New Member

One VPN group to use radius

HELP ME!!

I'm going mad with this one.

I have 2 dynamic VPNs (for clients).

I cannot get one of the vpngroups to use radius for authentication.

6 REPLIES
New Member

Re: One VPN group to use radius

Sorry, PIX 6.3.

New Member

Re: One VPN group to use radius

Here is the config. How do I get HAWRADIUS to use RADIUS?

test-pix-gw# sh run

access-list outside_cryptomap_dyn_121 permit ip any 192.168.7.0 255.255.255.0

access-list outside_cryptomap_dyn_141 permit ip any 192.168.6.0 255.255.255.0

access-list outside_cryptomap_dyn_161 permit ip any 192.168.7.0 255.255.255.0

aaa-server radius-authport 1812

aaa-server radius-acctport 1813

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

aaa-server HAWRADIUS protocol radius

aaa-server HAWRADIUS max-failed-attempts 3

aaa-server HAWRADIUS deadtime 10

aaa-server HAWRADIUS (inside) host *.*.*.* cisco timeout 5

aaa authentication ssh console LOCAL

sysopt connection permit-ipsec

sysopt connection permit-pptp

crypto ipsec transform-set pix esp-des esp-md5-hmac

crypto dynamic-map dyn-pix 101 set transform-set pix

crypto dynamic-map dyn-pix 121 match address outside_cryptomap_dyn_121

crypto dynamic-map dyn-pix 121 set transform-set pix

crypto dynamic-map dyn-pix 141 match address outside_cryptomap_dyn_141

crypto dynamic-map dyn-pix 141 set transform-set pix

isakmp enable outside

isakmp identity address

isakmp keepalive 10

isakmp nat-traversal 20

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

vpngroup homeclient address-pool vpnpool

vpngroup homeclient dns-server *.*.*.*

vpngroup homeclient wins-server *.*.*.*

vpngroup homeclient default-domain

vpngroup homeclient split-tunnel 101

vpngroup homeclient idle-time 1800

vpngroup homeclient password ********

vpngroup ThirdParty address-pool vpnpool2

vpngroup ThirdParty dns-server *.*.*.*

vpngroup ThirdParty wins-server *.*.*.*

vpngroup ThirdParty default-domain

vpngroup ThirdParty split-tunnel 101

vpngroup ThirdParty idle-time 1800

vpngroup ThirdParty password ********

vpngroup HAWRADIUS address-pool vpnpool

vpngroup HAWRADIUS dns-server *.*.*.*

vpngroup HAWRADIUS wins-server *.*.*.*

vpngroup HAWRADIUS default-domain

vpngroup HAWRADIUS split-tunnel 101

vpngroup HAWRADIUS idle-time 1800

vpngroup HAWRADIUS authentication-server HAWRADIUS

vpngroup HAWRADIUS password ********

Re: One VPN group to use radius

There's one command:

crypto map dyn-pix client authentication HAWRADIUS

However, this might require ALL groups to authenticate using Radius.

Anyway, to check the Radius messages:

debug aaa events

debug aaa packets

debug aaa authentication

Please rate if this helped.

Regards,

Daniel
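As an added example (not part of the thread and not Cisco code), this Python check reads the authentication-related lines of a PIX 6.3 config like the one posted above and reports where VPN client authentication is attached, before and after the suggested `crypto map ... client authentication` line. The `audit` function and the trimmed sample config are assumptions made for illustration.

```python
# Constructed sample: the auth-relevant lines of the posted config
# (server address masked, as in the post).
POSTED = """\
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server HAWRADIUS protocol radius
aaa-server HAWRADIUS (inside) host *.*.*.* cisco timeout 5
vpngroup homeclient address-pool vpnpool
vpngroup ThirdParty address-pool vpnpool2
vpngroup HAWRADIUS address-pool vpnpool
vpngroup HAWRADIUS authentication-server HAWRADIUS
"""

def audit(config):
    """Map vpngroups and crypto maps to the aaa-server they name."""
    servers, groups, xauth, findings = {}, {}, {}, []
    for line in config.splitlines():
        t = line.split()
        if t[:1] == ["aaa-server"] and len(t) >= 4:
            s = servers.setdefault(t[1], {"protocol": None, "hosts": 0})
            if t[2] == "protocol":
                s["protocol"] = t[3]
            elif t[3] == "host":          # aaa-server NAME (if) host ADDR ...
                s["hosts"] += 1
        elif t[:1] == ["vpngroup"] and len(t) >= 3:
            groups.setdefault(t[1], None)
            if t[2] == "authentication-server" and len(t) >= 4:
                groups[t[1]] = t[3]
        elif (t[:2] == ["crypto", "map"] and len(t) >= 6
              and t[3:5] == ["client", "authentication"]):
            xauth[t[2]] = t[5]            # the setting lives on the map
    # A referenced server must exist, have a protocol and at least one host.
    for name in sorted(set(filter(None, groups.values())) | set(xauth.values())):
        info = servers.get(name)
        if info is None or info["protocol"] is None:
            findings.append("aaa-server %s is referenced but not defined" % name)
        elif info["hosts"] == 0 and info["protocol"] != "local":
            findings.append("aaa-server %s has no host line" % name)
    named = [g for g, s in groups.items() if s]
    if not xauth and named:
        findings.append("no crypto map carries 'client authentication'; "
                        "vpngroup(s) naming an aaa-server: " + ", ".join(named))
    for cmap, srv in xauth.items():
        findings.append("crypto map %s client authentication %s is set per map, "
                        "not per vpngroup; test every group: %s"
                        % (cmap, srv, ", ".join(groups)))
    return {"groups": groups, "xauth": xauth, "findings": findings}
```

Running `audit` on a saved `sh run` before and after a change lists which groups need a test login while the `debug aaa` commands above are active.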

Gold

Re: One VPN group to use radius

I was thinking the 'no xauth' command was for this, but that's for site-to-site VPNs when used with remote access VPNs on the same device/interface.

I'm not sure there's a way to do this on 6.3. I'm pretty sure this is easily doable on 7.x and later, though, using group-policies.

New Member

Re: One VPN group to use radius

Thanks

Glad I'm not going mad!!
