Configure PIX to use both TACACS and RADIUS for VPN

dlitteer
Level 1
PIX 506E using ver 6.3: Whenever I add the command "crypto map mymap client authentication PARTNERAUTH" it removes the current TACACS+ client authentication. I need to have both until I've finished testing the RADIUS server. Can I add an additional crypto map designation command to accommodate and use both the current TACACS+ (ACS) and RADIUS?

1 Accepted Solution

Accepted Solutions

Hi,

You would need a down time to test it.

Regards,

3 Replies 3

Jagdeep Gambhir
Level 10
Hi,

Unfortunately, what you want to do cannot be done on the PIX. Let's say that you have multiple VPN groups on your firewall, as soon as you apply the following command:

crypto map mymap client authentication partnerauth

where partnerauth can be a RADIUS, TACACS, TACACS+ or an ACS server:

aaa-server partnerauth protocol radius

aaa-server partnerauth (inside) host 172.18.124.196 cisco123

As soon as you use "crypto map mymap client authentication partnerauth" the authentication is applied globally on the crypto map, thus affecting all the VPN groups configured.

You can have multiple VPN groups running on your firewall (dynamic crypto maps) but you need to associate them to a static crypto map (crypto dynamic-map dynmap 10 set transform-set myset).

You can only have 1 crypto map applied to one interface. When you apply this line:

"crypto map mymap client authentication partnerauth"

the authentication is applied to ALL the clients; we cannot separate the extended authentication based on the VPN group or IP address.

Please rate if that helps!

Regards,

~JG
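
An added example, not part of the original posts: a small Python audit that reads PIX-style configuration commands in the order entered and reports which AAA server group each crypto map uses for client authentication, treating a later "client authentication" line as replacing the earlier one, as the question describes. The sample config is constructed; the TACACS+ host address and the <shared-secret> placeholders are assumptions, and the function name audit_xauth is hypothetical.

```python
import re

# Constructed sample: commands in the order entered, using the thread's names.
# 10.0.0.10 and <shared-secret> are placeholders, not values from the thread.
SAMPLE_CONFIG = """\
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 10.0.0.10 <shared-secret>
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host 172.18.124.196 <shared-secret>
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication TACACS+
crypto map mymap client authentication partnerauth
crypto map mymap interface outside
"""

PROTO_RE = re.compile(r"^aaa-server (\S+) protocol (\S+)$")
XAUTH_RE = re.compile(r"^crypto map (\S+) client authentication (\S+)$")
IFACE_RE = re.compile(r"^crypto map (\S+) interface (\S+)$")


def audit_xauth(config):
    """Return (report, replaced): the effective xauth group per crypto map,
    and every earlier binding that a later command overwrote."""
    protocols, bindings, interfaces, replaced = {}, {}, {}, []
    for line in (raw.strip() for raw in config.splitlines()):
        if m := PROTO_RE.match(line):
            protocols[m[1]] = m[2]
        elif m := XAUTH_RE.match(line):
            cmap, group = m[1], m[2]
            # One client-authentication group per crypto map: last one wins.
            if cmap in bindings and bindings[cmap] != group:
                replaced.append((cmap, bindings[cmap], group))
            bindings[cmap] = group
        elif m := IFACE_RE.match(line):
            interfaces[m[1]] = m[2]
    report = [
        {"crypto_map": cmap, "interface": interfaces.get(cmap),
         "xauth_group": group,
         # "undefined" flags a binding to a group with no protocol line.
         "protocol": protocols.get(group, "undefined")}
        for cmap, group in bindings.items()
    ]
    return report, replaced


if __name__ == "__main__":
    report, replaced = audit_xauth(SAMPLE_CONFIG)
    for row in report:
        print(row)
    for cmap, old, new in replaced:
        print(f"{cmap}: client authentication {old} replaced by {new}")
```

Running it against a planned change before a maintenance window shows which group every VPN client on that crypto map will authenticate against afterwards.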

Thank you. I was trying to figure out a way to test RSA/Safeword security tokens using a Microsoft IAS RADIUS server while not affecting the current VPN users who connect through TACACS+.

Hi,

You would need a down time to test it.

Regards,
