vpn using Radius server.

sayeed
Level 1

Hello, using the following commands, I had configured packets to proxy pptp client connection to internal win2k server. This was working with one-to-one mapping at another customer, but this customer has only 1 global IP address, so I had to do port redirection for this to work, but this did not work out, as the vpn clients were not connecting.

static (inside,outside) tcp interface 1723 sbs2k 1723 netmask 255.255.255.255 0 0

conduit permit tcp host a.b.c.d eq 1723 any

conduit permit gre host a.b.c.d any ( where a.b.c.d is global ip )

So I had configured pptp on the pix firewall itself using vpdn group commands, but the customer is saying if you give only 1 username and password for the vpn tunnel, it's a security threat, so he wants to use the internal Windows 2000 server's radius capability to authenticate the vpdn tunnel. I found a command vpdn client authentication radius ( instead of local ) but could not find an article on configuring aaa to use radius for the purpose of vpdn. Please advise where to find the doc; if none is available, please guide with the commands. Thanks in advance.

Regards,

Sayeed Alhajri.

2 Replies

gfullage
Cisco Employee

The static/conduit wouldn't have worked cause PPTP uses both TCP port 1723 and GRE, which is IP protocol 47 and can't be port mapped (cause there is no TCP/UDP port).

A sample config, straight out of the command reference (http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/tz.htm#xtocid10), is as follows:

aaa-server my-aaa-server-group (inside) host 192.168.0.10 key 12345678

aaa-server my-aaa-server-group protocol radius

vpdn group 1 accept dialin pptp

vpdn group 1 ppp authentication mschap

vpdn group 1 client authentication aaa my-aaa-server-group

vpdn group 1 ppp encryption mppe auto required

vpdn group 1 client configuration address local my-addr-pool

vpdn enable outside

Note the keyword "my-aaa-server-group" that maps the PPTP authentication to the Radius server details. In this example the Radius server is at 192.168.0.10 and the key is 12345678. Note also that this config requires the client to do MPPE encryption, but unless the Radius server handles MPPE keys, which I don't think the Win2K server does, you won't be able to do this.

You might want to tell your customer that if his Radius server doesn't handle returning MPPE keys, he won't be doing any encryption of his data, which is an awful lot less secure than having the usernames on the PIX itself which does handle MPPE.
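The reply above leaves two things for the reader to verify by eye: that the group name on the "client authentication aaa" line exactly matches a defined aaa-server group (a mistyped name means PPTP logins never reach the RADIUS server), and that MPPE is actually required rather than optional. As an added example that is not part of the thread or of any Cisco tool, here is a small Python checker for PIX-style vpdn/aaa-server lines; the sample config is constructed from the reply's example, and the keyword matching is a simplification of the real command syntax.

```python
# Constructed sample, modelled on the reply's PIX 6.2 example.
SAMPLE_CONFIG = """\
aaa-server my-aaa-server-group (inside) host 192.168.0.10 key 12345678
aaa-server my-aaa-server-group protocol radius
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication mschap
vpdn group 1 client authentication aaa my-aaa-server-group
vpdn group 1 ppp encryption mppe auto required
vpdn group 1 client configuration address local my-addr-pool
vpdn enable outside
"""

def check_vpdn_config(config_text):
    """Return a list of finding strings; an empty list means all checks passed."""
    aaa_protocol, aaa_hosts, vpdn = {}, {}, {}
    for line in config_text.splitlines():
        p = line.split()
        if p[:1] == ["aaa-server"] and len(p) >= 4:
            if p[2] == "protocol":
                aaa_protocol[p[1]] = p[3]          # group name -> protocol
            elif p[3] == "host" and len(p) >= 5:
                aaa_hosts.setdefault(p[1], []).append(p[4])   # group -> server IPs
        elif p[:2] == ["vpdn", "group"] and len(p) >= 4:
            g, rest = vpdn.setdefault(p[2], {}), p[3:]
            if rest[:3] == ["client", "authentication", "aaa"] and len(rest) >= 4:
                g["aaa"] = rest[3]                  # referenced aaa-server group
            elif rest[:2] == ["ppp", "authentication"] and len(rest) >= 3:
                g["ppp_auth"] = rest[2]
            elif rest[:3] == ["ppp", "encryption", "mppe"]:
                g["mppe_required"] = rest[-1] == "required"
    findings = []
    for gid, g in sorted(vpdn.items()):
        aaa = g.get("aaa")
        if aaa is None:
            findings.append(f"group {gid}: not using 'client authentication aaa' (local users?)")
        elif aaa not in aaa_protocol:
            findings.append(f"group {gid}: aaa group '{aaa}' has no 'protocol' line (typo?)")
        elif aaa_protocol[aaa] != "radius":
            findings.append(f"group {gid}: aaa group '{aaa}' is {aaa_protocol[aaa]}, not radius")
        elif not aaa_hosts.get(aaa):
            findings.append(f"group {gid}: aaa group '{aaa}' has no host defined")
        if not g.get("mppe_required"):
            findings.append(f"group {gid}: MPPE not required; PPTP data may pass unencrypted")
        if g.get("ppp_auth") != "mschap":
            findings.append(f"group {gid}: MPPE needs MS-CHAP, but ppp authentication is {g.get('ppp_auth')}")
    return findings

if __name__ == "__main__":
    for f in check_vpdn_config(SAMPLE_CONFIG) or ["no findings"]:
        print(f)
```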

Thanks for your reply. Win2k server does it if we use it with ISA 2000 on it. So I went through the steps and it resolved my problem.

Thanx again.

Sayeed
