Tacack, "none" disables xauth. With respect to the CCIE lab, we do use "*isakmp ikev1-user-authentication none*". When we configure an ASA EzVPN server for per-user AAA download, we configure "*isakmp ikev1-user-authentication none*", which disables xauth, and then configure "authorization-server-group" and "username-from-certificate" in the general settings.

With this the remote client is not prompted for username/password. The parameter configured in "username-from-certificate" is used for authentication which is sent to the RADIUS server.

With regards
Kings

On Tue, Oct 5, 2010 at 11:17 AM, Vybhav Ramachandran <[email protected]> wrote:

> Hello Kings,
>
> Thanks for the link. This has been my understanding till date. I think it's
> wrong, but here I go anyways:
>
> - *xauth* -> Here, after the IKE Phase 1 exchange and after the
>   proposal has been accepted, the ASA prompts the user for entering a
>   username and a password for the xauth process.
> - *none* -> Here, the ASA doesn't prompt the user for xauth but
>   instead looks into the user's certificate to fetch the credentials which
>   can act as the xauth username/password.
> - *hybrid* -> No clue, but looks like the ASA follows both option 1 and
>   2?
>
> Cheers,
> TacACK
