Cisco Secure VPN Exam Certification Guide - Cisco press

Unit and User Authentication for the VPN 3002 Hardware Client 379

Figure 8-12 Configuration | User Management | Groups | Modify > Client Config

380 Chapter 8: Configuring Cisco 3002 Hardware Client for Remote Access

Configuring Unit and User Authentication

Clicking the HW Client tab brings up the screen for configuring both interactive hardware client authentication and individual user authentication for VPN 3002 Hardware Clients (see Figure 8-13). Recall that interactive hardware client authentication will prompt the user for a specific username and password that must be authenticated by the head-end concentrator before the VPN tunnel will be established. IPSec tunnels are usually only maintained for specified periods of time. When SA lifetimes expire or tunnel time out values are reached, the IPSec tunnels are terminated. When a VPN tunnel does not exist between the VPN 3002 Hardware Client and the head-end concentrator, the first user that requires VPN services through the VPN 3002 Hardware Client will cause the VPN devices to begin establishing the

tunnel. If interactive hardware client authentication has been specified, this initial user will be required to enter the username and password for hardware authentication.

Individual user authentication forces the users connecting through a VPN 3002 Hardware Client to use a web browser for initial VPN access in order to authenticate through the headend concentrator. VPN 3002 Hardware Clients can support many users across a single IPSec tunnel. When individual user authentication is enabled, each user will need to establish their credentials through a web browser. In the case where both interactive hardware client authentication and individual user authentication are required, the initial user that brings up the VPN tunnel will need to enter two different username and password combinations: one for the hardware client, and one for themselves.

On the screen shown in Figure 8-13, checking the Require Individual User Authentication forces the VPN 3002 Hardware Client to prompt the end user for the username and password. This is also the screen that determines the length of time that a tunnel in PAT mode will remain active without any data being passed over the connection. The User Idle Timeout box is used to enter the time in minutes before a connection is dropped for the individual user or the remote site when using PAT mode.

Note the bottom button, which is labeled Cisco IP Phone Bypass. It is imperative that this box be checked if you want to use IP Telephony over your tunnels and you have chosen to require individual user authentication. Failure to check this box will cause the VPN 3002 Hardware Client to attempt to display a web page on the phone, which will fail anytime a user attempts to place a call over the tunnel. Click Add.

You have one more task to accomplish on the VPN Concentrator. That task is to set up your user with a valid name, password, and group assignment. Go to the Configuration | User Management | Users | Add screen and add a user (see Figure 8-14). Set the username and password. Ensure that the group is the same as the group that was just modified.

Unit and User Authentication for the VPN 3002 Hardware Client 381

Figure 8-13 Configuration | User Management | Groups | Modify > HW Client

Figure 8-14 Configuration | User Management | Users | Add

Interactive Hardware Client and Individual User Authentication

After you enable interactive hardware client authentication and/or individual user authentication, the next step is to test the system. From the private side of the VPN 3002 Hardware Client, open a web browser and point it to either the inside IP address of the VPN 3002 Hardware Client or to any IP address reachable through the tunnel. You will be redirected to the VPN 3002 Hardware Client Manager screen.

Unit and User Authentication for the VPN 3002 Hardware Client 385

Figure 8-20 Monitoring | System Status

386 Chapter 8: Configuring Cisco 3002 Hardware Client for Remote Access

Foundation Summary

The Foundation Summary is a collection of tables and figures that provides a convenient review of many key concepts in this chapter. For those aho are already comfortable with the topics in this chapter, this summary could help you recall a few details. For those who just read this chapter, this review should help solidify some key facts. For anyone doing final preparation before the exam, these tables and figures are a convenient way to review the day before the exam.

Configure Preshared Keys

To configure preshared keys, follow these steps:

Step 1 On the concentrator, go to the Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN | Modify screen.

Step 2 Set the IP address of the peer.

Step 3 Set the preshared key.

Step 4 On the VPN 3002 Hardware Client, go to the Configuration | System |

Tunneling Protocols | IPSec screen.

Step 5 Make sure that the Use Certificate box is not checked.

Step 6 Enter the group and password.

Step 7 Enter the user, username, and password.

Troubleshooting IPSec

Follow these steps to troubleshoot IPSec:

Step 1 Ping the private interface of the remote concentrator. If you can get there, IPSec works. If your ping fails, you should proceed to Steps 2 and 3.

Step 2 Set the debug levels for 1–13 on both sides (IKE, IKEDBG, IPSEC,

IPSECDBG).

Step 3 Read and understand the log. It will tell you where the problem lies.

Split Tunnel

Remember the following key points about split tunneling:

•Configured on the head-end VPN 3000 Series Concentrator.

•Permits specific traffic to bypass the VPN tunnel.

•Options for split tunneling are

—Tunnel all traffic.

—Tunnel only traffic contained within a specified network list.

—Do not tunnel traffic contained within a specified network list.