Cisco Support Community
New Member

PIX remote access authentication

I have just inherited a corp network that uses a PIX 515e at each of three sites to create site-to-site VPN tunnels. This is working fine. I need to set up remote VPN access for individual users using the PIX at our main office. Is it possible to use RADIUS to authenticate some remote users and also authenticate other users using just a VPN group name and password (i.e. the client authenticates using the group name and password, but the user is not prompted to enter a name/password)? It seems as if this is a one-or-the-other proposition. When I enable authentication using RADIUS, the group authentication stops working. Can I do both simultaneously? If so, can anyone offer any help to get started? Thanks.

4 REPLIES
New Member

Re: PIX remote access authentication

You can't use two different authentication methods for the same group. It is either one or the other.

New Member

Re: PIX remote access authentication

Clarification: I am using two different VPN groups. One group (called vpngroup1) will allow the client to authenticate just using the VPN group name and password. I'd also like to use a second VPN group (called vpngroup2) that would authenticate using both the VPN group name and password, and then prompt the user for a username and password to be authenticated by a RADIUS server.

I've been told that this can be done, but when I enable use of the RADIUS server, the clients in vpngroup1 are prompted also for their username and password.

How do I link the RADIUS authentication requirement to just one of the VPN groups?

Thanks.

New Member

Re: PIX remote access authentication

Yes, this can be done. I am currently doing that now. Post your config and I'll take a look at it.

New Member

Re: PIX remote access authentication

Attached is the working config with a single VPN group where the users are not prompted to provide username and password. Any efforts to enable AAA seem to disable the working remote access. The IP addresses shown below are obviously not legit. Any suggestions would be appreciated. Thanks in advance.
