PIX-VPN-Radius

Michael Kiessling
      10-28-2003
Hi,

One of our PIXes needs to authenticate VPN users against a RADIUS server.
The problem is that the PIX can contact the RADIUS server only over its
own VPN tunnel (see below).
AFAIK VPN devices are not able to get into their own VPN tunnel; if that's
true, the only solution is to put a proxy RADIUS in lan1...


lan1::::PIX|--------vpn-tunnel---------|PIX|:::lan2::Radius-Server|
|
|
|___vpn-clients

Maybe someone has a solution that doesn't require setting up a new service (like a
RADIUS proxy).

Thank you very much...
Michael Kiessling
Walter Roberson
      10-28-2003
In article <(E-Mail Removed)>,
Michael Kiessling <(E-Mail Removed)> wrote:
:One of our PIXes needs to authenticate VPN users against a RADIUS server.
:The problem is that the PIX can contact the RADIUS server only over its
:own VPN tunnel (see below).
:AFAIK VPN devices are not able to get into their own VPN tunnel; if that's
:true, the only solution is to put a proxy RADIUS in lan1...


:lan1::::PIX|--------vpn-tunnel---------|PIX|:::lan2::Radius-Server|
: |
: |
: |___vpn-clients

:Maybe someone has a solution that doesn't require setting up a new service (like a
:RADIUS proxy).

I don't think I understand what you mean by,
"Afaik vpn-devices are not able to get in their own vpn-tunnel" ?

When the PIX does RADIUS authentication, the packets are going to
originate from the PIX, not from lan1 or the vpn-clients. If the RADIUS
server is only accessible by VPN, then what you need to do is configure
an additional entry in the access-list named by the 'match address'
clause. The additional entry should allow the *outside* address of the
first PIX to access the resources it needs.

e.g., if you now have
access-list acl-to-lan2 permit ip lan1 255.255.255.0 lan2 255.255.255.0
then add
access-list acl-to-lan2 permit ip host pix1_external host radius_server

and make the corresponding (mirror-image) entry on the other end.
--
How does Usenet function without a fixed point?
Michael Kiessling
      10-29-2003
> I don't think I understand what you mean by,
> "Afaik vpn-devices are not able to get in their own vpn-tunnel" ?


The PIX at lan1 can reach the RADIUS server at lan2 only through the
VPN tunnel, so it has to send its RADIUS packets in its own tunnel.
I thought a VPN device is not able to send packets it generates itself
into its own VPN tunnel, e.g. when you want to verify a VPN tunnel
and you want to ping through it, you need a host in lan1 to ping to
lan2, because you can't send the ping directly from the PIX...


I'll try it with your configuration...

Thank you very much so far...

> e.g., if you now have
> access-list acl-to-lan2 permit ip lan1 255.255.255.0 lan2 255.255.255.0
> then add
> access-list acl-to-lan2 permit ip host pix1_external host radius_server
>
> and make the corresponding (mirror-image) entry on the other end.

Walter Roberson
      10-29-2003
In article <(E-Mail Removed)>,
Michael Kiessling <(E-Mail Removed)> wrote:
:> I don't think I understand what you mean by,
:> "Afaik vpn-devices are not able to get in their own vpn-tunnel" ?

:The PIX at lan1 can reach the RADIUS server at lan2 only through the
:VPN tunnel, so it has to send its RADIUS packets in its own tunnel.
:I thought a VPN device is not able to send packets it generates itself
:into its own VPN tunnel, e.g. when you want to verify a VPN tunnel
:and you want to ping through it, you need a host in lan1 to ping to
:lan2, because you can't send the ping directly from the PIX...

Traffic originating from the PIX itself can be included in a VPN tunnel
by naming the external IP address of the PIX itself in the
'match address' ACL.

I didn't figure this one out myself; I had to ask the TAC for how to do
it the first time, as it was not clear in the 5.2 documentation I was
starting from. The wording has been improved since then, but I think
you still have to know exactly what you are looking for before you can
find it.
--
If a troll and a half can hook a reader and a half in a posting and a half,
how many readers can six trolls hook in six postings?
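Walter's two answers above (add the first PIX's outside address to the 'match address' ACL, and mirror it on the far end) in concrete form, as an added example that is not part of the original thread and not anyone's posted configuration. Everything in it is assumed for illustration: PIX 6.3-style syntax, 192.168.1.0/24 for lan1, 192.168.2.0/24 for lan2, 203.0.113.1 and 198.51.100.1 for the two PIX outside interfaces, 192.168.2.10 for the RADIUS server, the ACL/map/server-group names, the transform set, and the key placeholders in angle brackets. Lines beginning with "!" are annotations for the reader, not PIX commands; the VPN-client side (dynamic crypto map, xauth) is left out because it is unchanged by this fix.

```cisco
! ===== PIX1 (lan1 side; outside address 203.0.113.1, assumed) =====
! First line: the existing LAN-to-LAN entry. Second line: the addition.
! RADIUS requests sent by PIX1 itself carry source 203.0.113.1, so without
! the host line they never match the crypto ACL and would leave the outside
! interface unencrypted (and, here, never reach the server at all).
access-list acl-to-lan2 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list acl-to-lan2 permit ip host 203.0.113.1 host 192.168.2.10
! NAT exemption for the LAN-to-LAN traffic (PIX1 does not translate packets
! it sources itself, so the host line needs no nonat entry on this side).
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nonat
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-aes-256 esp-sha-hmac
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address acl-to-lan2
crypto map vpnmap 10 set peer 198.51.100.1
crypto map vpnmap 10 set transform-set strong
crypto map vpnmap interface outside
isakmp enable outside
isakmp key <pix-to-pix-preshared-key> address 198.51.100.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
! The RADIUS server sits behind the tunnel, so the server group points out
! the outside interface; the shared secret is a placeholder.
aaa-server RADIUS protocol radius
aaa-server RADIUS (outside) host 192.168.2.10 <radius-shared-secret> timeout 10
! VPN clients terminating on the same crypto map are authenticated against it.
crypto map vpnmap client authentication RADIUS

! ===== PIX2 (lan2 side; outside address 198.51.100.1, assumed) =====
! Mirror image of PIX1's crypto ACL, host line included. The RADIUS server's
! replies to 203.0.113.1 cross PIX2 from inside to outside, so on this side
! the host pair also needs the NAT exemption.
access-list acl-to-lan1 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list acl-to-lan1 permit ip host 192.168.2.10 host 203.0.113.1
access-list nonat permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat permit ip host 192.168.2.10 host 203.0.113.1
nat (inside) 0 access-list nonat
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-aes-256 esp-sha-hmac
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address acl-to-lan1
crypto map vpnmap 10 set peer 203.0.113.1
crypto map vpnmap 10 set transform-set strong
crypto map vpnmap interface outside
isakmp enable outside
isakmp key <pix-to-pix-preshared-key> address 203.0.113.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
```

To check it, have a VPN client authenticate and then run `show crypto ipsec sa` on PIX1: a second IPsec SA whose local identity is 203.0.113.1/255.255.255.255 and remote identity 192.168.2.10/255.255.255.255 should appear alongside the existing lan1/lan2 SA, and `show aaa-server` (or a `debug radius`) should show replies arriving rather than timeouts. The host lines are deliberately narrow (one PIX address to one server) so the new tunnel policy carries nothing beyond the RADIUS exchange; this matters because RADIUS on its own only protects the password with an MD5-based obfuscation keyed on the shared secret, so running it across the IPsec tunnel, not in the clear across the Internet, is the whole point of the exercise.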
Michael Kiessling
      10-31-2003
> Traffic originating from the PIX itself can be included in a VPN tunnel
> by naming the external IP address of the PIX itself in the
> 'match address' ACL.


I'll try it...

Thank you very much for spending time on my problem,
Michael Kiessling