Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Can Shared-Secret Site-to-Site VPN Coexist with RADIUS Authenticated VPN?

Hello,

I have a site-to-site VPN setup between two offices on PIX 515Es (v.6.2 software), and recently added a vpngroup/shared-secret based remote-access VPN for one of the offices. Since that just required me to append a different policy number to my existing crypto map, it was a straight-forward setup, and easily implemented. For additional security, I want to use a RADIUS server to give each remote user their own logins and profiles rather than a group password everyone is configured on. To do this though, it seems I have to append the following additional commands to my existing crypto map:

crypto map mymap client configuration address initiate

crypto map mymap client authentication RADIUS

These don't correspond to a policy number (my site-to-site is policy 10, and remote access is policy 20), so I'm not sure what the effect would be if I added them. Would it cause my site-to-site connection to request RADIUS authentication (a very bad thing)? If so, do I need another interface to bind a new crypto map to? Any answers to this would be greatly appreciated!

Also, if anyone knows of a sample configuration for a similar setup I can look at, please let me know! Thanks.

--A.Hsu

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: Can Shared-Secret Site-to-Site VPN Coexist with RADIUS Authe

For the site-to-site connection, change you isakmp key line and add the "no-xauth no-config-mode" parameters to the end of it, that'll tell the PIX not to do Radius auth or assign an IP address, etc for the specific site-to-site tunnel.

Config example is here:

http://www.cisco.com/warp/public/110/37.html

Note that this doesn't have the command options I just specified, I just sent an email to the web guys to fix that. Basically your config will look the same with the "no-xauth no-config-mode" options on the "isakmp key x.x.x.x ...." line for the LAN-to-LAN tunnel.

4 REPLIES
Cisco Employee

Re: Can Shared-Secret Site-to-Site VPN Coexist with RADIUS Authe

For the site-to-site connection, change you isakmp key line and add the "no-xauth no-config-mode" parameters to the end of it, that'll tell the PIX not to do Radius auth or assign an IP address, etc for the specific site-to-site tunnel.

Config example is here:

http://www.cisco.com/warp/public/110/37.html

Note that this doesn't have the command options I just specified, I just sent an email to the web guys to fix that. Basically your config will look the same with the "no-xauth no-config-mode" options on the "isakmp key x.x.x.x ...." line for the LAN-to-LAN tunnel.

New Member

Re: Can Shared-Secret Site-to-Site VPN Coexist with RADIUS Authe

Thanks for the help, RADIUS and my point-to-point are both up and running now.

--A.Hsu

New Member

Re: Can Shared-Secret Site-to-Site VPN Coexist with RADIUS Authe

I just did the same thing last week.

Try adding "no-xauth" to the end of your "crypto isakmp key" command.

For example "crypto isakmp key ciscokey address 1.1.1.1 no-xauth"

This will tell the site-to-site not to use Radius.

New Member

Re: Can Shared-Secret Site-to-Site VPN Coexist with RADIUS Authe

Sorry. That last post was for a router-to-rouer VPN.

It's similar for the Pix.

Use the command "isakmp key ciscokey address 1.1.1.1 netmask 255.255.255.255 no-xauth no-config-mode

105
Views
0
Helpful
4
Replies
CreatePlease to create content