Velocity Reviews - Computer Hardware Reviews


PIX VPN Radius Authentication question
Hi everyone,

I have a Cisco PIX with a dynamic crypto map set up. I have roaming
users who connect with the Cisco client, and one user who has a
persistent tunnel set up with a SonicWall.

The thing is, I want to require RADIUS authentication, but only for
those using the Cisco client. The SonicWall I don't want to require
this on.

When I apply the following command to my crypto map:

crypto map test client authentication AuthInbound

The RADIUS works fine, the clients can connect up, and it prompts for
their username and password, then lets them in appropriately. However,
this kills the Sonicwall's tunnel, because there isn't any way to tell
it to supply a certain username and password when asked. I confirmed
this with Sonicwall's tech support.

So my only option is to see if there is some way to exclude the
SonicWall's IP from requiring authentication.

Here are the relevant parts of my config:

access-list 120 permit ip Main x.x.x.x
access-list 120 permit ip x.x.x.x x.x.x.x

aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server RADIUS (inside) host x.x.x.x timeout 10
aaa-server LOCAL protocol local
aaa-server AuthInbound protocol radius
aaa-server AuthInbound max-failed-attempts 3
aaa-server AuthInbound deadtime 10
aaa-server AuthInbound (inside) host x.x.x.x MYPASSWORD timeout 10

sysopt connection permit-ipsec
sysopt ipsec pl-compatible

crypto ipsec transform-set strongsha esp-3des esp-sha-hmac
crypto dynamic-map pixtosw 10 set transform-set strongsha
crypto map test 200 ipsec-isakmp dynamic pixtosw
crypto map test client authentication AuthInbound
crypto map test interface outside

isakmp enable outside
isakmp key ******** address netmask
isakmp identity address
isakmp nat-traversal 10
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800

vpngroup MYGROUP address-pool VPN_Lease
vpngroup MYGROUP dns-server x.x.x.x
vpngroup MYGROUP wins-server x.x.x.x
vpngroup MYGROUP default-domain MINE
vpngroup MYGROUP idle-time 1800
vpngroup MYGROUP password ********
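
Added example, not part of the original post: a small Python check that reads a PIX 6.x style configuration and lists the fixed-address IKE peers that will be challenged for Xauth once `crypto map ... client authentication` is enabled. It relies on the `no-xauth` option of `isakmp key`, which PIX 6.x supports but which does not appear in the post; the sample configuration, peer addresses and key names are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample config (not from the post); addresses are documentation ranges.
SAMPLE_CONFIG = """\
crypto map test 200 ipsec-isakmp dynamic pixtosw
crypto map test client authentication AuthInbound
crypto map test interface outside
isakmp key KEY-A address 192.0.2.10 netmask 255.255.255.255
isakmp key KEY-B address 198.51.100.7 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key KEY-C address 0.0.0.0 netmask 0.0.0.0
"""

KEY_RE = re.compile(r"^isakmp key \S+ address (\S+)(?: netmask (\S+))?(.*)$")
XAUTH_RE = re.compile(r"^crypto map (\S+) client authentication (\S+)")

def xauth_maps(config):
    """Return {crypto map name: AAA server tag} for maps that enforce Xauth."""
    return dict(m.groups() for line in config.splitlines()
                if (m := XAUTH_RE.match(line.strip())))

def peers(config):
    """Yield (address, netmask, exempt) for each pre-shared key line."""
    for line in config.splitlines():
        m = KEY_RE.match(line.strip())
        if m:
            addr, mask, opts = m.groups()
            # Assumption: a key line without a netmask is treated as a host entry.
            yield addr, mask or "255.255.255.255", "no-xauth" in opts.split()

def challenged_host_peers(config):
    """Fixed-address peers that will be prompted for Xauth credentials.

    Simplification: keys are global, so any map enforcing Xauth counts.
    The wildcard key (0.0.0.0/0.0.0.0) is skipped because the roaming
    clients that use it are supposed to be challenged.
    """
    if not xauth_maps(config):
        return []
    return [addr for addr, mask, exempt in peers(config)
            if mask == "255.255.255.255" and not exempt]

if __name__ == "__main__":
    print("Xauth enforced on:", xauth_maps(SAMPLE_CONFIG))
    for addr in challenged_host_peers(SAMPLE_CONFIG):
        print("peer", addr, "has no 'no-xauth' and will be challenged")
```

A peer reported here is a site-to-site device that cannot answer the username and password prompt; adding `no-xauth` to its `isakmp key` line exempts only that peer, while the wildcard key used by the roaming clients keeps RADIUS authentication.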
