Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

VPN / Radius Setup 2

Status
Not open for further replies.
Aug 22, 2001
17
US
We are looking to setup RADIUS authentication for our Cisco VPN-clients, without effecting our LAN-LAN VPN connections.

We have 2 sites set up for IPSec tunnels. These sites are always up and do not need the extended authentication. We have a group of laptops and home PC's using the vpn-client that we would like to add RADIUS authentication to.

The radius server is set up and responding to authent requests, but I am not sure how to tell the pix to ignore the LAN-LAN connections. We are using vpngroups and access-lists to setup all connections.

Would the best solution be to use this command:

aaa authentication match [access-list] outside AuthInbound

and use the no-nat access list for the VPN Clients?
Since the lan-lan tunnels are always up, it is very difficult for me to test these things out.

Any help would be appriciated.
Thanks,
Scott
 
HI.

First, make sure to backup your current config.

Then, you can configure for vpn clients using vpngroup and other commands.
There is no problem to combine "pix to pix" and "client to pix with xauth" VPN at the same time and machine.

The "aaa authentication" is not related to this scenario. It is for authenticating regular connections, not vpn.

The command to enable xauth is:

crypto map "MAPNAME" client authentication "AAAGROUPNAME"


For creating a sample config that combines site to site and client access you can use pixcript:

Bye
Yizhar Hurwitz
 
Ok, I entered the command:

crypto map mymap client authentication AuthInbound

and it worked properly for authenticating the Cisco VPN Clients. BUT, the pix also tried to authenticate the LAN-LAN VPN connection, which is not possible and kicked 2 remote departments off-line.

Any other idea's?

Thanks,
Scott
 
OK, Everything works now. I forgot the no-xauth on the ISAKMP key statement.

Thanks for the help.

Scott
 
Here you go:

aaa-server radius-authport 1812
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server AuthInbound protocol radius
aaa-server AuthInbound (inside) host 1.0.0.203 pass timeout 100
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set strongestset esp-3des esp-sha-hmac
crypto ipsec transform-set strongset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set strongestset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap 20 ipsec-isakmp
crypto map mymap 20 match address nonat_sec
crypto map mymap 20 set peer xxx.xxx.xxx.xx
crypto map mymap 20 set transform-set strongestset
crypto map mymap 20 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map mymap 30 ipsec-isakmp
crypto map mymap 30 match address nonat_minn
crypto map mymap 30 set peer xxx.xxx.xxx.xx
crypto map mymap 30 set transform-set strongestset
crypto map mymap 30 set security-association lifetime seconds 86400 kilobytes 4608000
crypto map mymap client authentication AuthInbound
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address xxx.xxx.xx.xx netmask 255.255.255.255 no-xauth
isakmp key ******** address xxx.xxx.xxx.xx netmask 255.255.255.255 no-xauth
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash sha
isakmp policy 40 group 1
isakmp policy 40 lifetime 86400
vpngroup usfl0w4cc3ss address-pool vpnpool
vpngroup usfl0w4cc3ss dns-server 1.0.1.16
vpngroup usfl0w4cc3ss wins-server 1.0.1.16
vpngroup usfl0w4cc3ss default-domain bertschco.com
vpngroup usfl0w4cc3ss split-tunnel 102
vpngroup usfl0w4cc3ss idle-time 1800
vpngroup usfl0w4cc3ss password ********
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top