PIX VPN Radius Authentication question

Discussion in 'Cisco' started by seanh012, Apr 5, 2005.

    seanh012 (Guest)

    Hi everyone,

    I have a Cisco PIX with a dynamic crypto map set up. I have roaming
    users who connect with the Cisco client, and one user who has a
    persistent tunnel set up with a Sonicwall.

    The thing is, I want to require RADIUS authentication, but only for
    those using the Cisco client. The Sonicwall I don't want to require
    this on.

    When I apply the following command to my crypto map:

    crypto map test client authentication AuthInbound

    The RADIUS works fine, the clients can connect up, and it prompts for
    their username and password, then lets them in appropriately. However,
    this kills the Sonicwall's tunnel, because there isn't any way to tell
    it to supply a certain username and password when asked. I confirmed
    this with Sonicwall's tech support.

    So my only option is to see if there is some way to exclude the
    Sonicwall's IP from requiring authentication.

    Here are the relevant parts of my config:

    access-list 120 permit ip Main x.x.x.x
    access-list 120 permit ip x.x.x.x x.x.x.x

    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server RADIUS (inside) host x.x.x.x timeout 10
    aaa-server LOCAL protocol local
    aaa-server AuthInbound protocol radius
    aaa-server AuthInbound max-failed-attempts 3
    aaa-server AuthInbound deadtime 10
    aaa-server AuthInbound (inside) host x.x.x.x MYPASSWORD timeout 10

    sysopt connection permit-ipsec
    sysopt ipsec pl-compatible

    crypto ipsec transform-set strongsha esp-3des esp-sha-hmac
    crypto dynamic-map pixtosw 10 set transform-set strongsha
    crypto map test 200 ipsec-isakmp dynamic pixtosw
    crypto map test client authentication AuthInbound
    crypto map test interface outside

    isakmp enable outside
    isakmp key ******** address netmask
    isakmp identity address
    isakmp nat-traversal 10
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash sha
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 28800

    vpngroup MYGROUP address-pool VPN_Lease
    vpngroup MYGROUP dns-server x.x.x.x
    vpngroup MYGROUP wins-server x.x.x.x
    vpngroup MYGROUP default-domain MINE
    vpngroup MYGROUP idle-time 1800
    vpngroup MYGROUP password ********
    seanh012, Apr 5, 2005
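As an added example (not from the post, and not Cisco's own tooling), here is a small Python audit that parses a PIX 6.x-style config in the shape quoted above and reports which statically keyed peers would be prompted for XAUTH once `client authentication` is applied to the crypto map bound to the interface. The sample config and its addresses are constructed; the exemption check assumes the PIX 6.3 `no-xauth` keyword on an `isakmp key ... address` line.

```python
import re

# Constructed sample in the style of the config quoted in the post.
# Addresses are placeholders (the post masks them as x.x.x.x).
SAMPLE_CONFIG = """
aaa-server AuthInbound protocol radius
aaa-server AuthInbound (inside) host 10.0.0.5 MYPASSWORD timeout 10
crypto dynamic-map pixtosw 10 set transform-set strongsha
crypto map test 200 ipsec-isakmp dynamic pixtosw
crypto map test client authentication AuthInbound
crypto map test interface outside
isakmp key ******** address 203.0.113.7 netmask 255.255.255.255
isakmp key ******** address 198.51.100.9 netmask 255.255.255.255 no-xauth no-config-mode
"""

XAUTH_RE = re.compile(r"^crypto map (\S+) client authentication (\S+)")
IFACE_RE = re.compile(r"^crypto map (\S+) interface (\S+)")
KEY_RE = re.compile(r"^isakmp key \S+ address (\S+)(.*)$")


def audit_xauth(config):
    """Return (xauth_maps, affected_peers).

    xauth_maps: {crypto map name: aaa-server group} for every map that has
    'client authentication' AND is bound to an interface, i.e. every peer
    terminating on that interface is challenged for XAUTH credentials.
    affected_peers: static pre-shared-key peers on the box that do not carry
    the PIX 6.3 'no-xauth' exemption and would therefore be challenged too
    (the site-to-site case described in the post).
    """
    auth_groups, bound_maps, peers = {}, set(), []
    for raw in config.splitlines():
        line = raw.strip()
        if m := XAUTH_RE.match(line):
            auth_groups[m.group(1)] = m.group(2)
        elif m := IFACE_RE.match(line):
            bound_maps.add(m.group(1))
        elif m := KEY_RE.match(line):
            # group(2) holds the trailing options, e.g. 'netmask ... no-xauth'
            exempt = "no-xauth" in m.group(2).split()
            peers.append((m.group(1), exempt))
    xauth_maps = {n: g for n, g in auth_groups.items() if n in bound_maps}
    affected = [ip for ip, exempt in peers if not exempt] if xauth_maps else []
    return xauth_maps, affected


if __name__ == "__main__":
    maps, affected = audit_xauth(SAMPLE_CONFIG)
    print("XAUTH enforced on:", maps)
    print("static peers that will be prompted for XAUTH:", affected)
```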
