Cisco Support Community
New Member

PIX and authenticating VPN user using ACS

We have a PIX 515 connecting to a Win2000 server for a site to site VPN connection.

The VPN user is accessing a development network on a secondary interface (not inside interface) of the PIX.

We already have access-lists on the PIX to limit where the VPN user can go and what he can do.

We have a need now to implement User Authentication as more users are now requiring the same access as the VPN user (on same VPN tunnel).

We have ACS v3.0 already in our environment (on the inside interface of the PIX) and want to set up user authentication using TACACS+.

The VPN users need FTP, HTTP, Telnet, XWindows and Windows Terminal Server Client access.

What is the best way to set this up?

Would this below config work?

aaa-server TACACS protocol tacacs+
aaa-server TACACS (inside) host ciscosecret
aaa authentication include any inbound TACACS
aaa authorization include any inbound TACACS
aaa accounting include any inbound TACACS
auth-prompt prompt Please Authenticate to the Firewall
auth-prompt reject Authentication Failed, Please Try Again
auth-prompt accept You've been Authenticated!

I know the PIX can authenticate for HTTP, FTP & Telnet, but what if the VPN user tries to establish a Terminal Server client connection? How is the user prompted for authentication?

I also have a question about timeouts. If setting an absolute or inactivity timeout using the "timeout uauth" commands, how does this impact your settings already set up for the VPN tunnel?

Your help is appreciated


Peter Cumming

Atlantic Lottery Corp.

Cisco Employee

Re: PIX and authenticating VPN user using ACS

See link below on how to add xauth for vpn users on the PIX:
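An added configuration sketch, written for this page and not part of the thread or the poster's own config, showing how the pieces the question touches fit together on a PIX 6.x: xauth on the crypto map so every VPN user is prompted by the VPN client itself, the cut-through proxy limited to the three protocols it can actually intercept, a virtual telnet address for protocols that carry no login dialogue the PIX can hook (Terminal Server client, X Windows), and uauth timers kept separate from the tunnel's SA lifetimes. The server address 10.1.1.5, the map name vpnmap, the shared key and the virtual address 192.168.50.250 are assumed placeholders; substitute your own.

```cisco
! Added example (PIX 6.x syntax); all addresses, names and keys below are placeholders
!
! TACACS+ server (the ACS box) reachable on the inside interface
aaa-server TACACS protocol tacacs+
aaa-server TACACS (inside) host 10.1.1.5 ciscosecret timeout 5
!
! 1. Xauth: the VPN client prompts for credentials when the tunnel comes up,
!    so the user is authenticated regardless of which protocol is used afterwards
crypto map vpnmap client authentication TACACS
!
! 2. Cut-through proxy: the PIX can only inject a login prompt into telnet,
!    ftp and http, so name those explicitly rather than "any" to avoid
!    silently dropping protocols it cannot prompt for
aaa authentication include telnet inbound 0 0 0 0 TACACS
aaa authentication include ftp inbound 0 0 0 0 TACACS
aaa authentication include http inbound 0 0 0 0 TACACS
!
! 3. Protocols with no interceptable login (Terminal Server client, X11):
!    the user first telnets to this virtual address, authenticates once,
!    and the resulting uauth entry then covers the other sessions from that host
virtual telnet 192.168.50.250
!
! 4. uauth timers govern only the cached user authentication; the IKE and
!    IPsec SA lifetimes of the tunnel itself are set separately and are not
!    affected. Inactivity should be shorter than the absolute limit.
timeout uauth 1:00:00 absolute
timeout uauth 0:15:00 inactivity
```

With this layout the ACS accounting records show one login per user session rather than one per intercepted connection, and a user whose uauth entry has expired is simply prompted again (or must re-telnet to the virtual address) while the IPsec tunnel stays up.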