07-09-2007 05:54 AM - edited 03-10-2019 03:15 PM
PIX 506E using ver 6.3: Whenever I add the command "crypto map mymap client authentication PARTNERAUTH" it removes the current TACACS+ client authentication. I need to have both until I've finished testing the RADIUS server. Can I add an additional crypto map designation command to accommodate and use both the current TACACS+ (ACS) and RADIUS?
07-09-2007 06:14 AM
Hi,
Unfortunately what you want to do cannot be done on the PIX. Let's say that you have multiple VPN groups on your firewall. As soon as you apply the following command:

    crypto map mymap client authentication partnerauth

where partnerauth can be a RADIUS, TACACS, TACACS+ or ACS server:

    aaa-server partnerauth protocol radius
    aaa-server partnerauth (inside) host 172.18.124.196 cisco123

As soon as you use "crypto map mymap client authentication partnerauth", the authentication is applied globally on the crypto map, thus affecting all the VPN groups configured.

You can have multiple VPN groups running on your firewall (dynamic crypto maps), but you need to associate them to a static crypto map (crypto dynamic-map dynmap 10 set transform-set myset).

You can only have one crypto map applied to one interface. When you apply this line:

    crypto map mymap client authentication partnerauth

the authentication is applied to ALL the clients; we cannot separate the extended authentication based on the VPN group or IP address.

Please rate if that helps!
Regards,
~JG
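As an added illustration of the point above (this is not JG's or the original poster's configuration), here is a PIX 6.3 configuration skeleton showing where the single xauth binding sits relative to the AAA server groups, the vpngroups, and the dynamic/static crypto maps. The group tags ACSAUTH and PARTNERAUTH, the vpngroup names, the addresses, the pool and the keys are all constructed placeholders.

```cisco
! Added example, not the poster's config: PIX 6.3 remote-access VPN with the
! one extended-authentication (xauth) binding a crypto map allows.
! All names, addresses and keys below are constructed placeholders.

! Two AAA server groups can coexist in the configuration: one TACACS+ (the
! existing ACS) and one RADIUS (the IAS box under test). Defining both before
! the change window is harmless; a group does nothing until it is referenced.
aaa-server ACSAUTH protocol tacacs+
aaa-server ACSAUTH (inside) host 172.18.124.10 tacacskey123 timeout 5
aaa-server PARTNERAUTH protocol radius
aaa-server PARTNERAUTH (inside) host 172.18.124.196 cisco123 timeout 5

! One vpngroup per client community. Groups select pool and policy, not xauth.
ip local pool vpnpool 192.168.100.1-192.168.100.50
vpngroup staff address-pool vpnpool
vpngroup staff password ********
vpngroup partners address-pool vpnpool
vpngroup partners password ********

! Dynamic map for the clients, tied into the one static map on the interface.
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond

! The xauth binding is a property of the map as a whole, so there is exactly
! one of these lines and every vpngroup on mymap authenticates against it.
! Current state (TACACS+ via ACS):
crypto map mymap client authentication ACSAUTH

! Cut-over, inside the maintenance window: entering the RADIUS line replaces
! the TACACS+ binding rather than adding a second one. Confirm with
! "show crypto map" that only PARTNERAUTH is listed; roll back by
! re-entering the ACSAUTH line.
! crypto map mymap client authentication PARTNERAUTH

crypto map mymap interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
```

The practical consequence for the migration described in the thread is that the AAA groups, vpngroups and maps can all be staged in advance with no user impact; the only disruptive step is the one-line swap of the client authentication binding, which is also the only line that needs to be reverted if the RADIUS test fails.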
07-09-2007 06:34 AM
Thank you. I was trying to figure out a way to test RSA/SafeWord security tokens using a Microsoft IAS RADIUS server while not affecting the current VPN users who connect through TACACS+.
07-09-2007 09:59 AM
Hi,
You would need downtime to test it.
Regards,