Friday, January 29, 2010

Saving Your Password in the Cisco VPN Client

It has always been frustrating to have to log in to the VPN with a password every time I have to connect to a client site to check something. Here is how to enable your client to save the password locally on your computer.

First, we need to enable the option on the router or ASA.
  1. Connect to the device
  2. Check your VPN group name if necessary by doing a 'show run | include crypto isakmp client configuration group'. You should see 'crypto isakmp client configuration group <YourVPNGroup>'.
  3. Enter config mode
  4. Enter ISAKMP group configuration mode for the appropriate isakmp group by typing 'crypto isakmp client configuration group <YourVPNGroup>'
  5. Add the command 'save-password'
  6. Example:
    rtr#config t
    rtr(config)#crypto isakmp client configuration group MyVPNGroup
    rtr(config-isakmp-group)# save-password
    rtr(config-isakmp-group)#end
Now connect your VPN client to the device, inputting your username and password as normal. The device should automatically push the privilege to save the password to your VPN client software once you are successfully connected.

Now disconnect the session. Wait a few seconds and reconnect. You should now see the Save Password checkbox in the VPN connection window. Check this box. Input your password for the last time and hit connect.

Your password should now be saved in your VPN client settings, and you should no longer need to input it when connecting to this device. Verify that this is working by disconnecting and reconnecting one more time. Then save the config with a 'wr mem' if everything looks good.

A Show Run should show you something like this now for your VPN group. Note that the save-password option is there now.
    crypto isakmp client configuration group <YourVPNGroup>
     key
     dns
     save-password pool
     acl
     save-password
     include-local-lan
     max-users 5
     netmask 255.255.255.0
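
Because this setting lets every client in the group keep its Xauth password on disk, it is worth knowing which groups have it turned on. The following added example (not from the original post or from Cisco) parses a saved running-config and reports, per ISAKMP client configuration group, whether save-password is set. The sample config and function names are constructed for illustration, and the parser assumes IOS's usual leading-space indentation of sub-commands.

```python
import re

# Constructed sample running-config (not taken from a real device).
SAMPLE_CONFIG = """\
hostname rtr
!
crypto isakmp client configuration group MyVPNGroup
 key EXAMPLE-KEY
 pool VPNPOOL
 save-password
 max-users 5
!
crypto isakmp client configuration group Contractors
 key EXAMPLE-KEY-2
 pool VPNPOOL2
!
interface GigabitEthernet0/0
 description save-password is only text here
"""

GROUP_RE = re.compile(r"^crypto isakmp client configuration group (\S+)\s*$")


def audit_save_password(config_text):
    """Return {group_name: bool} for every ISAKMP client configuration group."""
    results = {}
    current = None  # group whose block we are currently inside, if any
    for line in config_text.splitlines():
        match = GROUP_RE.match(line)
        if match:
            current = match.group(1)
            results[current] = False
        elif line[:1].isspace():
            # Indented line: a sub-command of the current top-level section.
            if current is not None and line.strip() == "save-password":
                results[current] = True
        else:
            # Any non-indented line ("!", "interface ...", blank) ends the block.
            current = None
    return results


def groups_allowing_saved_passwords(config_text):
    """Sorted list of group names that push the Save-Password attribute."""
    return sorted(g for g, on in audit_save_password(config_text).items() if on)


if __name__ == "__main__":
    for group, enabled in audit_save_password(SAMPLE_CONFIG).items():
        print(f"{group}: save-password {'ENABLED' if enabled else 'not set'}")
```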


Cisco Documentation

save-password


To save your extended authentication (Xauth) password locally on your PC, use the save-password command in Internet Security Association Key Management Protocol (ISAKMP) group configuration mode. To disable the Save-Password attribute, use the no form of this command.

save-password

no save-password

Syntax Description

This command has no arguments or keywords.

Defaults

Your Xauth password is not saved locally on your PC, and the Save-Password attribute is not added to the server group profile.

Command Modes

ISAKMP group configuration

Command History


Release      Modification
12.3(2)T     This command was introduced.


Usage Guidelines

Save password control allows you to save your Xauth password locally on your PC so that after you have initially entered the password, the Save-Password attribute is pushed from the server to the client. On subsequent authentications, you can activate the password by using the tick box on the software client or by adding the username and password to the Cisco IOS hardware client profile. The password setting remains until the Save-Password attribute is removed from the server group profile. After the password has been activated, the username and password are sent automatically to the server during Xauth without your intervention.

The save-password option is useful only if your password is static, that is, if it is not a one-time password such as one that is generated by a token.

The Save-Password attribute is configured on a Cisco IOS router or in the RADIUS profile.

To configure save password control, use the save-password command.

An example of an attribute-value (AV) pair for the Save-Password attribute is as follows:

ipsec:save-password=1



You must enable the crypto isakmp client configuration group command, which specifies group policy information that has to be defined or changed, before enabling the save-password command.


Note: The Save-Password attribute can be applied only by a RADIUS user.

The attribute can be applied on a per-user basis after the user has been authenticated.

The attribute can override any similar group attributes.

User-based attributes are available only if RADIUS is used as the database.


Examples

The following example shows that the Save-Password attribute has been configured:

crypto isakmp client configuration group cisco
 save-password

Related Commands


Command                                     Description
acl                                         Configures split tunneling.
crypto isakmp client configuration group    Specifies the DNS domain to which a group belongs.
