RE: [fw-wiz] Different Authentication For vpngroups On PIX
From: Paul Melson (pmelson_at_gmail.com)
To: "'Mike Bydalek'" <email@example.com>, <firstname.lastname@example.org> Date: Thu, 22 Sep 2005 13:02:48 -0400
Subject: [fw-wiz] Different Authentication For vpngroups On PIX
> Currently we have a PIX 515E with a vpngroup setup to use AAA via.
> radius. What I'm trying to do is create a second vpngroup that doesn't
use AAA (yes, I > know what I'm doing and have valid reasons ;) ). What's
happening is that when I take > out my line crypto map line of:
> crypto map outside_map client authentication freeradius
> and add the following lines to my vpngroup I want to authenticate:
> vpngroup myauthgroup authentication-server freeradius
> vpngroup myauthgroup user-authentication
> people in myauthgroup are able to authenticate with no client
> Cisco VPN client just let's them connect as long as their group password
Nope, vpngroup user-authentication is only for forcing individual per-IP
authentication for clients behind a another PIX or VPN3K configured in
I'm not sure you can even do what you propose. I think it's 1 crypto map
per interface, 1 client auth method per crypto map until you get to PIX OS
7.x on the ASA class firewalls (where you set this up like a VPN3K).
Either way, your crypto map must specify what type of client XAUTH it will
use. If it doesn't specify, then no XAUTH is used and it only checks
vpngroup/password to allow access. That's what's happening to you now.
What might (but probably won't) work:
aaa-server freeradius protocol radius
aaa-server freeradius (inside) host 10.1.2.3
aaa-server localauth protocol local
crypto map outside_map client authentication freeradius
crypto map outside_map client authentication localauth
Then set up your vpngroup as you normally would and use 'username' to add
local user/pass pairs. But again, this probably won't work.
firewall-wizards mailing list