06-07-2007 10:20 PM
Hello,
I have a working environment with PIX 6.3 and remote VPN clients 4.x.
Authentication and IP assignment are done locally via the following commands:
crypto map outside_map client authentication LOCAL
ip local pool
Now our customer wants to implement Cisco ACS.
Users can authenticate via ACS RADIUS, but how can ACS RADIUS assign an IP address to VPN clients?
Which command must I set up on the PIX, and what is the procedure for ACS RADIUS?
Best regards
Mark
06-08-2007 02:11 AM
Hi Mark,
You need to enable the RADIUS/TACACS+ protocol on your PIX device and then configure the IP address of the host where your ACS is running.
Here are the commands:
PIX(config)#aaa-server
radius
PIX(config)#aaa-server
*keystring is nothing but a password to access the ACS server running at the location x.x.x.x y.y.y.y
Finally, change the client authentication method from LOCAL to RADIUS.
The command to do this is:
PIX(config)#crypto map
After configuring the PIX box, install the ACS at the respective location. ACS will allow you to create user accounts, group users, configure user credentials, etc.; there you will find an option to define the range of IP addresses for the VPN clients.
Once a VPN client is authenticated by the ACS server, it allocates an IP to the client from its configured range.
Please rate all helpful posts.
--Jaffer
06-12-2007 12:08 AM
I configured exactly as you said.
But what about the pool?
a) If I remove this command, no IP address is assigned to the client; I assigned the IP address in the ACS section "client IP address assignment":
vpngroup vgroup1 address-pool vpnpool (vpnpool is defined as a local pool)
b)
vpngroup vgroup1 address-pool ACSpool
If I configure this command, I receive the error
"no local pool configured"
06-12-2007 01:26 AM
Hi,
Those two commands are not necessary.
a) No need to create a pool of IP addresses on the PIX device, since you would have already configured it on the ACS server.
b) It will definitely throw an error because 'ACSpool' is configured on the ACS server and not on the PIX device.
As I mentioned earlier, remove these two commands and check whether VPN client users are authenticated by the ACS server or not.
After successful authentication, ACS will assign an IP address from the pool 'ACSPool'.
If there is a problem in the authentication itself, check the 'aaa-server' configuration commands.
Revert me back if you have any further issues.
--Jaffer
06-12-2007 01:35 AM
Hope you have created usernames/passwords for the VPN users on the ACS server.
--Jaffer
06-13-2007 05:01 AM
I successfully authenticate, but still don't receive an IP address. I tried the following settings on ACS (user or group properties):
-Assign static IP address
-Assigned by AAA client pool
-Assigned from AAA pool
1) config of my PIX
vpngroup SiingVPN default-domain mura.si
vpngroup SiingVPN idle-time 1800
vpngroup SiingVPN password ********
aaa-server ACSMURA protocol radius
aaa-server ACSMURA max-failed-attempts 3
aaa-server ACSMURA deadtime 10
aaa-server ACSMURA (outside) host 84.255.228.142 PIXmuratoACS2007 timeout 10
crypto map outside_map client authentication ACSMURA
2) error on VPN client
2 14:47:38.921 06/13/07 Sev=Warning/2 IKE/0xE3000023
No private IP address was assigned by the peer
3 14:47:38.921 06/13/07 Sev=Warning/2 IKE/0xE300009B
Failed to process ModeCfg Reply (NavigatorTM:175)
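An added illustration, not from this thread and not Cisco's or ACS's own code: a RADIUS server hands the address to the gateway inside the Access-Accept as the IETF Framed-IP-Address attribute (type 8, RFC 2865), and the gateway passes it to the client in the ModeCfg reply. This Python encoder/decoder builds a constructed Access-Accept, verifies the Response Authenticator with the shared secret (the "keystring" above) and reports whether an address was actually returned, which is the first thing to check against a capture of the ACS reply when the client logs "No private IP address was assigned by the peer". The shared secret, authenticator and addresses are constructed sample values, and that PIX 6.3 acts on this attribute is an assumption here.

```python
import hashlib
import ipaddress
import struct

ACCESS_ACCEPT = 2
FRAMED_IP_ADDRESS = 8  # RFC 2865 attribute type 8
FRAMED_IP_NETMASK = 9  # RFC 2865 attribute type 9
NAS_SELECTS_FROM_POOL = "255.255.255.254"  # RFC 2865: NAS should pick from its own pool

def build_access_accept(identifier, request_auth, secret, attrs):
    """Encode an Access-Accept carrying (type, value-bytes) attributes.
    Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body

def parse_access_accept(packet, request_auth, secret):
    """Check the Response Authenticator, then pull out the address attributes.
    Raises ValueError on a malformed packet or a shared-secret mismatch."""
    code, identifier, length = struct.unpack("!BBH", packet[:4]) if len(packet) >= 20 else (0, 0, 0)
    if code != ACCESS_ACCEPT or length != len(packet):
        raise ValueError("not a well-formed Access-Accept (or truncated)")
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    if expected != packet[4:20]:
        raise ValueError("Response Authenticator mismatch (wrong shared secret?)")
    result = {"id": identifier, "framed_ip": None, "netmask": None}
    pos = 20
    while pos < length:
        # Each attribute is Type(1) Length(1) Value; Length covers all three fields.
        alen = packet[pos + 1] if pos + 2 <= length else 0
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length at offset %d" % pos)
        atype, value = packet[pos], packet[pos + 2:pos + alen]
        if atype == FRAMED_IP_ADDRESS and alen == 6:
            result["framed_ip"] = str(ipaddress.IPv4Address(value))
        elif atype == FRAMED_IP_NETMASK and alen == 6:
            result["netmask"] = str(ipaddress.IPv4Address(value))
        pos += alen
    return result

def diagnose(parsed):
    # Relate the parsed attributes to the "No private IP address was assigned" symptom.
    ip = parsed["framed_ip"]
    if ip is None:
        return "no Framed-IP-Address in Access-Accept: nothing for the gateway to hand the client"
    if ip == NAS_SELECTS_FROM_POOL:
        return "Framed-IP-Address 255.255.255.254: gateway must allocate from its own local pool"
    return "server assigned " + ip
```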
10-19-2007 06:08 AM
Marko, my name is Guzmán from Uruguay. I'm having the same problem as you, and I want to know if you could solve it. If so, can you tell me how you resolved the problem?