07-17-2008 08:32 AM
HELP ME!!
I'm going mad with this one.
I have 2 dynamic VPNs (for clients).
I cannot get one of the vpngroups to use radius for authentication.
07-17-2008 08:36 AM
Here you go:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800949ba.shtml
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800946b7.shtml
Please rate if this helped.
Regards,
Daniel
07-17-2008 08:44 AM
Sorry, PIX 6.3.
07-17-2008 08:54 AM
Here is the config. How do I get HAWRADIUS to use RADIUS?
test-pix-gw# sh run
access-list outside_cryptomap_dyn_121 permit ip any 192.168.7.0 255.255.255.0
access-list outside_cryptomap_dyn_141 permit ip any 192.168.6.0 255.255.255.0
access-list outside_cryptomap_dyn_161 permit ip any 192.168.7.0 255.255.255.0
aaa-server radius-authport 1812
aaa-server radius-acctport 1813
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server HAWRADIUS protocol radius
aaa-server HAWRADIUS max-failed-attempts 3
aaa-server HAWRADIUS deadtime 10
aaa-server HAWRADIUS (inside) host *.*.*.* cisco timeout 5
aaa authentication ssh console LOCAL
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set pix esp-des esp-md5-hmac
crypto dynamic-map dyn-pix 101 set transform-set pix
crypto dynamic-map dyn-pix 121 match address outside_cryptomap_dyn_121
crypto dynamic-map dyn-pix 121 set transform-set pix
crypto dynamic-map dyn-pix 141 match address outside_cryptomap_dyn_141
crypto dynamic-map dyn-pix 141 set transform-set pix
isakmp enable outside
isakmp identity address
isakmp keepalive 10
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup homeclient address-pool vpnpool
vpngroup homeclient dns-server *.*.*.*
vpngroup homeclient wins-server *.*.*.*
vpngroup homeclient default-domain
vpngroup homeclient split-tunnel 101
vpngroup homeclient idle-time 1800
vpngroup homeclient password ********
vpngroup ThirdParty address-pool vpnpool2
vpngroup ThirdParty dns-server *.*.*.*
vpngroup ThirdParty wins-server *.*.*.*
vpngroup ThirdParty default-domain
vpngroup ThirdParty split-tunnel 101
vpngroup ThirdParty idle-time 1800
vpngroup ThirdParty password ********
vpngroup HAWRADIUS address-pool vpnpool
vpngroup HAWRADIUS dns-server *.*.*.*
vpngroup HAWRADIUS wins-server *.*.*.*
vpngroup HAWRADIUS default-domain
vpngroup HAWRADIUS split-tunnel 101
vpngroup HAWRADIUS idle-time 1800
vpngroup HAWRADIUS authentication-server HAWRADIUS
vpngroup HAWRADIUS password ********
07-17-2008 09:13 AM
There's one command:
crypto map dyn-pix client authentication HAWRADIUS
However, this might require ALL groups to authenticate using Radius.
Anyway, to check the Radius messages:
debug aaa events
debug aaa packets
debug aaa authentication
Please rate if this helped.
Regards,
Daniel
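As an added, defender-side example (not from this thread, and not Cisco's own tooling), a small Python checker that reads a PIX 6.3 style config and reports vpngroups whose authentication-server tag has no aaa-server host, and whether any crypto map carries the "client authentication" (xauth) command Daniel mentions. The sample config is constructed from the one posted above; the patterns assume the exact command spellings shown in the thread.

```python
import re

# Constructed sample: lines trimmed from the config posted in the thread, plus the
# crypto map line suggested in the reply. Hosts are masked as in the post.
SAMPLE_CONFIG = """
aaa-server HAWRADIUS protocol radius
aaa-server HAWRADIUS (inside) host *.*.*.* cisco timeout 5
aaa-server RADIUS protocol radius
vpngroup homeclient address-pool vpnpool
vpngroup ThirdParty address-pool vpnpool2
vpngroup HAWRADIUS address-pool vpnpool
vpngroup HAWRADIUS authentication-server HAWRADIUS
crypto map dyn-pix client authentication HAWRADIUS
"""

AAA_PROTO = re.compile(r"^aaa-server (\S+) protocol (\S+)$")
AAA_HOST = re.compile(r"^aaa-server (\S+) \(\S+\) host (\S+)")
VPNGROUP = re.compile(r"^vpngroup (\S+) (\S+)(?: (.*))?$")
XAUTH = re.compile(r"^crypto map (\S+) client authentication (\S+)$")


def audit_xauth(config: str) -> dict:
    """Collect aaa-server tags, vpngroup attributes and crypto-map xauth settings,
    then list the gaps that would leave a vpngroup on group password only."""
    servers, hosts, groups, xauth = {}, {}, {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := AAA_PROTO.match(line):
            servers[m.group(1)] = m.group(2)
        elif m := AAA_HOST.match(line):
            hosts.setdefault(m.group(1), []).append(m.group(2))
        elif m := XAUTH.match(line):
            xauth[m.group(1)] = m.group(2)
        elif m := VPNGROUP.match(line):
            name, key, val = m.groups()
            groups.setdefault(name, {})[key] = val
    findings = []
    for name, attrs in groups.items():
        tag = attrs.get("authentication-server")
        if tag and tag not in servers:
            findings.append(f"vpngroup {name}: aaa-server {tag} not defined")
        elif tag and tag not in hosts:
            findings.append(f"vpngroup {name}: aaa-server {tag} has no host")
    for cmap, tag in xauth.items():
        if tag not in hosts:
            findings.append(f"crypto map {cmap}: xauth server {tag} has no host")
    # xauth is set per crypto map, so it covers every vpngroup terminating on that map.
    if not xauth:
        findings.append("no crypto map enforces xauth: vpngroups use only the group password")
    return {"servers": servers, "hosts": hosts, "groups": groups,
            "xauth": xauth, "findings": findings}
```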
07-17-2008 09:22 AM
I was thinking the 'no xauth' command was for this, but that's for site-to-site VPNs when used with remote access VPNs on the same device/interface.
I'm not sure there's a way to do this on 6.3. I'm pretty sure this is easily doable on 7.x and later though, using group-policies.
07-17-2008 09:34 AM
Thanks
Glad I'm not going mad!!