Cisco Support Community

New Member

vpn using Radius server.

Hello, using the following commands, I had configured packets to proxy pptp client connection to internal win2k server. This was working with one to one mapping at other customer, but this customer has only 1 global ip address so I had to do port redirection for this to work, but this did not work out, as the vpn clients were not connecting.

static (inside,outside) tcp interface 1723 sbs2k 1723 netmask 0 0

conduit permit tcp host a.b.c.d eq 1723 any

conduit permit gre host a.b.c.d any ( where a.b.c.d is global ip )

So I had configured pptp on pix firewall itself using vpdn group commands, but the customer is saying if you give only 1 username and password for vpn tunnel, it's a security threat, so he wants to use internal Windows 2000 server's radius capability to authenticate the vpdn tunnel. I found a command vpdn client authentication radius (instead of local) but could not find an article on configuring aaa to use radius for the purpose of vpdn. Please advise where to find the doc; if none is available, please guide with the commands. Thanks in advance.


Sayeed Alhajri.

Cisco Employee

Re: vpn using Radius server.

The static/conduit wouldn't have worked cause PPTP uses both TCP port 1723 and GRE, which is IP protocol 47 and can't be port mapped (cause there is no TCP/UDP port).

A sample config, straight out of the command reference, is as follows:

aaa-server my-aaa-server-group (inside) host key 12345678

aaa-server my-aaa-server-group protocol radius

vpdn group 1 accept dialin pptp

vpdn group 1 ppp authentication mschap

vpdn group 1 client authentication aaa my-aaa-server-group

vpdn group 1 ppp encryption mppe auto required

vpdn group 1 client configuration address local my-addr-pool

vpdn enable outside

Note the keyword "my-aaa-server-group" that maps the PPTP authentication to the Radius server details. In this example the Radius server is at and the key is 12345678. Note also that this config requires the client to do MPPE encryption, but unless the Radius server handles MPPE keys, which I don't think the Win2K server does, you won't be able to do this.

You might want to tell your customer that if his Radius server doesn't handle returning MPPE keys, he won't be doing any encryption of his data, which is an awful lot less secure than having the usernames on the PIX itself which does handle MPPE.
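An added example, not part of the reply above or of Cisco's documentation: one way to check whether a RADIUS server "handles MPPE keys" is to inspect a captured Access-Accept for the Microsoft vendor-specific attributes MS-MPPE-Send-Key and MS-MPPE-Recv-Key. The attribute numbers (vendor 311, types 16 and 17) are taken from RFC 2548 rather than from this thread, and the sample packets are constructed with zero filler instead of real key material.

```python
import struct

# Assumptions from RFC 2865 / RFC 2548, not from the thread:
ACCESS_ACCEPT, VENDOR_SPECIFIC, MS_VENDOR_ID = 2, 26, 311
MPPE_KEY_TYPES = {16: "MS-MPPE-Send-Key", 17: "MS-MPPE-Recv-Key"}

def tlvs(buf):
    """Yield (type, value) from 1-byte type / 1-byte length attributes."""
    pos = 0
    while pos < len(buf):
        if pos + 2 > len(buf) or buf[pos + 1] < 2 or pos + buf[pos + 1] > len(buf):
            raise ValueError("malformed attribute at offset %d" % pos)
        yield buf[pos], buf[pos + 2:pos + buf[pos + 1]]
        pos += buf[pos + 1]

def mppe_keys_in_accept(packet):
    """Names of the MPPE key attributes carried in an Access-Accept."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    if code != ACCESS_ACCEPT:
        return []
    found = set()
    for typ, value in tlvs(packet[20:length]):
        if typ != VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != MS_VENDOR_ID:
            continue
        for sub_type, _value in tlvs(value[4:]):
            if sub_type in MPPE_KEY_TYPES:
                found.add(MPPE_KEY_TYPES[sub_type])
    return sorted(found)

def _attr(typ, value):
    return bytes([typ, len(value) + 2]) + value

def build_reply(code, ms_sub_types):
    """Constructed sample reply; key bytes are zero filler, not real keys."""
    attrs = b"".join(
        _attr(VENDOR_SPECIFIC, struct.pack("!I", MS_VENDOR_ID) + _attr(t, bytes(34)))
        for t in ms_sub_types)
    return struct.pack("!BBH", code, 1, 20 + len(attrs)) + bytes(16) + attrs

if __name__ == "__main__":
    for label, pkt in (("keys returned", build_reply(2, [16, 17])),
                       ("no keys", build_reply(2, []))):
        print(label, "->", mppe_keys_in_accept(pkt) or "no MPPE keys in reply")
```

An Access-Accept that yields an empty list here is the case the reply warns about: the server authenticated the user but gave the PIX nothing to key MPPE with.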

New Member

Re: vpn using Radius server.

Thanks for your reply. Win2k server does it if we use it with ISA 2000 on it. So I went through the steps and it resolved my problem.

Thanks again.