Re: Configure PIX with VPN using Individual User Authentication



jeffrey_collins@xxxxxxxxxxx wrote:
I've got a PIX 515 set up for VPN client access using group
authentication. I have a group name and password defined on the PIX.
Clients are able to connect just fine using the same shared group name
and password. However, I've wanted to implement user authentication in
addition to the group authentication. I set up a RADIUS server and have
run some RADIUS tests (switched HTTP auth for administering the PIX to
point to the RADIUS server...and it works fine.) My VPN group is
configured as follows:

vpngroup myvpngroup address-pool vpn
vpngroup myvpngroup dns-server <my dns ip>
vpngroup myvpngroup default-domain <my domain name>
vpngroup myvpngroup idle-time 60000
vpngroup myvpngroup authentication-server RADIUS
vpngroup myvpngroup user-authentication
vpngroup myvpngroup password <my group pw>

Most recently I added these lines to try and get it to trigger user
auth:
vpngroup myvpngroup authentication-server RADIUS
vpngroup myvpngroup user-authentication


The "user-authentication" part goes in the crypto map, but you first must define your RADIUS server, then add it to the crypto map.

example:
aaa-server AD-IAS protocol radius
aaa-server AD-IAS (inside) host x.x.x.x password timeout 10
crypto map outside_map client authentication AD-IAS
crypto map outside_map interface outside
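As an added example (not from the original thread), a small Python audit script that checks a PIX 6.x-style configuration the way this reply describes: every crypto map bound to an interface must carry a `client authentication` line that points at a defined aaa-server group with at least one host. The sample configs, the group name and the RADIUS address are constructed.

```python
import re

# Constructed sample configs (not from the original post): the poster's
# vpngroup-only setup and the same config with the reply's crypto map line.
BROKEN_CFG = """
aaa-server AD-IAS protocol radius
aaa-server AD-IAS (inside) host 192.0.2.10 S3cret timeout 10
vpngroup myvpngroup address-pool vpn
vpngroup myvpngroup password grouppw
crypto map outside_map interface outside
"""

FIXED_CFG = BROKEN_CFG + "crypto map outside_map client authentication AD-IAS\n"


def audit_xauth(config: str) -> list:
    """Return findings; an empty list means every crypto map applied to an
    interface enforces per-user (xauth) authentication via a usable
    aaa-server group. vpngroup lines alone never trigger user auth."""
    servers = set()   # aaa-server groups with a protocol line
    hosts = set()     # aaa-server groups with at least one host line
    bound = set()     # crypto maps applied to an interface
    xauth = {}        # crypto map -> aaa-server group used for xauth
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"aaa-server (\S+) protocol (radius|tacacs\+)$", line):
            servers.add(m.group(1))
        elif m := re.match(r"aaa-server (\S+) \(\S+\) host \S+", line):
            hosts.add(m.group(1))
        elif m := re.match(r"crypto map (\S+) interface \S+$", line):
            bound.add(m.group(1))
        elif m := re.match(r"crypto map (\S+) client authentication (\S+)$", line):
            xauth[m.group(1)] = m.group(2)

    findings = []
    for cmap in sorted(bound):
        if cmap not in xauth:
            findings.append(f"{cmap}: no 'client authentication' line, VPN clients get group auth only")
            continue
        grp = xauth[cmap]
        if grp not in servers:
            findings.append(f"{cmap}: aaa-server group {grp} has no protocol definition")
        elif grp not in hosts:
            findings.append(f"{cmap}: aaa-server group {grp} has no host defined")
    return findings
```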