Friday, January 29, 2010

Saving Your Password in the Cisco VPN Client

It has always been frustrating to have to log in to the VPN with a password every time I have to connect to a client site to check something. Here is how to enable your client to save the password locally on your computer.

First, we need to enable the option on the router or ASA.
  1. Connect to the device
  2. Check your VPN group name if necessary by doing a 'show run | include crypto isakmp client configuration group'. You should see 'crypto isakmp client configuration group <YourVPNGroup>'.
  3. Enter config mode
  4. Enter ISAKMP group configuration mode for the appropriate isakmp group by typing 'crypto isakmp client configuration group <YourVPNGroup>'
  5. Add the command 'save-password'
  6. Example:
    rtr#config t
    rtr(config)#crypto isakmp client configuration group MyVPNGroup
    rtr(config-isakmp-group)# save-password
    rtr(config-isakmp-group)#end
Now connect your VPN client to the device, inputting your username and password as normal. The device should automatically push the privilege to save the password to your VPN client software once you are successfully connected.

Now disconnect the session. Wait a few seconds and reconnect. You should now see the Save Password checkbox in the VPN connection window. Check this box. Input your password for the last time and hit connect.

Your password should now be saved in your VPN client settings and you should no longer need to input it when connecting to this device. Verify that this is working by disconnecting and reconnecting one more time. Then save the config with a wr mem if everything looks good.

A Show Run should show you something like this now for your VPN group. Note that the save-password option is there now.
crypto isakmp client configuration group <YourVPNGroup>
key
dns
save-password pool
acl
save-password
include-local-lan
max-users 5
netmask 255.255.255.0
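
Because save-password leaves the Xauth password stored on every client PC in the group, it is worth knowing which groups have it turned on. The following audit script is an added example, not part of the original post or of Cisco's documentation. It assumes the sub-commands are indented as in real 'show running-config' output, and the sample config and the function name groups_with_save_password are constructed for illustration.

```python
import re

# Constructed sample of 'show running-config' output (not from a real device).
SAMPLE_CONFIG = """\
crypto isakmp client configuration group MyVPNGroup
 key EXAMPLE-KEY
 pool VPNPOOL
 save-password
 max-users 5
!
crypto isakmp client configuration group Contractors
 key EXAMPLE-KEY-2
 pool VPNPOOL2
!
interface FastEthernet0/0
 description save-password is mentioned here only as text
"""

GROUP_RE = re.compile(r"^crypto isakmp client configuration group (\S+)\s*$")


def groups_with_save_password(config_text):
    """Return {group_name: bool} for every ISAKMP client configuration group.

    True means the group pushes the Save-Password attribute to clients.
    """
    result = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        match = GROUP_RE.match(line)
        if match:
            current = match.group(1)
            result[current] = False
        elif line.startswith(" ") and current is not None:
            # Indented lines are sub-commands of the current group.
            if line.strip() == "save-password":
                result[current] = True
        else:
            # Any other top-level line ('!' or a new command) ends the group.
            current = None
    return result


if __name__ == "__main__":
    for name, enabled in groups_with_save_password(SAMPLE_CONFIG).items():
        status = "save-password ENABLED" if enabled else "password not saved"
        print(f"{name}: {status}")
```

Run it against a saved copy of the running config; any group reported as enabled lets its users tick the Save Password box in the client.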


Cisco Documentation

save-password


To save your extended authentication (Xauth) password locally on your PC, use the save-password command in Internet Security Association Key Management Protocol (ISAKMP) group configuration mode. To disable the Save-Password attribute, use the no form of this command.

save-password

no save-password

Syntax Description

This command has no arguments or keywords.

Defaults

Your Xauth password is not saved locally on your PC, and the Save-Password attribute is not added to the server group profile.

Command Modes

ISAKMP group configuration

Command History


Release     Modification
12.3(2)T    This command was introduced.


Usage Guidelines

Save password control allows you to save your Xauth password locally on your PC so that after you have initially entered the password, the Save-Password attribute is pushed from the server to the client. On subsequent authentications, you can activate the password by using the tick box on the software client or by adding the username and password to the Cisco IOS hardware client profile. The password setting remains until the Save-Password attribute is removed from the server group profile. After the password has been activated, the username and password are sent automatically to the server during Xauth without your intervention.

The save-password option is useful only if your password is static, that is, if it is not a one-time password such as one that is generated by a token.

The Save-Password attribute is configured on a Cisco IOS router or in the RADIUS profile.

To configure save password control, use the save-password command.

An example of an attribute-value (AV) pair for the Save-Password attribute is as follows:

ipsec:save-password=1



You must enable the crypto isakmp client configuration group command, which specifies group policy information that has to be defined or changed, before enabling the save-password command.


Note: The Save-Password attribute can be applied only by a RADIUS user.

The attribute can be applied on a per-user basis after the user has been authenticated.

The attribute can override any similar group attributes.

User-based attributes are available only if RADIUS is used as the database.


Examples

The following example shows that the Save-Password attribute has been configured:

crypto isakmp client configuration group cisco

 save-password

Related Commands


Command                                     Description
acl                                         Configures split tunneling.
crypto isakmp client configuration group    Specifies the DNS domain to which a group belongs.

Thursday, January 14, 2010

Cisco IOS Bundles

Cisco IOS Packaging

Cisco IOS Packaging consists of eight packages for Cisco routers and five packages for Cisco switches. (See Figure 6.)

Figure 6—Cisco IOS Packaging for Cisco Routers and Switches


Four packages are designed to satisfy requirements in four typical service categories:

  • IP data

  • Converged voice and data

  • Security and VPN

  • Enterprise protocols

Three additional premium packages offer new Cisco IOS Software feature combinations that address more complex network requirements. All features merge in the Advanced Enterprise Services package that integrates support for all routing protocols with Voice, Security, and VPN capabilities.

Feature inheritance is another powerful aspect of Cisco IOS Packaging. After a feature is introduced, it is included in the more comprehensive packages. The feature inheritance facilitates migration by clarifying the feature content of the different packages and how they relate to one another.

Cisco IOS Packaging also simplifies image naming. Each name is designed to effectively convey the high-level feature content of, and the inheritance characteristics for, the new packages.

These categories summarize the new naming convention:

  • Base—entry level image (IP Base, Enterprise Base)

  • Services—addition of IP Telephony Service, MPLS, Voice over IP (VoIP), Voice over Frame Relay (VoFR), and ATM (SP Services, Enterprise Services)

  • Advanced—addition of VPN, Cisco IOS Firewall, 3DES encryption, SSH, Cisco IOS IPsec and Intrusion Detection Systems (IDS) (Advanced Security, Advanced IP Services)

  • Enterprise—addition of multi-protocols, including IBM, IPX, AppleTalk (Enterprise Base, Enterprise Services)

These packages are new:

  • IP Base

  • IP Voice

  • Enterprise Base

  • Advanced Security

  • SP Services

  • Advanced IP Services

  • Enterprise Services

  • Advanced Enterprise Services

http://www.cisco.com/warp/public/620/1.html

Wednesday, January 13, 2010

Alias for CLI Access to the CUE

! Create an alias to make CLI access to the CUE module much easier.
! alias exec
! Do a 'sh ip int brief' and look for the service-engine or integrated service-engine number to fill in the proper one. It is usually 0/0 though.
!alias exec cue service-module service-Engine <Service-engine location> session

Examples:
alias exec cue service-module service-Engine 0/0 session
alias exec cue service-module integrated-Service-Engine 0/0 session

rtr#conf t
rtr(config)#alias exec cue service-module service-Engine 0/0 session
rtr(config)#end
rtr#cu?
*cue="service-module service-Engine 0/0 session"

rtr#cue
Trying 10.1.10.1, 2194 ... Open
rtrcue#

Tuesday, January 5, 2010

Rebooting Cisco Phones

http://www.cisco.com/en/US/docs/voice_ip_comm/cucme/command/reference/cme_r1ht.html#wp1013890

Note that when resetting or restarting phones, the phone will not be rebooted immediately if it is currently in use. Instead, it will be rebooted once the phone call is over. Thus, resetting or restarting should both be safe to do during business hours as long as call traffic is not high at that point in time.

reset (ephone)


To perform a complete reboot of a single phone associated with a Cisco CallManager Express (Cisco CME) router, use the reset command in ephone configuration mode.

reset

Syntax Description

This command has no arguments or keywords.

Command Default

No reset is performed.

Command Modes

Ephone configuration (config-ephone)

Command History


Cisco IOS Release    Cisco Product    Modification
12.1(5)YD            Cisco ITS 1.0    This command was introduced.
12.2(8)T             Cisco ITS 2.0    This command was integrated into Cisco IOS Release 12.2(8)T.


Usage Guidelines

After you update information for one or more phones associated with a Cisco CME router, the phone or phones must be rebooted. There are two commands to reboot the phones: reset and restart. The reset command performs a "hard" reboot similar to a power-off-power-on sequence. It reboots the phone and contacts the Dynamic Host Configuration Protocol (DHCP) server and the TFTP server to update from their information as well. The restart command performs a "soft" reboot by simply rebooting the phone without contacting the DHCP and TFTP servers. The reset command takes significantly longer to process than the restart command when you are updating multiple phones, but it must be used after updating phone firmware, user locale, network locale, or URL parameters. For simple button, line, or speed-dial changes, you can use the restart command.

Use the reset (ephone) command to perform a complete reboot of an IP phone when you are in ephone configuration mode. This command has the same effect as a reset (telephony-service) command that is used to reset a single phone.

This command has a no form, but the no form has no effect.

Examples

The following example resets the SCCP phone with a phone-tag of 1:

Router(config)# ephone 1

Router(config-ephone)# reset

Related Commands


Command                        Description
reset (telephony-service)      Performs a complete reboot of one or all phones associated with a Cisco CME router.
restart (ephone)               Performs a fast reboot of a single phone associated with a Cisco CME router.
restart (telephony-service)    Performs a fast reboot of one or all phones associated with a Cisco CME router.


reset (telephony-service)

To perform a complete reboot of one or all phones associated with a Cisco CallManager Express (Cisco CME) router, use the reset command in telephony-service configuration mode. To interrupt and cancel a sequential reset cycle, use the no form of the command with the sequence-all keyword.

reset {all [time-interval] | cancel | mac-address | sequence-all}

no reset {all [time-interval] | cancel | mac-address | sequence-all}

Syntax Description


all

Resets all Cisco IP phones served by the Cisco CME router. The router pauses for 15 seconds between the reset starts for each successive phone unless the time-interval argument is used to change that value.

time-interval

(Optional) Time interval, in seconds, between each phone reset. Range is from 0 to 60. Default is 15.

cancel

Interrupts a sequential reset cycle that was started with a reset sequence-all command.

mac-address

MAC address of a particular Cisco IP phone.

sequence-all

Resets all phones in strict one-at-a-time order by waiting for one phone to reregister before starting the reset for the next phone. The sequencing of resets prevents possible conflicts between phones trying to access TFTP services simultaneously. There is a reset timeout of 4 minutes, after which the router stops waiting for the currently registering phone to complete registration and starts to reset the next phone.


Command Default

No reset is performed.

Command Modes

Telephony-service configuration (config-telephony)

Command History


Cisco IOS Release    Cisco Product    Modification
12.1(5)YD            Cisco ITS 1.0    This command was introduced.
12.2(8)T             Cisco ITS 2.0    This command was integrated into Cisco IOS Release 12.2(8)T.
12.2(11)YT           Cisco ITS 2.1    The time-interval range maximum was increased from 15 to 60 and the default was changed from 0 to 15.
12.2(11)YT1          Cisco ITS 2.1    The cancel and sequence-all keywords were introduced.
12.2(15)T            Cisco ITS 2.1    This command was integrated into Cisco IOS Release 12.2(15)T.


Usage Guidelines

After you update information for one or more phones associated with a Cisco CME router, the phone or phones must be rebooted using either the reset command or the restart command. The reset command performs a "hard" reboot similar to a power-off-power-on sequence and contacts the Dynamic Host Configuration Protocol (DHCP) server and the TFTP server for updated information as well. The restart command performs a "soft" reboot by simply rebooting the phone without contacting the DHCP and TFTP servers. The reset command takes significantly longer to process than the restart command when you are updating multiple phones, but it must be used after you make changes to phone firmware, user locale, network locale, or URL parameters. For simple button, line, or speed-dial changes, you can use the restart command.

When you use the reset command, the default time interval of 15 seconds is recommended so that phone reset operations are staggered in order to avoid all phones attempting to access router system resources at the same time. A shorter interval may be used on systems with only a small number of phones or for cases where a simple reset of the phones is desired that does not result in the phones downloading updates to the phone firmware (using the router's TFTP service).

When you use the reset sequence-all command, the router waits for one phone to complete its reset and reregister before starting to reset the next phone. The delay provided by this command prevents multiple phones from attempting to access the TFTP server simultaneously and therefore failing to reset properly. Each reset operation can take several minutes when you use this command. There is a reset timeout of 4 minutes, after which the router stops waiting for the currently registering phone to complete registration and starts to reset the next phone.

If the router configuration is changed so that the eXtensible Markup Language (XML) configuration files for the phones are modified (changes are made to user locale, network locale, or phone firmware), then whenever you use the reset all or restart all command, the router automatically executes the reset sequence-all command instead. The reset sequence-all command resets phones one at a time in order to prevent multiple phones from trying to contact the TFTP server simultaneously. This one-at-a-time sequencing can take a long time if there are many phones. To avoid this automatic behavior, use the reset all time-interval or the restart all time-interval with an explicit argument that is not equal to the default 15-second time interval; for example, set a time interval of 14 seconds. If a reset sequence-all command has been started in error, use the reset cancel command to interrupt and cancel the sequence of resets.

The restart command allows the system to perform quick phone resets in which only the button template, line information, and speed-dial information is updated. See the documentation for the restart command for more information.

The no form of this command has an effect only when used with the all or sequence-all keyword, when it interrupts and cancels the sequential resetting of phones.

Examples

The following example resets all IP phones served by the Cisco CME router:

Router(config)# telephony-service
Router(config-telephony)# reset all

The following example resets the Cisco IP phone with the MAC address CFBA.321B.96FA:

Router(config)# telephony-service
Router(config-telephony)# reset CFBA.321B.96FA

The following example resets all IP phones in sequential, not-overlapping order:

Router(config)# telephony-service
Router(config-telephony)# reset sequence-all

Related Commands


Command                        Description
reset (ephone)                 Performs a complete reboot of a single phone associated with a Cisco CME router.
restart (ephone)               Performs a fast reboot of a single phone associated with a Cisco CME router.
restart (telephony-service)    Performs a fast reboot of one or all phones associated with a Cisco CME router.
telephony-service              Enters telephony-service configuration mode.