Max number of local AAA users on PIX 7.2?

paulhignutt (Level 1)

I know that this is a bad idea, but I have a customer that wants upwards of 200+ users put in the config of his PIX for use with VPN. What the customer wants, the customer gets... Unless, is that even possible? I can't find anything to tell me the max number of local users you can have.

Does anyone know what the max number of local users is for a PIX 515e running 7.2?

Thanks!

Accepted Solution

Here is the PIX 7.2 configuration (relevant portion only). To configure IAS, google something like "IAS radius cisco".

The dollar sign ($) indicates variable names/fields (user-defined names).

access-list $splittunnel_acl extended permit ip $local_network $vpn_dhcp_network
ip local pool vpn-pool $start_ip-$end_ip
aaa-server RADIUSVPN protocol radius
aaa-server RADIUSVPN host $192.168.x.y
 timeout 5
 key $shared_radius_key
! backup IAS server
aaa-server RADIUSVPN host $192.168.x.z
 timeout 5
 key $shared_radius_key
group-policy $group_name internal
group-policy $group_name attributes
 wins-server value $192.168.x.x
 dns-server value $192.168.x.x $192.168.x.y
 vpn-idle-timeout 1440
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value $splittunnel_acl
 default-domain value $local_domain
 backup-servers $backup_vpn_server
crypto ipsec transform-set $transform_name esp-3des esp-sha-hmac
crypto dynamic-map $DYN_MAPNAME 10 set transform-set $transform_name
crypto map VPN 25 ipsec-isakmp dynamic $DYN_MAPNAME
crypto map VPN interface outside
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group (outside) RADIUS
tunnel-group $group_name type ipsec-ra
tunnel-group $group_name general-attributes
 address-pool vpn-pool
 authentication-server-group RADIUSVPN
 default-group-policy $group_name
tunnel-group $group_name ipsec-attributes
 pre-shared-key $psk

----------------

If you have regular crypto tunnels defined, place the dynamic map entry after those; otherwise strange things happen.
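One way to check a fragment shaped like the one above for the pitfalls the answer touches on (a RADIUS host with no shared key, a tunnel-group that names an aaa-server group which is not defined, and a dynamic crypto map entry sequenced before a static one), as an added example that is not code from the thread or from Cisco. The sample config and its addresses are constructed; note that the excerpt above names a group "RADIUS" under DefaultRAGroup that is not defined within the excerpt, so this check would flag it unless the rest of the running config defines it.

```python
# Added example, not code from the thread: lint a PIX 7.2 remote-access fragment shaped like
# the accepted answer. SAMPLE_CONFIG is constructed for illustration (RFC 5737 addresses).
import re

def parse_pix(text):
    """Group indented sub-commands under their parent: [(parent, [children]), ...]."""
    blocks = []
    for raw in (l for l in text.splitlines() if l.strip()):
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks

def lint_vpn_config(text):
    """Return findings (empty list = all three checks passed)."""
    findings, blocks = [], parse_pix(text)
    groups = {p.split()[1] for p, _ in blocks if p.startswith("aaa-server ") and " protocol " in p}
    static, dynamic = {}, {}
    for parent, children in blocks:
        if parent.startswith("aaa-server ") and " host " in parent:  # 1. host needs a shared secret
            if not any(c.startswith("key ") for c in children):
                findings.append(f"no key on: {parent}")
        elif parent.startswith("tunnel-group ") and parent.endswith(" general-attributes"):  # 2. group must exist
            for c in children:
                if c.startswith("authentication-server-group") and c.split()[-1] not in groups:
                    findings.append(f"{parent}: undefined aaa-server group {c.split()[-1]}")
        m = re.match(r"crypto map (\S+) (\d+) (.+)$", parent)  # 3. collect crypto map sequence numbers
        if m:
            name, seq, rest = m.group(1), int(m.group(2)), m.group(3)
            (dynamic if rest.startswith("ipsec-isakmp dynamic") else static).setdefault(name, set()).add(seq)
    for name, dseqs in dynamic.items():  # the answer's caveat: the dynamic entry must come last
        for d in sorted(dseqs):
            for s in sorted(static.get(name, ())):
                if d < s:
                    findings.append(f"crypto map {name}: dynamic entry {d} precedes static entry {s}")
    return findings

SAMPLE_CONFIG = """\
aaa-server RADIUSVPN protocol radius
aaa-server RADIUSVPN host 192.0.2.10
 key example-shared-secret
aaa-server RADIUSVPN host 192.0.2.11
crypto map VPN 25 ipsec-isakmp dynamic DYNMAP
crypto map VPN 30 match address l2l_acl
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group (outside) RADIUS
tunnel-group ravpn general-attributes
 authentication-server-group RADIUSVPN
"""
```

Running lint_vpn_config(SAMPLE_CONFIG) reports all three constructed defects; a clean fragment returns an empty list.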


4 Replies

David White (Cisco Employee)

Hi Paul,

There is no software imposed limit on the number of users in the local database. So, in essence you are limited by the config size (and available space on flash to store the config).

But, we have not tested performance with very large local user databases. However, 200 users should be just fine.

Sincerely,

David.

Sounds like the customer wants an administrative nightmare (:

I set up AAA/RADIUS authentication for VPN users using Microsoft's free IAS (Internet Authentication Server). This way, remote users can use their domain login information to do xauth w/ the VPN client, and when they leave the company, removing/disabling their AD account disables their VPN access. I've set this up successfully on both the VPN concentrator and PIX 6.3/7.x if you're interested.

I'm not sure they want to tie it into AD, is the problem. However, I would like to see an example config if you wouldn't mind sharing it. My email is phignutt @ hotmail dot com

Thanks
