vpn authentication and authorization using pix 7.2 and acs

Mar 10th, 2007

Hi, I am using a PIX 7.2 and ACS 3.2. I want to perform remote access VPN authentication and authorization through AAA using RADIUS. I am able to use it when I am using a local group policy on the PIX, but I am not able to do it using ACS. I was trying to use cisco-avpair to send the parameters but it's not happening. Somebody please tell me the steps to proceed.

Vivek Santuka Sat, 03/10/2007 - 05:48

What attributes are you trying to push?

Does the AAA server get any hits when trying to authenticate?

diptanshusingh Sat, 03/10/2007 - 05:52

Hi Vivek, I am successfully able to authenticate through ACS, and clients are also getting the IP address from the ACS IP pool defined. The problem is I was trying to push mode-config attributes like ipsec:firewall=0, ipsec:pfs=1 etc. through cisco-avpair RADIUS attributes, but it's not happening.

diptanshusingh Sat, 03/10/2007 - 06:03

Hi, below is the desired config related to AAA on the PIX:

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal 20
access-list nonat extended permit ip
nat (inside) 0 access-list nonat
aaa-server Radius protocol radius
aaa-server Radius (inside) host
 key xxxxxx
tunnel-group ciscovpn type ipsec-ra
tunnel-group ciscovpn general-attributes
 authentication-server-group Radius
 authentication-server-group (inside) Radius
 authorization-server-group Radius
tunnel-group ciscovpn ipsec-attributes
 pre-shared-key *

diptanshusingh Sat, 03/10/2007 - 06:46

Hi Vivek, I had also tried that. I had made one external group with the name guest_group and a password of guest, and I mapped it into my tunnel-group. Now in ACS the VPN users belong to guest_group only, and in that I defined these cisco av-pair attributes:

vpngroup Password = "guest", Service-Type = Outbound


Vivek Santuka Sat, 03/10/2007 - 07:04

You would need to push attributes like client firewall, split tunneling policy etc. using the attributes available under RADIUS (Cisco VPN 3000/ASA/PIX 7.x+).

You can find all attributes under Interface Configuration -> RADIUS (Cisco VPN 3000/ASA/PIX 7.x+).

So instead of using cisco av-pair (026/009/001) you need to use predefined attributes like 026/3076/001.


diptanshusingh Sat, 03/10/2007 - 07:06

Yeah, thanks for your reply. I found in the guide that for older versions of ACS other than 4.0, we have to push the VPN concentrator attributes; this is not applied for ACS 4.0.

loverprince Mon, 03/12/2007 - 00:12

I am facing almost the same problem.

I need to authenticate my remote clients to the ASA through ACS.

Remote VPN is working fine using the local username, but authentication through ACS is not working for me.

I have added my ASA as an AAA client in the ACS.

And my config on the ASA:

aaa-server vpn protocol tacacs+
aaa-server vpn host x.x.x.x
 key ****
tunnel-group RemoteTunnel general-attributes
 authentication-server-group (inside) Radius
 authorization-server-group Radius

Any ideas?

diptanshusingh Mon, 03/12/2007 - 01:25

Hi, you have to attach an external group policy to the tunnel-group for doing the external ACS authentication, and the group name should be the username on the ACS, because ACS sees it as a username that is being authenticated.

Vivek Santuka Mon, 03/12/2007 - 06:10

External authentication does not require an external group. An external group is required when you want to push group policies from the RADIUS server.

We can have an internal group forward the auth request to the RADIUS server.

You need to change your config as follows:

aaa-server vpn protocol radius
aaa-server vpn host x.x.x.x
tunnel-group RemoteTunnel general-attributes
 authentication-server-group vpn

Make sure that you have added the ASA as an AAA client in ACS and set it to authenticate using RADIUS.

diptanshusingh Mon, 03/12/2007 - 21:16

Yeah, he is right. For external authentication we only need to attach the AAA server to the tunnel-group. If we want to push some attributes to the client then we need to do the above. Sorry, I thought that you wanted to have authorization also.
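The two cases the thread distinguishes, side by side, as an added example rather than any participant's own config: the first fragment only forwards authentication to ACS and keeps the group policy local; the second also binds an external group policy so the RADIUS (Cisco VPN 3000/ASA/PIX 7.x+) attributes defined on ACS are applied to the client. The names RemoteTunnel, vpn, guest_group and the password guest come from the thread; x.x.x.x, the shared secret and the inside interface are placeholders/assumptions.

```text
! --- Case 1: authentication only. Firewall, PFS, split-tunnel etc. still come from
! the group policy configured locally on the PIX/ASA (DfltGrpPolicy or default-group-policy).
aaa-server vpn protocol radius
aaa-server vpn (inside) host x.x.x.x
 key <radius-shared-secret>
tunnel-group RemoteTunnel general-attributes
 authentication-server-group vpn

! --- Case 2: authentication plus attributes pushed from ACS.
! On ACS: add the ASA as an AAA client (RADIUS), create a user named exactly like the
! external group policy ("guest_group") with password "guest", and put the VPN settings
! on it under RADIUS (Cisco VPN 3000/ASA/PIX 7.x+), e.g. 026/3076/xxx, not under
! cisco-av-pair (026/009/001).
aaa-server vpn protocol radius
aaa-server vpn (inside) host x.x.x.x
 key <radius-shared-secret>
group-policy guest_group external server-group vpn password guest
tunnel-group RemoteTunnel general-attributes
 authentication-server-group vpn
 authorization-server-group vpn
 default-group-policy guest_group
```

Use "debug radius" and "show vpn-sessiondb remote" on the PIX/ASA (and the Passed/Failed Attempts reports in ACS) to confirm that the group lookup for guest_group and the user authentication both reach the server.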

dpatkins Fri, 03/16/2007 - 07:59

Please go on about the authorization on the PIX. I have an ACS group DEB that I mapped to an NT group DEB. I can authenticate to a PIX through VPN if I am assigned that NT group, but I can also authenticate if I am not part of the DEB group using the same DEB.pcf. I was hoping that the group mapping would be my solution, but that is not the case.

Elaborate a tad on the authorization setup on a PIX please.

Thank you

Vivek Santuka Fri, 03/16/2007 - 08:19

Group mapping would really not be the answer for your problem.

What you will have to do is configure NARs on all groups of ACS which do not need access to the PIX. On the NAR, deny access to the PIX.

dpatkins Fri, 03/16/2007 - 08:22

And setting up the NAR will allow me to use group mapping as well?

I am told that dynamic ACLs are the way I need to go, because if the person who is not in the NT group logs into the VPN and is part of the default group, then they will be authenticated to the PIX.

I think group mapping via NT and ACS is hosed and authorization in RADIUS is not working as described.


Vivek Santuka Fri, 03/16/2007 - 08:34


Dynamic ACLs will allow the user to get in, but at most you can stop him from going anywhere after logging in.

A NAR will deny the user access to the VPN altogether.

ACS is working as designed. We need to configure authorization as required, and that is what you can do using ACLs or NARs.