First, we need to enable the option on the router or ASA.
- Connect to the device
- Check your VPN group name if necessary by doing a 'show run | include crypto isakmp client configuration group'. You should see 'crypto isakmp client configuration group <YourVPNGroup>'.
- Enter config mode
- Enter ISAKMP group configuration mode for the appropriate isakmp group by typing 'crypto isakmp client configuration group <YourVPNGroup>'
- Add the command 'save-password'
- Example:
rtr#config t
rtr(config)#crypto isakmp client configuration group MyVPNGroup
rtr(config-isakmp-group)# save-password
rtr(config-isakmp-group)#end
Now disconnect the session. Wait a few seconds and reconnect. You should now see the Save Password checkbox in the VPN connection window. Check this box. Input your password for the last time and hit connect.
Your password should now be saved in your VPN client settings and you should no longer need to input it when connecting to this device. Verify that this is working by disconnecting and reconnecting one more time. Then save the config with a 'wr mem' if everything looks good.
A 'show run' should now show you something like this for your VPN group. Note that the save-password option is there now.
crypto isakmp client configuration group <YourVPNGroup>
key
dns
acl
save-password
include-local-lan
max-users 5
netmask 255.255.255.0
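To review which groups let clients store the Xauth password, a saved running config can be checked offline. The following is an added example, not part of the original post or Cisco's documentation; the sample config, its group names and its values are constructed, and it assumes sub-commands are indented under the group line as in real 'show run' output.

```python
import re

# Constructed sample running-config (not from a real device).
SAMPLE_CONFIG = """\
hostname rtr
!
crypto isakmp client configuration group MyVPNGroup
 key EXAMPLE-KEY
 dns 192.0.2.53
 acl 101
 save-password
 include-local-lan
 max-users 5
 netmask 255.255.255.0
crypto isakmp client configuration group Contractors
 key EXAMPLE-KEY-2
 acl 102
 no save-password
!
interface GigabitEthernet0/0
 description save-password is not a group setting here
"""

GROUP_RE = re.compile(r"^crypto isakmp client configuration group (\S+)\s*$")


def groups_with_save_password(config_text):
    """Return {group_name: bool} for every ISAKMP client group in the config."""
    result = {}
    current = None  # group whose sub-mode we are currently inside
    for line in config_text.splitlines():
        m = GROUP_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = False
        elif current is not None and line[:1] in (" ", "\t"):
            # Exact match only: 'no save-password' and descriptions do not count.
            if line.strip() == "save-password":
                result[current] = True
        else:
            current = None  # unindented line: we left the group's sub-mode
    return result


if __name__ == "__main__":
    for name, enabled in groups_with_save_password(SAMPLE_CONFIG).items():
        print(f"{name}: save-password {'ENABLED' if enabled else 'not set'}")
```

Per-user RADIUS attributes such as ipsec:save-password=1 do not appear in the router config, so they need a separate check on the RADIUS side.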
Cisco Documentation
save-password
To save your extended authentication (Xauth) password locally on your PC, use the save-password command in Internet Security Association Key Management Protocol (ISAKMP) group configuration mode. To disable the Save-Password attribute, use the no form of this command.
save-password
no save-password
Syntax Description
This command has no arguments or keywords.
Defaults
Your Xauth password is not saved locally on your PC, and the Save-Password attribute is not added to the server group profile.
Command Modes
ISAKMP group configuration
Command History
Usage Guidelines
Save password control allows you to save your Xauth password locally on your PC so that after you have initially entered the password, the Save-Password attribute is pushed from the server to the client. On subsequent authentications, you can activate the password by using the tick box on the software client or by adding the username and password to the Cisco IOS hardware client profile. The password setting remains until the Save-Password attribute is removed from the server group profile. After the password has been activated, the username and password are sent automatically to the server during Xauth without your intervention.
The save-password option is useful only if your password is static, that is, if it is not a one-time password such as one that is generated by a token.
The Save-Password attribute is configured on a Cisco IOS router or in the RADIUS profile.
To configure save password control, use the save-password command.
An example of an attribute-value (AV) pair for the Save-Password attribute is as follows:
ipsec:save-password=1
You must enable the crypto isakmp client configuration group command, which specifies group policy information that has to be defined or changed, before enabling the save-password command.
Note:
- The Save-Password attribute can be applied only by a RADIUS user.
- The attribute can be applied on a per-user basis after the user has been authenticated.
- The attribute can override any similar group attributes.
- User-based attributes are available only if RADIUS is used as the database.
Examples
The following example shows that the Save-Password attribute has been configured:
crypto isakmp client configuration group cisco
save-password
Related Commands
Command | Description |
---|---|
acl | Configures split tunneling. |
crypto isakmp client configuration group | Specifies the DNS domain to which a group belongs. |