RE: [fw-wiz] Different Authentication For vpngroups On PIX
From: Paul Melson (pmelson_at_gmail.com)
Date: 09/22/05
- Previous message: Mason Schmitt: "Re: [fw-wiz] The home user problem returns"
- Next in thread: Mike Bydalek: "Re: [fw-wiz] Different Authentication For vpngroups On PIX"
- Reply: Mike Bydalek: "Re: [fw-wiz] Different Authentication For vpngroups On PIX"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "'Mike Bydalek'" <mbydalek@contentconnections.com>, <firewall-wizards@honor.icsalabs.com>
Date: Thu, 22 Sep 2005 13:02:48 -0400
-----Original Message-----
Subject: [fw-wiz] Different Authentication For vpngroups On PIX
> Currently we have a PIX 515E with a vpngroup setup to use AAA via
> radius. What I'm trying to do is create a second vpngroup that doesn't
> use AAA (yes, I know what I'm doing and have valid reasons ;) ). What's
> happening is that when I take out my crypto map line of:
>
> crypto map outside_map client authentication freeradius
>
> and add the following lines to my vpngroup I want to authenticate:
>
> vpngroup myauthgroup authentication-server freeradius
> vpngroup myauthgroup user-authentication
>
> people in myauthgroup are able to authenticate with no client
> authentication. The Cisco VPN client just lets them connect as long as
> their group password is correct.
Nope, vpngroup user-authentication is only for forcing individual per-IP
authentication for clients behind another PIX or VPN3K configured in
client mode.
I'm not sure you can even do what you propose. I think it's 1 crypto map
per interface, 1 client auth method per crypto map until you get to PIX OS
7.x on the ASA class firewalls (where you set this up like a VPN3K).
Either way, your crypto map must specify what type of client XAUTH it will
use. If it doesn't specify, then no XAUTH is used and it only checks
vpngroup/password to allow access. That's what's happening to you now.
What might (but probably won't) work:
aaa-server freeradius protocol radius
aaa-server freeradius (inside) host 10.1.2.3
aaa-server localauth protocol local
crypto map outside_map client authentication freeradius
crypto map outside_map client authentication localauth
Then set up your vpngroup as you normally would and use 'username' to add
local user/pass pairs. But again, this probably won't work.
PaulM
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
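A small audit script, added here as an example and not from the thread or from Cisco, that checks a PIX 6.x configuration for the condition Paul describes: a crypto map bound to an interface with no 'client authentication' line (so no XAUTH, group password only), plus vpngroups carrying 'user-authentication' or 'authentication-server' as if those supplied XAUTH. The configuration text it parses is constructed for the example and the hostnames, IPs and group names in it are placeholders.

```python
import re

# Constructed sample PIX 6.x configuration in the shape of the one in the
# thread: XAUTH was removed from the crypto map and moved onto a vpngroup,
# which is the change that leaves users checked by group password only.
SAMPLE_CONFIG = """
aaa-server freeradius protocol radius
aaa-server freeradius (inside) host 10.1.2.3 SHAREDKEY timeout 5
crypto dynamic-map dynmap 10 set transform-set strong
crypto map outside_map 20 ipsec-isakmp dynamic dynmap
crypto map outside_map interface outside
vpngroup myauthgroup address-pool vpnpool
vpngroup myauthgroup authentication-server freeradius
vpngroup myauthgroup user-authentication
vpngroup myauthgroup password ********
vpngroup nogroup address-pool vpnpool
vpngroup nogroup password ********
"""

CLIENT_AUTH = re.compile(r"^crypto map (\S+) client authentication (\S+)", re.M)
MAP_IFACE = re.compile(r"^crypto map (\S+) interface (\S+)", re.M)
VPNGROUP = re.compile(r"^vpngroup (\S+) (\S+)", re.M)


def audit_xauth(config):
    """Return a list of findings (strings); empty means XAUTH is configured."""
    # crypto map name -> aaa-server tag used for XAUTH
    xauth = {cmap: srv for cmap, srv in CLIENT_AUTH.findall(config)}
    findings = []
    for cmap, iface in MAP_IFACE.findall(config):
        if cmap not in xauth:
            findings.append(f"crypto map {cmap} on {iface}: no 'client authentication' "
                            f"line, so remote-access users are checked by group password only")
    # vpngroup name -> set of keywords configured on it
    groups = {}
    for name, keyword in VPNGROUP.findall(config):
        groups.setdefault(name, set()).add(keyword)
    for name, keywords in sorted(groups.items()):
        if not xauth and keywords & {"user-authentication", "authentication-server"}:
            findings.append(f"vpngroup {name}: 'user-authentication'/'authentication-server' "
                            f"do not provide XAUTH for software clients; use the crypto map instead")
    return findings


if __name__ == "__main__":
    for line in audit_xauth(SAMPLE_CONFIG):
        print(line)
```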