AFAIK it's just x-auth. I'm not sure what the 'hybrid' method is, never used it. However, the 'xauth' method is a default parameter in the 'DefaultRAGroup' tunnel-group and tells the ASA to authenticate users via extended auth after group authentication completes. Changing the method to 'none' would log a user in as soon as the group id and PSK match. I suspect that the hybrid method has something to do with xauth based on certificate values; just a guess, however.

Regards,
Buck Wallander

On Mon, Oct 4, 2010 at 7:26 AM, Kingsley Charles <[email protected]> wrote:
> Hi all
>
> I am trying to understand the purpose of *"isakmp ikev1-user-authentication".*
>
> When a tunnel-group is configured for *"isakmp ikev1-user-authentication"*, then the ASA first authenticates itself by presenting a cert and then the client is prompted for username/password.
> Am I right?
>
> As per the guidelines and the O/P, both trustpoint and pre-shared are required for isakmp ikev1-user-authentication. Why is pre-shared key mandatory? Can't cert be used for the ISAKMP authentication
>
> Please clarify.
>
> asa2(config-tunnel-ipsec)# isakmp ikev1-user-authentication hybrid
> ERROR: Add a valid pre-shared key to configure Hybrid Auth.
>
> asa2(config-tunnel-ipsec)# isakmp ikev1-user-authentication hybrid
> ERROR: Add a valid trust point to configure Hybrid Auth.
>
> With regards
> Kings
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
