Cisco Support Community

New Member

Different authentication-server for two vpngroups

Can someone tell me how to create two remote access vpngroups on a PIX 6.3 that authenticate against two different Windows 2003 RADIUS servers?

aaa-server test1 protocol radius

aaa-server test1 (outside) host secret timeout 10

aaa-server test2 protocol radius

aaa-server test2 (outside) host secret timeout 10

crypto map dmz 10 ipsec-isakmp dynamic cisco

crypto map dmz client configuration address respond

crypto map dmz client authentication ???? -> test1 or test2

crypto map dmz interface dmz

isakmp enable dmz

vpngroup group-1 address-pool pool1

vpngroup group-1 dns-server

vpngroup group-1 default-domain

vpngroup group-1 idle-time 1800

vpngroup group-1 authentication-server test1

vpngroup group-1 password ********

vpngroup group-2 address-pool pool2

vpngroup group-2 dns-server

vpngroup group-2 default-domain

vpngroup group-2 idle-time 1800

vpngroup group-2 authentication-server test2

vpngroup group-2 password ********



Cisco Employee

Re: Different authentication-server for two vpngroups

You can't actually do this in 6.3 code. The "authentication-server" tag on the vpnclient command is only used for IUA (Individual User Authentication) which is for individually authenticating users behind an EasyVPN connection that comes into this PIX. It is NOT unfortunately used for standard VPN client connections. And please, don't ask me why, this confuses everyone, even TAC engineers :-)

You will need to upgrade your PIX to v7.0 and then it should work fine for you. Latest code is here:

and upgrade instructions are here:
