One VPN group to use radius

Unanswered Question
Jul 17th, 2008

HELP ME!!

I going mad with this one.

I have 2 dynamic vpn's ( for clients )

I cannot get one of the vpngroups to use radius for authentication.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 3 (2 ratings)
Loading.
richard.gosling Thu, 07/17/2008 - 08:54

Here is the config how do I get HAWRADIUS to use Radius

test-pix-gw# sh run

access-list outside_cryptomap_dyn_121 permit ip any 192.168.7.0 255.255.255.0

access-list outside_cryptomap_dyn_141 permit ip any 192.168.6.0 255.255.255.0

access-list outside_cryptomap_dyn_161 permit ip any 192.168.7.0 255.255.255.0

aaa-server radius-authport 1812

aaa-server radius-acctport 1813

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

aaa-server HAWRADIUS protocol radius

aaa-server HAWRADIUS max-failed-attempts 3

aaa-server HAWRADIUS deadtime 10

aaa-server HAWRADIUS (inside) host *.*.*.* cisco timeout 5

aaa authentication ssh console LOCAL

sysopt connection permit-ipsec

sysopt connection permit-pptp

crypto ipsec transform-set pix esp-des esp-md5-hmac

crypto dynamic-map dyn-pix 101 set transform-set pix

crypto dynamic-map dyn-pix 121 match address outside_cryptomap_dyn_121

crypto dynamic-map dyn-pix 121 set transform-set pix

crypto dynamic-map dyn-pix 141 match address outside_cryptomap_dyn_141

crypto dynamic-map dyn-pix 141 set transform-set pix

isakmp enable outside

isakmp identity address

isakmp keepalive 10

isakmp nat-traversal 20

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

vpngroup homeclient address-pool vpnpool

vpngroup homeclient dns-server *.*.*.*

vpngroup homeclient wins-server *.*.*.*

vpngroup homeclient default-domain

vpngroup homeclient split-tunnel 101

vpngroup homeclient idle-time 1800

vpngroup homeclient password ********

vpngroup ThirdParty address-pool vpnpool2

vpngroup ThirdParty dns-server *.*.*.*

vpngroup ThirdParty wins-server *.*.*.*

vpngroup ThirdParty default-domain

vpngroup ThirdParty split-tunnel 101

vpngroup ThirdParty idle-time 1800

vpngroup ThirdParty password ********

vpngroup HAWRADIUS address-pool vpnpool

vpngroup HAWRADIUS dns-server *.*.*.*

vpngroup HAWRADIUS wins-server *.*.*.*

vpngroup HAWRADIUS default-domain

vpngroup HAWRADIUS split-tunnel 101

vpngroup HAWRADIUS idle-time 1800

vpngroup HAWRADIUS authentication-server HAWRADIUS

vpngroup HAWRADIUS password ********

Daniel Voicu Thu, 07/17/2008 - 09:13

There's one command:

crypto map dyn-pix client authentication HAWRADIUS

However, this might require ALL groups to authenticate using Radius.

Anyway, to check the Radius messages:

debug aaa events

debug aaa packets

debug aaa authentication

Please rate if this helped.

Regards,

Daniel

srue Thu, 07/17/2008 - 09:22

i was thinking the 'no xauth' command was for this, but that's for site2site vpn's when used with remote access vpns on the same device/interface.

i'm not sure there's a way to do this on 6.3. i'm pretty sure this is easily doable on 7.x and later though using group-policies.

Actions

This Discussion