Cisco Support Community
Community Member

2 radius servers with CVPN Client

Hello, I'm trying to get 2 sets of CVPN clients to authenticate with 2 different Radius servers, without much success.

The line below is mapped to the interface and will always push all users to that radius server. Is there any way round this?

crypto map newmap client authentication win2k

I've pasted a cut-down config below; any help appreciated.

ip local pool cucvpnpool

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

aaa-server win2k protocol radius

aaa-server win2k (inside) host authme timeout 10

aaa-server mantonwood protocol radius

aaa-server mantonwood (inside) host authme timeout 10

sysopt connection permit-ipsec

sysopt connection permit-pptp

crypto ipsec transform-set myset esp-3des esp-md5-hmac

crypto dynamic-map dynmap 10 set transform-set myset

crypto map newmap 20 ipsec-isakmp dynamic dynmap

crypto map newmap 30 ipsec-isakmp

crypto map newmap 30 match address alphen

crypto map newmap 30 set peer

crypto map newmap 30 set transform-set myset

crypto map newmap client authentication win2k

(This pushes users to win2k Radius server)

crypto map newmap interface outside

isakmp enable outside

isakmp key ******** address x.x.x.x netmask no-xauth no-con


isakmp identity address

isakmp nat-traversal 20

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash md5

isakmp policy 10 group 1

isakmp policy 10 lifetime 3600

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption 3des

isakmp policy 20 hash md5

isakmp policy 20 group 2

isakmp policy 20 lifetime 3600

vpngroup kiveton address-pool cucvpnpool

vpngroup kiveton idle-time 1800

vpngroup kiveton authentication-server win2k (This does nothing!!!)

vpngroup kivetonvpn password ********

vpngroup mantonwood address-pool cucvpnpool

vpngroup mantonwood idle-time 1800

vpngroup mantonwood authentication-server mantonwood ( This does nothing!!!)

vpngroup mantonwood password ********

vpngroup address-pool idle-time 1800


Re: 2 radius servers with CVPN Client


This command "vpngroup mantonwood authentication-server mantonwood" is meant only for IUA (HW VPN clients), not for software VPN clients.

Since we know that XAUTH has a scope within a crypto map (i.e. one XAUTH server per crypto map), and also that only one crypto map can be applied to one interface at a time, you would need to use 2 crypto maps on 2 different interfaces to have it working with 2 different RADIUS servers.
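
The layout described in the reply above, sketched as an added example in the same PIX command syntax as the posted config (it is not part of the original thread). It assumes a second VPN-terminating interface, given the hypothetical name outside2 here; newmap2 and dynmap2 are likewise made-up names, while the AAA server tags and transform set are the ones from the posted config.

```text
: Existing map on "outside": XAUTH for clients terminating here uses win2k
crypto dynamic-map dynmap 10 set transform-set myset
crypto map newmap 20 ipsec-isakmp dynamic dynmap
crypto map newmap client authentication win2k
crypto map newmap interface outside
isakmp enable outside

: Second map on the hypothetical interface "outside2": XAUTH uses mantonwood
crypto dynamic-map dynmap2 10 set transform-set myset
crypto map newmap2 20 ipsec-isakmp dynamic dynmap2
crypto map newmap2 client authentication mantonwood
crypto map newmap2 interface outside2
isakmp enable outside2
```

Each set of clients would then connect to the address of the interface whose crypto map names its RADIUS server.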



Community Member

Re: 2 radius servers with CVPN Client


Many thanks for the useful answer, back to the drawing board.

Perhaps one Radius server can authenticate different users to different domains.

Cheers Tony

Community Member

Re: 2 radius servers with CVPN Client

Did you find a solution to using multiple radius servers in different domains working behind the PIX?

I have a similar issue with two domains (no trust) and a single PIX. In this case I'm using PPTP for VPN.

Cisco are currently looking at this for me.
