Configure PIX to use both TACACS and RADIUS for VPN

Answered Question
Jul 9th, 2007

PIX 506E using ver 6.3: Whenever I add the command "crypto map mymap client authentication PARTNERAUTH" it removes the current TACACS+ client authentication. I need to have both until I've finished testing the RADIUS server. Can I add an additional crypto map designation command to accommodate and use both the current TACACS+ (ACS) and RADIUS?

Correct Answer by Jagdeep Gambhir about 9 years 5 months ago

Hi,

You would need a down time to test it.

Regards,

Jagdeep Gambhir Mon, 07/09/2007 - 06:14

Hi,

Unfortunately what you want to do cannot be done on the PIX. Let's say that you have multiple VPN groups on your firewall; as soon as you apply the following command:

crypto map mymap client authentication partnerauth

where partnerauth can be a RADIUS, TACACS, TACACS+ or an ACS server:

aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host 172.18.124.196 cisco123

As soon as you use "crypto map mymap client authentication partnerauth", the authentication is applied globally on the crypto map, thus affecting all the VPN groups configured.

You can have multiple VPN groups running on your firewall (dynamic crypto maps), but you need to associate them to a static crypto map (crypto dynamic-map dynmap 10 set transform-set myset).

You can only have one crypto map applied to one interface. When you apply this line:

"crypto map mymap client authentication partnerauth"

the authentication is applied to ALL the clients; we cannot separate the extended authentication based on the VPN group or IP address.

Please rate if that helps!

Regards,

~JG
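As an added illustration of the behaviour described in the answer above (this is not configuration from the original thread or from Cisco), here is a minimal PIX 6.3 configuration with two VPN groups hanging off one static crypto map, both AAA server groups defined side by side, and the single client authentication line that decides where every Xauth request goes. Only the partnerauth group and its RADIUS host 172.18.124.196 come from the thread; the TACACS+ server group name, its host 10.1.1.5 and key, the address pool, the group names staff and partners, and their passwords are assumed placeholders. Comment lines are prefixed with ":" as in a saved PIX 6.x configuration.

```text
: --- AAA server groups: both may be defined at the same time ---
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 10.1.1.5 tacacskey timeout 5
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host 172.18.124.196 cisco123 timeout 5

: --- Address pool and two VPN groups (placeholder group passwords) ---
ip local pool vpnpool 192.168.100.1-192.168.100.50
vpngroup staff address-pool vpnpool
vpngroup staff idle-time 1800
vpngroup staff password staffkey
vpngroup partners address-pool vpnpool
vpngroup partners idle-time 1800
vpngroup partners password partnerkey

: --- One dynamic map, bound into the single static map on the interface ---
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond

: Xauth is a property of the crypto map, not of a vpngroup. Exactly one
: server group can be named here, and it is used for every client that
: lands on mymap, whichever vpngroup it belongs to.
crypto map mymap client authentication partnerauth

: Entering the line again with the other group name replaces the previous
: one rather than adding a second server group (the behaviour the
: question reports):
: crypto map mymap client authentication TACACS+

crypto map mymap interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
sysopt connection permit-ipsec
```

Because only one crypto map can be applied to the outside interface and the authentication line belongs to that map, staff and partners are authenticated against the same server group. Switching the line to partnerauth for a RADIUS test moves every existing TACACS+ user with it, which is why the accepted answer calls for a maintenance window rather than a parallel configuration.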

dlitteer Mon, 07/09/2007 - 06:34

Thank you. I was trying to figure out a way to test RSA/Safeword security tokens using a Microsoft IAS Radius server while not affecting the current vpn users who connect through TACACS+
