Cisco Support Community
Community Member

vpn authentication

Is there a way to allow different VPN groups to use different client authentication methods, e.g. one being LOCAL and the other one RADIUS?

Thanks

Eppie

1 REPLY
Cisco Employee

Re: vpn authentication

Hi Eppie,

As the Auth method is decided at the "Crypto map" level and not at the "vpngroup" level:

As the commands for AAA on PIX are: (using tacacs)

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ (inside) host 10.0.0.2 secret123

or

aaa-server database protocol LOCAL (using local)

And then once we define the AAA commands then they are attached to the Crypto map as:

crypto map partner-map client authentication TACACS+

crypto map partner-map interface outside

or

(when using local database)

crypto map partner-map client authentication database

crypto map partner-map interface outside

So there is no way to use BOTH the LOCAL and the TACACS/RADIUS at the same time, and you can only have one or the other.

For further reading:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/c.htm#1034654

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/vpncl11.htm#38519

Hope this helps,

Regards,

Aamir

-=-=-
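
As an added example (not part of the original reply and not Cisco tooling): a small Python audit that reads a PIX 6.3-style configuration and reports, for each crypto map, the AAA server group and protocol its client authentication is bound to, following the reply's point that the method is set once per crypto map. The maps lab-map, open-map and typo-map, their interfaces, and the finding labels are assumptions constructed for illustration.

```python
import re

# Constructed sample in the PIX 6.3 syntax quoted in the reply; lab-map, open-map,
# typo-map and their interfaces are made up for this example.
SAMPLE_CONFIG = """\
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 10.0.0.2 secret123
aaa-server database protocol LOCAL
crypto map partner-map client authentication TACACS+
crypto map partner-map interface outside
crypto map lab-map client authentication database
crypto map open-map interface dmz
crypto map typo-map client authentication RADUIS
crypto map typo-map interface inside
"""

AAA_RE = re.compile(r"^aaa-server\s+(\S+)\s+protocol\s+(\S+)", re.I)
AUTH_RE = re.compile(r"^crypto map\s+(\S+)\s+client authentication\s+(\S+)", re.I)
IFACE_RE = re.compile(r"^crypto map\s+(\S+)\s+interface\s+(\S+)", re.I)


def audit_client_auth(config_text):
    """Map each crypto map to its interface, AAA group(s), protocol and findings."""
    protocols, maps = {}, {}

    def entry(name):
        return maps.setdefault(
            name, {"interface": None, "groups": [], "protocol": None, "findings": []})

    for line in map(str.strip, config_text.splitlines()):
        if m := AAA_RE.match(line):
            protocols[m.group(1)] = m.group(2).lower()
        elif m := AUTH_RE.match(line):
            entry(m.group(1))["groups"].append(m.group(2))
        elif m := IFACE_RE.match(line):
            entry(m.group(1))["interface"] = m.group(2)

    for info in maps.values():
        groups, findings = info["groups"], info["findings"]
        if info["interface"] is None:
            findings.append("not-applied")          # map is bound to no interface
        if not groups:
            findings.append("no-client-auth")       # no per-user authentication on this map
        elif len(set(groups)) > 1:
            findings.append("multiple-auth-lines")  # conflicts with one method per map
        elif groups[0] not in protocols:
            findings.append("undefined-aaa-group")  # tag never declared with aaa-server
        else:
            info["protocol"] = protocols[groups[0]]
    return maps
```

Calling `audit_client_auth(SAMPLE_CONFIG)` returns one entry per crypto map, so a reviewer can see at a glance which maps authenticate against LOCAL, which against an external server, and which have no client authentication line at all.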
