Max number of local AAA users on PIX 7.2?

Answered Question
Apr 5th, 2007
I know that this is a bad idea, but I have a customer that wants upwards of 200+ users put in the config of his PIX for use with VPN. What the customer wants, the customer gets... Unless, is that even possible? I can't find anything to tell me the max number of local users you can have.


Does anyone know what the max number of local users is for a PIX 515e running 7.2?


Thanks!

Correct Answer by srue, Sat, 04/07/2007 - 08:06

Here is the PIX 7.2 configuration (relevant portion only). To configure IAS, google something like "IAS radius cisco".


The dollar sign ($) indicates variable names/fields (user-defined names).


access-list $splittunnel_acl extended permit ip $local_network $vpn_dhcp_network
ip local pool vpn-pool $start_ip-$end_ip
!
aaa-server RADIUSVPN protocol radius
aaa-server RADIUSVPN host $192.168.x.y
 timeout 5
 key $shared_radius_key
! backup IAS server
aaa-server RADIUSVPN host $192.168.x.z
 timeout 5
 key $shared_radius_key
!
group-policy $group_name internal
group-policy $group_name attributes
 wins-server value $192.168.x.x
 dns-server value $192.168.x.x $192.168.x.y
 vpn-idle-timeout 1440
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value $splittunnel_acl
 default-domain value $local_domain
 backup-servers $backup_vpn_server
!
crypto ipsec transform-set $transform_name esp-3des esp-sha-hmac
crypto dynamic-map $DYN_MAPNAME 10 set transform-set $transform_name
crypto map VPN 25 ipsec-isakmp dynamic $DYN_MAPNAME
crypto map VPN interface outside
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group (outside) RADIUS
tunnel-group $group_name type ipsec-ra
tunnel-group $group_name general-attributes
 address-pool vpn-pool
 authentication-server-group RADIUSVPN
 default-group-policy $group_name
tunnel-group $group_name ipsec-attributes
 pre-shared-key $psk


----------------

If you have regular crypto tunnels defined, place the dynamic map entry after those; otherwise strange things happen.

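The aaa-server lines above (with `key $shared_radius_key`) are the leg that carries each user's xauth credentials from the PIX to IAS. This added example, which is not code from the thread or from Cisco, shows in Python what that exchange looks like on the wire under RFC 2865 (PAP): the User-Password attribute is hidden with MD5 over the shared key and a random Request Authenticator, and the client must check the Response Authenticator before trusting an Access-Accept. The username, password and key are constructed placeholders.

```python
# Added example, not from the thread: the PIX-to-IAS RADIUS leg (RFC 2865, PAP).
# User-Password is hidden with MD5(shared key + Request Authenticator); the reply
# carries a Response Authenticator the client must verify. All values constructed.
import hashlib
import os
import struct

SHARED_KEY = b"shared_radius_key"  # stands in for "key $shared_radius_key"

def encode_password(pw, key, req_auth):
    """RFC 2865 5.2: XOR 16-byte blocks with a chained MD5 keystream."""
    pw = pw.ljust((len(pw) + 15) // 16 * 16, b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(pw), 16):
        ks = hashlib.md5(key + prev).digest()  # block i keystream, chained on prev
        prev = bytes(x ^ y for x, y in zip(pw[i:i + 16], ks))
        out += prev
    return out

def decode_password(enc, key, req_auth):
    out, prev = b"", req_auth
    for i in range(0, len(enc), 16):
        ks = hashlib.md5(key + prev).digest()
        out += bytes(x ^ y for x, y in zip(enc[i:i + 16], ks))
        prev = enc[i:i + 16]
    return out.rstrip(b"\x00")

def attr(t, v):
    return struct.pack("!BB", t, len(v) + 2) + v  # Type, Length, Value

def access_request(user, pw, key, ident=1):
    """Client (PIX) side: a fresh random Request Authenticator per request."""
    req_auth = os.urandom(16)
    attrs = attr(1, user) + attr(2, encode_password(pw, key, req_auth))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth + attrs, req_auth

def server_reply(req, key, users):
    """Server (IAS) side: 2 = Access-Accept, 3 = Access-Reject, no attributes."""
    ident, req_auth, rest, got = req[1], req[4:20], req[20:], {}
    while len(rest) >= 2 and rest[1] >= 2:  # stop on malformed attribute length
        got[rest[0]], rest = rest[2:rest[1]], rest[rest[1]:]
    ok = users.get(got.get(1)) == decode_password(got.get(2, b""), key, req_auth)
    body = struct.pack("!BBH", 2 if ok else 3, ident, 20)
    return body + hashlib.md5(body + req_auth + key).digest()

def verify_reply(reply, req_auth, key):
    """Client side: Response Authenticator = MD5(Code+ID+Len+ReqAuth+Attrs+key)."""
    return reply[4:20] == hashlib.md5(reply[:4] + req_auth + reply[20:] + key).digest()
```

A reply that fails verify_reply (for example, one built with a different shared key) is discarded, which is why the key on both aaa-server host lines must match what IAS holds for that client.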
David White Thu, 04/05/2007 - 07:26
User Badges:
  • Cisco Employee,

Hi Paul,


There is no software-imposed limit on the number of users in the local database. So, in essence, you are limited by the config size (and available space on flash to store the config).


But, we have not tested performance with very large local user databases. However, 200 users should be just fine.


Sincerely,


David.

srue Thu, 04/05/2007 - 09:40
User Badges:
  • Blue, 1500 points or more

Sounds like the customer wants an administrative nightmare (:


I set up AAA/RADIUS authentication for VPN users using Microsoft's free IAS (internet authentication server). This way, remote users can use their domain login information to do xauth w/ the VPN client, and when they leave the company, removing/disabling their AD account disables their VPN access. I've set this up successfully on both the VPN concentrator and PIX 6.3/7.x if you're interested.

paulhignutt Thu, 04/05/2007 - 10:29

I'm not sure they want to tie it into AD; that's the problem. However, I would like to see an example config if you wouldn't mind sharing it. My email is phignutt @ hotmail dot com


Thanks

