If you look at the following info, it seems that initially the ASA itself authenticates using PKI and establishes a unidirectional SA, which is then used to authenticate the remote client using one of the XAUTH methods.

Snippet from http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/i3_72.html#wp1731892

You use this command when you need to use digital certificates for security appliance authentication and a different, legacy method for remote VPN user authentication, such as RADIUS, TACACS+ or SecurID. This command breaks phase 1 of IKE down into the following two steps, together called hybrid authentication:

1. The security appliance authenticates to the remote VPN user with standard public key techniques. This establishes an IKE security association that is unidirectionally authenticated.

2. An XAUTH exchange then authenticates the remote VPN user. This extended authentication can use one of the supported legacy authentication methods.

With regards
Kings

On Mon, Oct 4, 2010 at 9:12 PM, Buck Wallander <[email protected]> wrote:

> AFAIK it's just x-auth. I'm not sure what the 'hybrid' method is, never
> used it. However the 'xauth' method is a default parameter in the
> 'DefaultRAGroup' tunnel-group and tells the ASA to authenticate users via
> extended auth after group authentication completes. Changing the method to
> 'none' would log a user in as soon as the group id and PSK match.
> I suspect that the hybrid method has something to do with xauth based on
> certificate values, just a guess however.
>
> Regards,
> Buck Wallander
>
> On Mon, Oct 4, 2010 at 7:26 AM, Kingsley Charles <[email protected]> wrote:
>
>> Hi all
>>
>> I am trying to understand the purpose of "isakmp ikev1-user-authentication".
>>
>> When a tunnel-group is configured for "isakmp ikev1-user-authentication",
>> then the ASA first authenticates itself by presenting a cert and then
>> the client is prompted for username/password.
>> Am I right?
>>
>> As per the guidelines and the O/P, both trustpoint and pre-shared are
>> required for isakmp ikev1-user-authentication. Why is pre-shared key
>> mandatory? Can't cert be used for the ISAKMP authentication?
>>
>> Please clarify.
>>
>> asa2(config-tunnel-ipsec)# isakmp ikev1-user-authentication hybrid
>> ERROR: Add a valid pre-shared key to configure Hybrid Auth.
>>
>> asa2(config-tunnel-ipsec)# isakmp ikev1-user-authentication hybrid
>> ERROR: Add a valid trust point to configure Hybrid Auth.
>>
>> With regards
>> Kings
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
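An ASA tunnel-group configuration that satisfies both of the error messages quoted above, added here as an example and not taken from the thread or from Cisco's documentation; the group name RA-HYBRID, the AAA server group RADIUS-SRV, the trustpoint ASA-TP, the RADIUS host address and the key values are placeholders, and the trustpoint enrollment, ISAKMP policy and crypto map are assumed to be configured already.

```cisco
! Assumed to exist already (not shown): a trustpoint ASA-TP enrolled with the
! ASA's identity certificate, an ISAKMP policy, and a crypto map bound to the
! outside interface. All names, addresses and keys below are placeholders.

! AAA server group used for the XAUTH (step 2) user authentication
aaa-server RADIUS-SRV protocol radius
aaa-server RADIUS-SRV (inside) host 10.0.0.5
 key <radius-shared-secret>

tunnel-group RA-HYBRID type remote-access
tunnel-group RA-HYBRID general-attributes
 ! XAUTH username/password prompts are checked against RADIUS-SRV
 authentication-server-group RADIUS-SRV
tunnel-group RA-HYBRID ipsec-attributes
 ! Both lines below are required: without the pre-shared key the hybrid
 ! command fails with "Add a valid pre-shared key", without the trustpoint
 ! it fails with "Add a valid trust point".
 pre-shared-key <group-psk>
 trust-point ASA-TP
 ! Step 1: the ASA authenticates to the client with the ASA-TP certificate
 ! Step 2: the client user is authenticated by XAUTH against RADIUS-SRV
 isakmp ikev1-user-authentication hybrid

! Weaker setting mentioned in the thread: with "none" there is no per-user
! credential check, so a peer is admitted as soon as the group ID and PSK
! match. Shown commented out for comparison only.
! isakmp ikev1-user-authentication none
```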
