Re: [fw-wiz] Different Authentication For vpngroups On PIX

From: Mike Bydalek (mbydalek_at_contentconnections.com)
Date: 09/22/05

  • Next message: vulnerable: "[fw-wiz] PIX assessment"
    To: firewall-wizards@honor.icsalabs.com
    Date: Thu, 22 Sep 2005 10:20:53 -0700
    
    

    Paul Melson wrote:

    >-----Original Message-----
    >Subject: [fw-wiz] Different Authentication For vpngroups On PIX
    >
    >>Currently we have a PIX 515E with a vpngroup set up to use AAA via
    >>RADIUS. What I'm trying to do is create a second vpngroup that doesn't
    >>...
    >
    >Nope, vpngroup user-authentication is only for forcing individual per-IP
    >authentication for clients behind another PIX or VPN3K configured in
    >client mode.
    >
    Ah, thank you for clearing this up as I wasn't aware of that.

    >I'm not sure you can even do what you propose. I think it's 1 crypto map
    >per interface, 1 client auth method per crypto map until you get to PIX OS
    >7.x on the ASA class firewalls (where you set this up like a VPN3K).
    >
    >Either way, your crypto map must specify what type of client XAUTH it will
    >use. If it doesn't specify, then no XAUTH is used and it only checks
    >vpngroup/password to allow access. That's what's happening to you now.
    >
    >

    This makes sense.

    Let me then take this and change my question a little. What I am trying
    to do is have a server automatically VPN in, back up some files, and then
    disconnect. In order to do this, one of the options is storing the
    user/pass on the server (not the best idea in the world, but if I have
    to, I have to). So, what would then be the best way to set up for this
    scenario?

    Thank you,
    Mike Bydalek