Cisco Support Community

Configure PIX to use both TACACS and RADIUS for VPN

PIX 506E using ver 6.3: Whenever I add the command "crypto map mymap client authentication PARTNERAUTH" it removes the current TACACS+ client authentication. I need to have both until I've finished testing the RADIUS server. Can I add an additional crypto map designation command to accommodate and use both the current TACACS+ (ACS) and RADIUS?

1 ACCEPTED SOLUTION

Re: Configure PIX to use both TACACS and RADIUS for VPN

Hi,

You would need a down time to test it.

Regards,

3 REPLIES

Re: Configure PIX to use both TACACS and RADIUS for VPN

Hi,

Unfortunately, what you want to do cannot be done on the PIX. Let's say that you have multiple VPN groups on your firewall, as soon as you apply the following command:

crypto map mymap client authentication partnerauth

where partnerauth can be a RADIUS, TACACS, TACACS+ or an ACS server:

aaa-server partnerauth protocol radius

aaa-server partnerauth (inside) host 172.18.124.196 cisco123

As soon as you use "crypto map mymap client authentication partnerauth" the authentication is applied globally on the crypto map, thus affecting all the VPN groups configured.

You can have multiple VPN groups running on your firewall (dynamic crypto maps) but you need to associate them to a static crypto map (crypto dynamic-map dynmap 10 set transform-set myset).

You can only have 1 crypto map applied to one interface. When you apply this line:

"crypto map mymap client authentication partnerauth"

the authentication is applied to ALL the clients; we cannot separate the extended authentication based on the VPN group or IP address.

Please rate if that helps!

Regards,

~JG

Re: Configure PIX to use both TACACS and RADIUS for VPN

Thank you. I was trying to figure out a way to test RSA/Safeword security tokens using a Microsoft IAS RADIUS server while not affecting the current VPN users who connect through TACACS+.
