RE: [fw-wiz] Different Authentication For vpngroups On PIX

From: Paul Melson (pmelson_at_gmail.com)
Date: 09/22/05

    To: "'Mike Bydalek'" <mbydalek@contentconnections.com>, <firewall-wizards@honor.icsalabs.com>
    Date: Thu, 22 Sep 2005 13:02:48 -0400
    
    

    -----Original Message-----
    Subject: [fw-wiz] Different Authentication For vpngroups On PIX

    > Currently we have a PIX 515E with a vpngroup setup to use AAA via
    > radius. What I'm trying to do is create a second vpngroup that doesn't
    > use AAA (yes, I know what I'm doing and have valid reasons ;) ). What's
    > happening is that when I take out my crypto map line of:
    >
    > crypto map outside_map client authentication freeradius
    >
    > and add the following lines to my vpngroup I want to authenticate:
    >
    > vpngroup myauthgroup authentication-server freeradius
    > vpngroup myauthgroup user-authentication
    >
    > people in myauthgroup are able to authenticate with no client
    > authentication. The Cisco VPN client just lets them connect as long as
    > their group password is correct.

    Nope, vpngroup user-authentication is only for forcing individual per-IP
    authentication for clients behind another PIX or VPN3K configured in
    client mode.

    I'm not sure you can even do what you propose. I think it's 1 crypto map
    per interface, 1 client auth method per crypto map until you get to PIX OS
    7.x on the ASA class firewalls (where you set this up like a VPN3K).

    Either way, your crypto map must specify what type of client XAUTH it will
    use. If it doesn't specify, then no XAUTH is used and it only checks
    vpngroup/password to allow access. That's what's happening to you now.

    What might (but probably won't) work:

    aaa-server freeradius protocol radius
    aaa-server freeradius (inside) host 10.1.2.3
    aaa-server localauth protocol local
    crypto map outside_map client authentication freeradius
    crypto map outside_map client authentication localauth

    Then set up your vpngroup as you normally would and use 'username' to add
    local user/pass pairs. But again, this probably won't work.

    PaulM

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
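As an added example (not code from the thread or from Cisco), a small Python audit that reads a PIX 6.x-style configuration and flags crypto maps that carry no `client authentication` line, which is the state Paul describes where only the vpngroup password gates access. The sample configuration is constructed for the example and mirrors the commands quoted in the thread.

```python
import re

# Constructed sample PIX 6.x config (not from the original post). It has a
# crypto map on the outside interface but no "client authentication" entry,
# so remote clients are admitted on the vpngroup password alone.
SAMPLE_CONFIG = """\
aaa-server freeradius protocol radius
aaa-server freeradius (inside) host 10.1.2.3
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
vpngroup myauthgroup address-pool vpnpool
vpngroup myauthgroup password ********
vpngroup myauthgroup authentication-server freeradius
vpngroup myauthgroup user-authentication
vpngroup noauthgroup address-pool vpnpool2
vpngroup noauthgroup password ********
"""


def audit_pix_xauth(config_text):
    """Return (xauth, groups): xauth maps each crypto map name to the list of
    AAA server tags named in its "client authentication" lines; groups is the
    sorted list of vpngroup names. A crypto map with an empty list performs no
    per-user XAUTH, regardless of what the vpngroup lines say."""
    xauth = {}
    groups = set()
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r"crypto map (\S+) ", line)
        if m:
            # Register the map on any of its lines (sequence entries,
            # interface binding, client settings), then look for XAUTH.
            xauth.setdefault(m.group(1), [])
            m2 = re.match(r"crypto map (\S+) client authentication (\S+)", line)
            if m2:
                xauth[m2.group(1)].append(m2.group(2))
            continue
        m = re.match(r"vpngroup (\S+) ", line)
        if m:
            groups.add(m.group(1))
    return xauth, sorted(groups)


def maps_without_xauth(config_text):
    """Names of crypto maps that admit clients on group password only."""
    xauth, _ = audit_pix_xauth(config_text)
    return sorted(name for name, servers in xauth.items() if not servers)


if __name__ == "__main__":
    for name in maps_without_xauth(SAMPLE_CONFIG):
        print(f"crypto map {name}: no client authentication (XAUTH) configured")
```

Re-adding the `crypto map outside_map client authentication freeradius` line makes the finding disappear, which matches Paul's point that XAUTH lives on the crypto map, not on the vpngroup.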
