy VPN Remote, based on the IP address of each inside client. IUA supports
both static and one-time password (OTP) authentication mechanisms. IUA is
enabled by means of the downloaded VPN policy and it cannot be configured
locally. To enable IUA on a PIX Security Appliance used as the Easy VPN Server,
enter the following command:

vpngroup groupname user-authentication

This command enables individual user authentication for the VPN group
identified by groupname.
To specify the length of time that a VPN tunnel can remain open without user
activity, enter the following command:

vpngroup groupname user-idle-timeout {hh:mm:ss}

This command specifies the idle time for the specified VPN group in hours,
minutes, and seconds (hh:mm:ss).
To specify the AAA server to use for IUA on a PIX Security Appliance being used
as the Easy VPN Server, enter the following command:

vpngroup groupname authentication-server server_tag

This command specifies the AAA server identified by server_tag for the VPN
group identified by groupname.
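The three vpngroup commands above are normally applied together for one group, and the server_tag in the last one must match an aaa-server already defined on the PIX. The following Python script is an added example, not part of the original page or any Cisco tool: it parses a constructed, PIX-style configuration (the sample text, group names, addresses and key are made up for illustration) and reports, per VPN group, whether SUA and IUA are enabled, whether the idle timeout is well formed, and whether the referenced authentication-server tag actually exists. The rule that an IUA-enabled group should also carry an explicit user-idle-timeout is the script's own audit policy, not a requirement stated by the page.

```python
"""Audit Easy VPN Server 'vpngroup' settings for SUA and IUA on a PIX config.

Added example (not from the original page). The configuration below is
CONSTRUCTED sample text, not a real device's configuration.
"""
import re

CONSTRUCTED_CONFIG = """\
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.1.1.10 examplekey timeout 5
vpngroup sales address-pool vpnpool
vpngroup sales secure-unit-authentication
vpngroup sales user-authentication
vpngroup sales user-idle-timeout 00:30:00
vpngroup sales authentication-server RADIUS
vpngroup eng secure-unit-authentication
vpngroup eng user-authentication
vpngroup eng authentication-server TACACS
vpngroup guest address-pool vpnpool
"""

# hh:mm:ss as shown in the page's user-idle-timeout syntax
IDLE_RE = re.compile(r"^(\d{1,2}):([0-5]\d):([0-5]\d)$")


def idle_timeout_seconds(value):
    """Convert an hh:mm:ss idle timeout to seconds; ValueError if malformed."""
    m = IDLE_RE.match(value)
    if not m:
        raise ValueError(f"bad idle timeout: {value!r}")
    h, mi, s = (int(x) for x in m.groups())
    return h * 3600 + mi * 60 + s


def parse_pix_config(text):
    """Collect per-group vpngroup settings and the set of defined aaa-server tags."""
    groups = {}
    aaa_tags = set()
    for raw in text.splitlines():
        parts = raw.strip().split()
        if not parts or parts[0].startswith("!"):
            continue
        if parts[0] == "aaa-server" and len(parts) >= 2:
            aaa_tags.add(parts[1])
        elif parts[0] == "vpngroup" and len(parts) >= 3:
            g = groups.setdefault(
                parts[1],
                {"sua": False, "iua": False, "idle": None, "auth_server": None},
            )
            kw = parts[2]
            if kw == "secure-unit-authentication":
                g["sua"] = True
            elif kw == "user-authentication":
                g["iua"] = True
            elif kw == "user-idle-timeout" and len(parts) >= 4:
                g["idle"] = parts[3]
            elif kw == "authentication-server" and len(parts) >= 4:
                g["auth_server"] = parts[3]
    return groups, aaa_tags


def audit(text):
    """Return {group: [finding, ...]}; an empty list means the group passed."""
    groups, aaa_tags = parse_pix_config(text)
    findings = {}
    for name, g in groups.items():
        issues = []
        if not g["sua"]:
            # Without SUA the remote PIX's locally stored static credentials are used.
            issues.append("SUA not enabled: static credentials on the remote device are accepted")
        if g["iua"]:
            if g["auth_server"] is None:
                issues.append("IUA enabled but no authentication-server set")
            elif g["auth_server"] not in aaa_tags:
                issues.append(
                    f"authentication-server {g['auth_server']} has no matching aaa-server definition"
                )
            # Audit policy of this script: IUA groups should bound idle sessions explicitly.
            if g["idle"] is None:
                issues.append("IUA enabled but no user-idle-timeout set")
            else:
                try:
                    idle_timeout_seconds(g["idle"])
                except ValueError as exc:
                    issues.append(str(exc))
        findings[name] = issues
    return findings


if __name__ == "__main__":
    for group, issues in audit(CONSTRUCTED_CONFIG).items():
        print(group, "OK" if not issues else issues)
```

Run as-is it reports the constructed "sales" group as clean, flags "eng" for a dangling TACACS tag and a missing idle timeout, and flags "guest" for running without SUA.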