In article , Al wrote:
:I would like to know if there is a way to authenticate users who try to
:access a VPN tunnel using local usernames (no RADIUS). What I am trying
:to accomplish: remote office with PIX, there is a VPN tunnel to
:central office, all users are allowed to connect to internet and only
:ones that should can access VPN tunnel.
Not that I can think of. RADIUS or TACACS+ would allow you to use different ACLs for different users, but there is nothing in the local user database for attaching attributes, and there is no mechanism associated with VPN tunnels for transferring local username information over the tunnel to be checked at the other end.
I gather that the authorized users either do not have fixed IPs, or sometimes have to access from alternate internal locations -- or perhaps that you trust the PIX local-username authentication mechanism more than you trust the other users not to spoof an IP address? [The local-username mechanism uses cleartext unless you are using the new https authentication, so local usernames are vulnerable to all the regular sniffing techniques.]