
One VPN group to use radius

richard.gosling
Level 1

HELP ME!!

I'm going mad with this one.

I have 2 dynamic VPNs (for clients).

I cannot get one of the vpngroups to use RADIUS for authentication.


Sorry, PIX 6.3.

Here is the config. How do I get HAWRADIUS to use RADIUS?

test-pix-gw# sh run
access-list outside_cryptomap_dyn_121 permit ip any 192.168.7.0 255.255.255.0
access-list outside_cryptomap_dyn_141 permit ip any 192.168.6.0 255.255.255.0
access-list outside_cryptomap_dyn_161 permit ip any 192.168.7.0 255.255.255.0
aaa-server radius-authport 1812
aaa-server radius-acctport 1813
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server HAWRADIUS protocol radius
aaa-server HAWRADIUS max-failed-attempts 3
aaa-server HAWRADIUS deadtime 10
aaa-server HAWRADIUS (inside) host *.*.*.* cisco timeout 5
aaa authentication ssh console LOCAL
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set pix esp-des esp-md5-hmac
crypto dynamic-map dyn-pix 101 set transform-set pix
crypto dynamic-map dyn-pix 121 match address outside_cryptomap_dyn_121
crypto dynamic-map dyn-pix 121 set transform-set pix
crypto dynamic-map dyn-pix 141 match address outside_cryptomap_dyn_141
crypto dynamic-map dyn-pix 141 set transform-set pix
isakmp enable outside
isakmp identity address
isakmp keepalive 10
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup homeclient address-pool vpnpool
vpngroup homeclient dns-server *.*.*.*
vpngroup homeclient wins-server *.*.*.*
vpngroup homeclient default-domain
vpngroup homeclient split-tunnel 101
vpngroup homeclient idle-time 1800
vpngroup homeclient password ********
vpngroup ThirdParty address-pool vpnpool2
vpngroup ThirdParty dns-server *.*.*.*
vpngroup ThirdParty wins-server *.*.*.*
vpngroup ThirdParty default-domain
vpngroup ThirdParty split-tunnel 101
vpngroup ThirdParty idle-time 1800
vpngroup ThirdParty password ********
vpngroup HAWRADIUS address-pool vpnpool
vpngroup HAWRADIUS dns-server *.*.*.*
vpngroup HAWRADIUS wins-server *.*.*.*
vpngroup HAWRADIUS default-domain
vpngroup HAWRADIUS split-tunnel 101
vpngroup HAWRADIUS idle-time 1800
vpngroup HAWRADIUS authentication-server HAWRADIUS
vpngroup HAWRADIUS password ********

There's one command:

crypto map dyn-pix client authentication HAWRADIUS

However, this might require ALL groups to authenticate using Radius.

Anyway, to check the Radius messages:

debug aaa events

debug aaa packets

debug aaa authentication

Please rate if this helped.

Regards,

Daniel
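The answer above boils down to a check a reviewer can run over any PIX 6.3 config: for each vpngroup, which AAA server tag does user (XAUTH) authentication resolve to, either the group's own authentication-server line or the crypto-map-wide client authentication setting, and does that tag actually have a protocol and a host defined? The script below is an added example, not code from the thread or from Cisco; it parses the command forms that appear in the posted config (aaa-server ... protocol, aaa-server ... (ifc) host, vpngroup ..., crypto map ... client authentication) and flags groups that end up with no user authentication or with a dangling server tag. The sample config is constructed from the one posted above with a made-up RADIUS host address and a made-up ThirdParty authentication-server line; the rule that a group with neither setting has no XAUTH is the assumption the audit encodes.

```python
import re
from collections import defaultdict

# Constructed sample (subset of the posted config; 10.0.0.5 and the
# ThirdParty authentication-server line are invented for illustration).
SAMPLE_CONFIG = """
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server HAWRADIUS protocol radius
aaa-server HAWRADIUS (inside) host 10.0.0.5 cisco timeout 5
vpngroup homeclient address-pool vpnpool
vpngroup homeclient default-domain
vpngroup homeclient password ********
vpngroup ThirdParty address-pool vpnpool2
vpngroup ThirdParty authentication-server RADIUS
vpngroup ThirdParty password ********
vpngroup HAWRADIUS address-pool vpnpool
vpngroup HAWRADIUS authentication-server HAWRADIUS
vpngroup HAWRADIUS password ********
"""

RE_PROTO = re.compile(r"aaa-server (\S+) protocol (\S+)$")
RE_HOST = re.compile(r"aaa-server (\S+) \((\S+)\) host (\S+)")
RE_GROUP = re.compile(r"vpngroup (\S+) (\S+)(?: (.*))?$")
RE_GLOBAL = re.compile(r"crypto map (\S+) client authentication (\S+)")


def parse_pix(config):
    """Return (aaa_servers, vpngroups, global_auth_tag) from a PIX 6.3 config."""
    servers = {}                 # tag -> {"protocol": str|None, "hosts": [ip, ...]}
    groups = defaultdict(dict)   # group name -> {keyword: value}
    global_auth = None           # tag from 'crypto map ... client authentication'
    for raw in config.splitlines():
        line = raw.strip()
        if m := RE_PROTO.match(line):
            servers.setdefault(m.group(1), {"protocol": None, "hosts": []})
            servers[m.group(1)]["protocol"] = m.group(2)
        elif m := RE_HOST.match(line):
            servers.setdefault(m.group(1), {"protocol": None, "hosts": []})
            servers[m.group(1)]["hosts"].append(m.group(3))
        elif m := RE_GROUP.match(line):
            # Keyword may have no value (e.g. a blank default-domain).
            groups[m.group(1)][m.group(2)] = m.group(3) or ""
        elif m := RE_GLOBAL.match(line):
            global_auth = m.group(2)
    return servers, dict(groups), global_auth


def audit(config):
    """List (group, issue) pairs for vpngroups whose user auth is missing or broken.

    Assumption encoded here: a group's XAUTH server is its own
    authentication-server tag if present, else the crypto-map-wide tag;
    with neither, only the group pre-shared key protects the tunnel.
    """
    servers, groups, global_auth = parse_pix(config)
    findings = []
    for name in sorted(groups):
        tag = groups[name].get("authentication-server") or global_auth
        if tag is None:
            findings.append((name, "no XAUTH server: only the group password is checked"))
        elif tag not in servers or servers[tag]["protocol"] is None:
            findings.append((name, f"references undefined aaa-server tag {tag}"))
        elif servers[tag]["protocol"] != "local" and not servers[tag]["hosts"]:
            findings.append((name, f"aaa-server {tag} has no host line"))
    return findings


if __name__ == "__main__":
    for group, issue in audit(SAMPLE_CONFIG):
        print(f"{group}: {issue}")
    print("--- with crypto-map-wide client authentication added ---")
    for group, issue in audit(SAMPLE_CONFIG + "crypto map dyn-pix client authentication HAWRADIUS\n"):
        print(f"{group}: {issue}")
```

Run against the sample, the first pass flags ThirdParty (its RADIUS tag has a protocol but no host) and homeclient (no authentication-server and no crypto-map-wide setting); HAWRADIUS passes. Appending the single crypto map client authentication line from the reply makes homeclient resolve to HAWRADIUS, which is exactly the side effect the reply warns about: every group without its own tag now authenticates against that server.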

I was thinking the 'no xauth' command was for this, but that's for site-to-site VPNs when used with remote access VPNs on the same device/interface.

I'm not sure there's a way to do this on 6.3. I'm pretty sure this is easily doable on 7.x and later, though, using group-policies.

Thanks

Glad I'm not going mad!!