PIX VPN Radius Authentication question

Discussion in 'Cisco' started by seanh012@gmail.com, Apr 5, 2005.

  1. Guest

    Hi everyone,

    I have a Cisco PIX with a dynamic crypto map set up. I have roaming
    users who connect with the Cisco client, and one user who has a
    persistent tunnel set up with a SonicWall.

    The thing is, I want to require RADIUS authentication, but only for
    those using the Cisco client. I don't want to require this for the
    SonicWall.

    When I apply the following command to my crypto map:

    crypto map test client authentication AuthInbound

    RADIUS works fine: the clients can connect, it prompts for
    their username and password, then lets them in appropriately. However,
    this kills the SonicWall's tunnel, because there isn't any way to tell
    it to supply a certain username and password when asked. I confirmed
    this with SonicWall's tech support.

    So my only option is to see if there is some way to exclude the
    SonicWall's IP from requiring authentication.

    Here are the relevant parts of my config:

    access-list 120 permit ip Main 255.255.0.0 x.x.x.x 255.255.255.0
    access-list 120 permit ip x.x.x.x 255.0.0.0 x.x.x.x 255.255.255.0

    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server RADIUS (inside) host x.x.x.x timeout 10
    aaa-server LOCAL protocol local
    aaa-server AuthInbound protocol radius
    aaa-server AuthInbound max-failed-attempts 3
    aaa-server AuthInbound deadtime 10
    aaa-server AuthInbound (inside) host x.x.x.x MYPASSWORD timeout 10

    sysopt connection permit-ipsec
    sysopt ipsec pl-compatible

    crypto ipsec transform-set strongsha esp-3des esp-sha-hmac
    crypto dynamic-map pixtosw 10 set transform-set strongsha
    crypto map test 200 ipsec-isakmp dynamic pixtosw
    crypto map test client authentication AuthInbound
    crypto map test interface outside

    isakmp enable outside
    isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
    isakmp identity address
    isakmp nat-traversal 10
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash sha
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 28800

    vpngroup MYGROUP address-pool VPN_Lease
    vpngroup MYGROUP dns-server x.x.x.x
    vpngroup MYGROUP wins-server x.x.x.x
    vpngroup MYGROUP default-domain MINE
    vpngroup MYGROUP idle-time 1800
    vpngroup MYGROUP password ********
     
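Added example, not from the original post: one way to keep XAUTH for the roaming clients while exempting the SonicWall peer, using the PIX 6.x `isakmp key ... no-xauth no-config-mode` keywords. The PIX selects the most specific `isakmp key` entry for a peer, so a host-specific key with `no-xauth` takes precedence over the existing `0.0.0.0 0.0.0.0` wildcard key even though `client authentication` stays on the map; it also stops sharing the roaming-client PSK with the site-to-site peer. The SonicWall's public address (203.0.113.10), its protected subnet (192.0.2.0/24), the key string and the access-list number 130 are placeholders, not values from the post.

```cisco
! --- Added example, not part of the original configuration ---
! Assumptions (placeholders): SonicWall public address 203.0.113.10,
! SonicWall protected network 192.0.2.0/24, access-list 130, key SONICWALLKEY.

! 1. Peer-specific pre-shared key that skips XAUTH and mode-config for this
!    peer only. More specific than the 0.0.0.0/0 wildcard key used by the
!    roaming clients, so it is matched first for this address.
isakmp key SONICWALLKEY address 203.0.113.10 netmask 255.255.255.255 no-xauth no-config-mode

! 2. Static crypto map entry for the site-to-site peer. It needs a lower
!    sequence number than the dynamic entry (200) so it is evaluated first;
!    "Main" is the network name already used in access-list 120.
access-list 130 permit ip Main 255.255.0.0 192.0.2.0 255.255.255.0
crypto map test 10 ipsec-isakmp
crypto map test 10 match address 130
crypto map test 10 set peer 203.0.113.10
crypto map test 10 set transform-set strongsha

! 3. The dynamic entry, wildcard key and
!    "crypto map test client authentication AuthInbound" are left as they
!    are, so Cisco clients are still prompted for RADIUS credentials.

! 4. Check: after the SonicWall rebuilds its tunnel, the ISAKMP SA should be
!    in QM_IDLE with no XAUTH prompt, and phase 2 should show the new entry.
show isakmp sa
show crypto ipsec sa
```

The NAT exemption (`nat 0 access-list`) for the SonicWall's subnet is not in the posted excerpt and is unchanged by this; the `no-config-mode` keyword only matters because the SonicWall does not request an address from `VPN_Lease`, while the roaming clients still do.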
