Two VPN groups on PIX 506 - Two Radius Servers on LAN

Discussion in 'Cisco' started by Pichi_b, Mar 27, 2007.

  1. Pichi_b

    Pichi_b Guest

    Hello,

    This is what I would like to do:

    I have two vpngroups (A and B) created on the PIX. I want the A group
    to authenticate via Radius to Server A and the B group to authenticate
    to Server B (also via Radius)

    So it looks like this so far:

    aaa-server A protocol radius
    aaa-server A (inside) host server_A chuck

    aaa-server B protocol radius
    aaa-server B (inside) host server_B berry

    -------------------------------------------------------------------------------------

    vpngroup A authentication-server A
    vpngroup A password ********


    vpngroup B authentication-server B
    vpngroup B password ********

    -------------------------------------------------------------------------------------


    crypto ipsec transform-set myset esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime kilobytes 100000
    crypto dynamic-map dynmap 10 set transform-set myset
    crypto map mymap 10 ipsec-isakmp dynamic dynmap
    crypto map mymap client configuration address initiate
    crypto map mymap client configuration address respond
    crypto map mymap client authentication A
    crypto map mymap interface outside


    --------------------------------------------------------------------------------------



    You can see that I have the crypto map client authentication pointing
    to A and that's OK and it works fine, but when I go to add B it just
    takes the place of A, and I can't have both. I tried creating a new
    crypto map called newmap with all the same things as the original but
    then I am stuck again because I can only apply one map to the outside
    interface.

    Can anyone help?

    Thanks,

    P.
     
    Pichi_b, Mar 27, 2007
    #1

  2. Pichi_b

    Pichi_b Guest

    Hello,

    I am posting this so if anyone else out there runs into this problem
    it will save them a few hours of looking at ambiguous Cisco
    documentation.

    The short answer is this cannot be done on ver 6.3.x

    Only one crypto map client authentication per interface is allowed.
    However you can do a backup for example:

    crypto map MYMAP client authentication AuthIn DR

    Where AuthIn is your primary Authentication Policy and DR is a backup
    policy.

    Hope this helps someone,


    Pedro
     
    Pichi_b, Mar 30, 2007
    #2
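An added configuration-audit check, not from the thread or from Cisco, that reads a PIX-style configuration and reports any vpngroup whose aaa-server group is not the one the crypto map bound to the interface actually uses for client (XAUTH) authentication. It matches only the command forms shown in the thread; the sample configuration, its group names and the host addresses are constructed.

```python
import re
from typing import Dict, List

# Constructed sample resembling the thread's config: vpngroup B names aaa-server
# group B, but the crypto map on the outside interface lists only group A.
SAMPLE_CONFIG = """\
aaa-server A protocol radius
aaa-server A (inside) host 10.0.0.11 chuck
aaa-server B protocol radius
aaa-server B (inside) host 10.0.0.12 berry
vpngroup A authentication-server A
vpngroup B authentication-server B
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication A
crypto map mymap interface outside
"""

def audit_xauth(config: str) -> List[str]:
    """Return findings where a vpngroup's aaa-server is not the map's primary."""
    groups: Dict[str, str] = {}        # vpngroup -> aaa-server group it names
    xauth: Dict[str, List[str]] = {}   # crypto map -> [primary, optional backup]
    bound: Dict[str, str] = {}         # crypto map -> interface it is applied to
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"vpngroup (\S+) authentication-server (\S+)$", line):
            groups[m.group(1)] = m.group(2)
        elif m := re.match(r"crypto map (\S+) client authentication (\S+)(?: (\S+))?$", line):
            # As the thread observed, a later line replaces the earlier one per map.
            xauth[m.group(1)] = [g for g in m.groups()[1:] if g]
        elif m := re.match(r"crypto map (\S+) interface (\S+)$", line):
            bound[m.group(1)] = m.group(2)
    findings: List[str] = []
    for cmap, iface in bound.items():
        servers = xauth.get(cmap, [])
        if not servers:
            findings.append(f"{cmap} on {iface}: no client authentication configured")
            continue
        for vg, aaa in groups.items():
            if aaa == servers[0]:
                continue  # this vpngroup really is authenticated where it expects
            role = "only a backup" if aaa in servers[1:] else "not configured at all"
            findings.append(
                f"vpngroup {vg} names aaa-server {aaa}, but {cmap} on {iface} "
                f"authenticates clients against {servers[0]}; {aaa} is {role}"
            )
    return findings
```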
