Firewall Wizards mailing list archives
RE: Different Authentication For vpngroups On PIX
From: "Paul Melson" <pmelson () gmail com>
Date: Thu, 22 Sep 2005 13:02:48 -0400
-----Original Message-----
Subject: [fw-wiz] Different Authentication For vpngroups On PIX

> Currently we have a PIX 515E with a vpngroup setup to use AAA via radius.
> What I'm trying to do is create a second vpngroup that doesn't use AAA (yes, I
> know what I'm doing and have valid reasons ;) ). What's happening is that when I take
> out my crypto map line of:
>
> crypto map outside_map client authentication freeradius
>
> and add the following lines to my vpngroup I want to authenticate:
>
> vpngroup myauthgroup authentication-server freeradius
> vpngroup myauthgroup user-authentication
>
> people in myauthgroup are able to authenticate with no client authentication. The
> Cisco VPN client just lets them connect as long as their group password is correct.

Nope, vpngroup user-authentication is only for forcing individual per-IP authentication for clients behind another PIX or VPN3K configured in client mode.

I'm not sure you can even do what you propose. I think it's 1 crypto map per interface, 1 client auth method per crypto map until you get to PIX OS 7.x on the ASA class firewalls (where you set this up like a VPN3K). Either way, your crypto map must specify what type of client XAUTH it will use. If it doesn't specify, then no XAUTH is used and it only checks vpngroup/password to allow access. That's what's happening to you now.

What might (but probably won't) work:

aaa-server freeradius protocol radius
aaa-server freeradius (inside) host 10.1.2.3
aaa-server localauth protocol local
crypto map outside_map client authentication freeradius
crypto map outside_map client authentication localauth

Then set up your vpngroup as you normally would and use 'username' to add local user/pass pairs. But again, this probably won't work.

PaulM
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
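
An added example, not part of the original post or of any Cisco tooling: a small config audit for the condition the reply describes, where a crypto map bound to an interface has no "client authentication" line and VPN clients are admitted on the vpngroup password alone. The helper name audit_xauth and both sample configs are constructed; the "crypto map ... interface" and "vpngroup ... password" line forms are assumed PIX 6.x syntax beyond what the post shows.

```python
import re

# Constructed sample: the poster's situation after removing the crypto map
# "client authentication" line (group password shown as a placeholder).
SAMPLE_NO_XAUTH = """\
aaa-server freeradius protocol radius
aaa-server freeradius (inside) host 10.1.2.3
crypto map outside_map interface outside
vpngroup myauthgroup password PLACEHOLDER
vpngroup myauthgroup authentication-server freeradius
vpngroup myauthgroup user-authentication
"""
# Constructed sample: the same config with the crypto map line restored.
SAMPLE_XAUTH = SAMPLE_NO_XAUTH + "crypto map outside_map client authentication freeradius\n"


def audit_xauth(config):
    """Hypothetical helper: list crypto maps that admit clients without XAUTH."""
    bound, xauth, aaa_tags, groups = {}, {}, set(), set()
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"crypto map (\S+) interface (\S+)$", line):
            bound[m[1]] = m[2]            # map name -> interface it is applied to
        elif m := re.match(r"crypto map (\S+) client authentication (\S+)$", line):
            xauth[m[1]] = m[2]            # map name -> aaa-server tag used for XAUTH
        elif m := re.match(r"aaa-server (\S+) protocol \S+$", line):
            aaa_tags.add(m[1])            # defined aaa-server tags
        elif m := re.match(r"vpngroup (\S+) \S+", line):
            groups.add(m[1])              # any vpngroup definition
    findings = []
    for name, ifname in sorted(bound.items()):
        server = xauth.get(name)
        if server is None and groups:
            findings.append(f"{name} on {ifname}: no client authentication; "
                            f"vpngroups {sorted(groups)} admitted on group password only")
        elif server is not None and server not in aaa_tags:
            findings.append(f"{name} on {ifname}: client authentication names "
                            f"undefined aaa-server {server!r}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("no XAUTH", SAMPLE_NO_XAUTH), ("XAUTH", SAMPLE_XAUTH)):
        print(label, audit_xauth(cfg) or "ok")
```

The vpngroup authentication-server and user-authentication lines are deliberately not treated as enabling XAUTH, following the reply's statement that they only apply to clients behind a device in client mode.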