Two VPN groups on PIX 506 - Two Radius Servers on LAN

Discussion in 'Cisco' started by Pichi_b, Mar 27, 2007.

  1. Pichi_b

    Pichi_b Guest

    Hello,

    This is what I would like to do:

    I have two vpngroups (A and B) created on the PIX. I want the A group
    to authenticate via Radius to Server A and the B group to authenticate
    to Server B (also via Radius).

    So it looks like this so far:

    aaa-server A protocol radius
    aaa-server A (inside) host server_A chuck

    aaa-server B protocol radius
    aaa-server B (inside) host server_B berry

    -------------------------------------------------------------------------------------

    vpngroup A authentication-server A
    vpngroup A password ********


    vpngroup B authentication-server B
    vpngroup B password ********

    -------------------------------------------------------------------------------------


    crypto ipsec transform-set myset esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime kilobytes 100000
    crypto dynamic-map dynmap 10 set transform-set myset
    crypto map mymap 10 ipsec-isakmp dynamic dynmap
    crypto map mymap client configuration address initiate
    crypto map mymap client configuration address respond
    crypto map mymap client authentication A
    crypto map mymap interface outside


    --------------------------------------------------------------------------------------



    You can see that I have the crypto map client authentication pointing
    to A and that's OK and it works fine, but when I go to add B it just
    takes the place of A, and I can't have both. I tried creating a new
    crypto map called newmap with all the same things as the original but
    then I am stuck again because I can only apply one map to the outside
    interface.

    Can anyone help??

    Thanks,

    P.
    Pichi_b, Mar 27, 2007
    #1

  2. Pichi_b

    Pichi_b Guest

    Hello,

    I am posting this so if anyone else out there runs into this problem
    it will save them a few hours of looking at ambiguous Cisco
    documentation.

    The short answer is this cannot be done on ver 6.3.x.

    Only one crypto map client authentication per interface is allowed.
    However, you can configure a backup, for example:

    crypto map MYMAP client authentication AuthIn DR

    Where AuthIn is your primary Authentication Policy and DR is a backup
    policy.

    Hope this helps someone,


    Pedro


    Pichi_b, Mar 30, 2007
    #2
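    One way to catch the silent replacement described in this thread before it bites in production is to lint the config. The Python below is an added example, not the poster's code or anything from Cisco: it parses the command forms that appear in the thread, treats a later `crypto map ... client authentication` line as replacing an earlier one for the same map (the 6.3.x behaviour the poster observed), and reports any vpngroup whose authentication-server is not among the servers (primary or backup) on a crypto map that is actually applied to an interface. The sample config is constructed from the thread's fragments; the `vpngroup ... authentication-server` form is taken from the poster's own listing.

```python
import re

# Constructed sample modelled on the fragments in the thread (not the
# poster's real running config; hostnames and keys are placeholders).
SAMPLE_CONFIG = """
aaa-server A protocol radius
aaa-server A (inside) host server_A chuck
aaa-server B protocol radius
aaa-server B (inside) host server_B berry
vpngroup A authentication-server A
vpngroup A password placeholder
vpngroup B authentication-server B
vpngroup B password placeholder
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication A
crypto map mymap interface outside
"""

def parse_pix_config(text):
    """Collect defined aaa-server tags, vpngroup -> auth server, and per
    crypto map its client-authentication servers and bound interface."""
    aaa, vpn_auth, map_auth, map_iface = set(), {}, {}, {}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"aaa-server (\S+) protocol", line)
        if m:
            aaa.add(m.group(1)); continue
        m = re.match(r"vpngroup (\S+) authentication-server (\S+)", line)
        if m:
            vpn_auth[m.group(1)] = m.group(2); continue
        m = re.match(r"crypto map (\S+) client authentication (\S+)(?: (\S+))?$", line)
        if m:
            # A later line for the same map overwrites the earlier one (PIX 6.3.x).
            map_auth[m.group(1)] = [s for s in m.groups()[1:] if s]
            continue
        m = re.match(r"crypto map (\S+) interface (\S+)", line)
        if m:
            map_iface[m.group(1)] = m.group(2)
    return aaa, vpn_auth, map_auth, map_iface

def check_vpngroup_auth(text):
    """Return human-readable findings; an empty list means every vpngroup's
    RADIUS server is reachable through an applied crypto map."""
    aaa, vpn_auth, map_auth, map_iface = parse_pix_config(text)
    issues, consulted = [], set()
    for name, servers in map_auth.items():
        for s in servers:
            if s not in aaa:
                issues.append(f"crypto map {name}: aaa-server {s} is not defined")
        if name in map_iface:          # only maps bound to an interface do XAUTH
            consulted.update(servers)
    for group, server in vpn_auth.items():
        if server not in consulted:
            issues.append(f"vpngroup {group}: aaa-server {server} is never used by an applied crypto map")
    return issues
```

Running it on the thread's configuration flags vpngroup B; adding B as the backup server on the existing `client authentication` line clears the finding.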
