07-17-2008 08:32 AM
HELP ME!!
I'm going mad with this one.
I have 2 dynamic VPNs (for clients).
I cannot get one of the vpngroups to use radius for authentication.
07-17-2008 08:36 AM
Here you go:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800949ba.shtml
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800946b7.shtml
Please rate if this helped.
Regards,
Daniel
07-17-2008 08:44 AM
Sorry, PIX 6.3.
07-17-2008 08:54 AM
Here is the config. How do I get HAWRADIUS to use RADIUS?
test-pix-gw# sh run
access-list outside_cryptomap_dyn_121 permit ip any 192.168.7.0 255.255.255.0
access-list outside_cryptomap_dyn_141 permit ip any 192.168.6.0 255.255.255.0
access-list outside_cryptomap_dyn_161 permit ip any 192.168.7.0 255.255.255.0
aaa-server radius-authport 1812
aaa-server radius-acctport 1813
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server HAWRADIUS protocol radius
aaa-server HAWRADIUS max-failed-attempts 3
aaa-server HAWRADIUS deadtime 10
aaa-server HAWRADIUS (inside) host *.*.*.* cisco timeout 5
aaa authentication ssh console LOCAL
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set pix esp-des esp-md5-hmac
crypto dynamic-map dyn-pix 101 set transform-set pix
crypto dynamic-map dyn-pix 121 match address outside_cryptomap_dyn_121
crypto dynamic-map dyn-pix 121 set transform-set pix
crypto dynamic-map dyn-pix 141 match address outside_cryptomap_dyn_141
crypto dynamic-map dyn-pix 141 set transform-set pix
isakmp enable outside
isakmp identity address
isakmp keepalive 10
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup homeclient address-pool vpnpool
vpngroup homeclient dns-server *.*.*.*
vpngroup homeclient wins-server *.*.*.*
vpngroup homeclient default-domain
vpngroup homeclient split-tunnel 101
vpngroup homeclient idle-time 1800
vpngroup homeclient password ********
vpngroup ThirdParty address-pool vpnpool2
vpngroup ThirdParty dns-server *.*.*.*
vpngroup ThirdParty wins-server *.*.*.*
vpngroup ThirdParty default-domain
vpngroup ThirdParty split-tunnel 101
vpngroup ThirdParty idle-time 1800
vpngroup ThirdParty password ********
vpngroup HAWRADIUS address-pool vpnpool
vpngroup HAWRADIUS dns-server *.*.*.*
vpngroup HAWRADIUS wins-server *.*.*.*
vpngroup HAWRADIUS default-domain
vpngroup HAWRADIUS split-tunnel 101
vpngroup HAWRADIUS idle-time 1800
vpngroup HAWRADIUS authentication-server HAWRADIUS
vpngroup HAWRADIUS password ********
07-17-2008 09:13 AM
There's one command:
crypto map dyn-pix client authentication HAWRADIUS
However, this might require ALL groups to authenticate using Radius.
Anyway, to check the Radius messages:
debug aaa events
debug aaa packets
debug aaa authentication
Please rate if this helped.
Regards,
Daniel
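As an added illustration (not code from the thread or from Cisco), the following script audits a PIX 6.3 running-config for the situation discussed here: a vpngroup that names an aaa-server with authentication-server, while no "crypto map ... client authentication" line exists to actually enable XAUTH, or while the named aaa-server is undefined or has no host. The sample config is a constructed, trimmed copy of the one posted above, with the masked addresses replaced by a documentation-range placeholder and a placeholder shared key.

```python
import re

# Constructed sample: trimmed from the posted PIX 6.3 config.
# 192.0.2.10 and SHAREDKEY are placeholders, not values from the thread.
SAMPLE_CONFIG = """
aaa-server HAWRADIUS protocol radius
aaa-server HAWRADIUS (inside) host 192.0.2.10 SHAREDKEY timeout 5
aaa-server RADIUS protocol radius
crypto dynamic-map dyn-pix 121 set transform-set pix
vpngroup homeclient address-pool vpnpool
vpngroup homeclient password ********
vpngroup HAWRADIUS address-pool vpnpool
vpngroup HAWRADIUS authentication-server HAWRADIUS
vpngroup HAWRADIUS password ********
"""


def audit_vpngroup_xauth(config):
    """Return (vpngroup, problem) pairs for groups whose RADIUS setting cannot take effect."""
    server_tags = set()        # aaa-server tags declared with 'protocol'
    servers_with_host = set()  # tags that also have at least one 'host' line
    xauth_maps = {}            # crypto map name -> aaa-server tag used for XAUTH
    group_auth = {}            # vpngroup name -> aaa-server tag from authentication-server
    for line in config.splitlines():
        line = line.strip()
        m = re.match(r"aaa-server (\S+) protocol \S+", line)
        if m:
            server_tags.add(m.group(1))
            continue
        m = re.match(r"aaa-server (\S+) \(\S+\) host ", line)
        if m:
            servers_with_host.add(m.group(1))
            continue
        # 'crypto map' only; 'crypto dynamic-map' lines deliberately do not match
        m = re.match(r"crypto map (\S+) client authentication (\S+)", line)
        if m:
            xauth_maps[m.group(1)] = m.group(2)
            continue
        m = re.match(r"vpngroup (\S+) authentication-server (\S+)", line)
        if m:
            group_auth[m.group(1)] = m.group(2)
    findings = []
    for group, tag in group_auth.items():
        if tag not in server_tags:
            findings.append((group, "references undefined aaa-server " + tag))
        elif tag not in servers_with_host:
            findings.append((group, "aaa-server has no host " + tag))
        if not xauth_maps:
            findings.append((group, "no 'crypto map ... client authentication'"))
    return findings
```

Running it on the sample flags HAWRADIUS for the missing crypto map XAUTH line; adding the command Daniel suggests clears that finding.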
07-17-2008 09:22 AM
I was thinking the 'no xauth' command was for this, but that's for site2site VPNs when used with remote access VPNs on the same device/interface.
I'm not sure there's a way to do this on 6.3. I'm pretty sure this is easily doable on 7.x and later, though, using group-policies.
07-17-2008 09:34 AM
Thanks
Glad I'm not going mad!!