I have several Pix501's running 6.3 and several 871s and 881s which are in a hub and spoke design with my ASA5520 being the hub. Every 501 and spoke router has a ezvpn connection back to the hub in which it tunnels all traffic to my corporate office. The tunnels are working perfectly.
I want to require network staff to authenicate to a Microsoft IAS radius box when ever they attempt to gain access to one of the routers or PIX devices. If the tunnel is down, then it should default to local authenication.
I have the 871 and 881's working in this fashion. As long as the tunnel is up and operating any attempts to telnet os SSH into one of these decives requires authenication to the IAS server which is located at the hub.
My problem is that I can not figure out the commands to place on the PIX501's to allow both Radius athenication while the tunnel is active and local when it is not. Also, The routers identify themselves to the radius server by thier inside IP address. How can I have the PIX reach across the ezvpn tunnel, identify it self to the radious server as it's inside address and then recieve the athenication information.