Cisco Support Community
RADIUS Attributes & PIX 6.3(5)

I have a PIX 501 running the latest software - 6.3(5). I have VPDN enabled and I am connecting VPN clients using the Native L2TP client in Windows 2000/XP. This is working fine but I am using Microsoft IAS to authenticate users using RADIUS. The PIX doesn't send the RADIUS Attribute NAS-Port-Type and I would like to use this as one of the Policy Conditions when users attempt to Authenticate the VPN connection (L2TP). I also use IAS to authenticate Telnet/SSH/HTTPS access to the PIX for administration and I would prefer to have separate IAS Policies for VPN & Administration. Currently this isn't possible since the PIX doesn't send the RADIUS Attribute NAS-Port-Type to the IAS Server for Telnet, SSH, HTTPS or VPN connections. Is there a way to enable this or is this a feature in PIX 7.x?

Thanks

Andy

2 REPLIES

Re: RADIUS Attributes & PIX 6.3(5)

For authentication, you can use NT authentication on the ASA or you can enable the MS IAS Radius, also in 7.1.2 you can use LDAP.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800b6099.shtml

Re: RADIUS Attributes & PIX 6.3(5)

Thanks for the reply Thomas but I think you missed the point. I have Authentication working; the problem is the PIX, running 6.3(5), doesn't send any attributes to the RADIUS server as part of the Authentication request that I can use as part of the IAS Policy.

I authenticate Terminal (telnet/SSH) and HTTPS (PDM) users via RADIUS as well as VPN Users. I have a policy with conditions of the NAS-IP-Address matches the PIX and the Windows Group matches my Cisco Admin group. In this profile I originally only had the Authentication type set to PAP since this is what is sent when Administration Terminal (Telnet/SSH/HTTPS) users access the PIX. When a VPN user accesses the PIX it doesn't send any additional attributes to the RADIUS server indicating this is a VPN connection (such as NAS-Port-Type = VPN....) so I have had to add MSCHAP as an authentication type to the policy. The problem with this is I can't separate VPN & Admin users into two separate policies.

Does PIX 7.x send NAS-Port-Type in the Authentication request to the RADIUS Server?

Thanks

Andy
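To make the point of the original post and the second reply concrete, here is an added Python sketch (not from this thread or from Cisco) that parses the attribute TLVs of a RADIUS Access-Request and shows why a policy keyed on NAS-Port-Type cannot match a request that omits the attribute. The packets are constructed samples; the attribute numbers and the value 5 (Virtual, shown by IAS as "Virtual (VPN)") come from RFC 2865.

```python
import struct
from typing import Dict, List, Optional

# RADIUS attribute type codes from RFC 2865.
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_NAS_PORT_TYPE = 61
NAS_PORT_TYPE_VIRTUAL = 5  # IAS displays this value as "Virtual (VPN)"


def parse_radius_attributes(pkt: bytes) -> Dict[int, List[bytes]]:
    """Return {attribute_type: [raw values]} for a RADIUS packet, validating lengths."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("Length field does not match packet size")
    attrs: Dict[int, List[bytes]] = {}
    off = 20  # skip Code, Identifier, Length, Authenticator
    while off < length:
        if off + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = pkt[off], pkt[off + 1]
        if alen < 2 or off + alen > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(atype, []).append(pkt[off + 2 : off + alen])
        off += alen
    return attrs


def policy_bucket(attrs: Dict[int, List[bytes]]) -> Optional[str]:
    """Which policy a NAS-Port-Type condition would select; None when the attribute is absent."""
    vals = attrs.get(ATTR_NAS_PORT_TYPE)
    if not vals or len(vals[0]) != 4:
        return None  # the PIX 6.3 case in the thread: nothing to key the policy on
    port_type = struct.unpack("!I", vals[0])[0]
    return "vpn" if port_type == NAS_PORT_TYPE_VIRTUAL else "other"


def build_access_request(nas_ip: str, user: str, port_type: Optional[int] = None) -> bytes:
    """Constructed sample Access-Request (code 1) with a zeroed authenticator."""
    body = bytes([ATTR_USER_NAME, 2 + len(user)]) + user.encode()
    body += bytes([ATTR_NAS_IP_ADDRESS, 6]) + bytes(int(o) for o in nas_ip.split("."))
    if port_type is not None:
        body += bytes([ATTR_NAS_PORT_TYPE, 6]) + struct.pack("!I", port_type)
    return struct.pack("!BBH", 1, 0, 20 + len(body)) + bytes(16) + body
```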
