Different AAA servers for different vpn groups on Cisco PIX.

Posted on 2005-03-09
Last Modified: 2013-11-16

A difficult one here for you experts :)

I want to start using tokens for a select group of VPN clients. All VPN authentication is done against my Windows 2000 IAS server (RADIUS). For tokens I use RSA/ACE Server, which is installed on another server. I have 2 vpngroups (group ABC and group DEF) in my PIX config. What I want to do is make group ABC authenticate against the IAS server, and group DEF against the RSA server.

I don't think this can be done (after I tried everything). This is a breeze for the concentrator, so I automatically assumed that it was also possible on the PIX; boy was I wrong, or was I? Anyone?
Question by:martap
LVL 79

Expert Comment

ID: 13499820
Using Cisco client or Microsoft client?

Author Comment

ID: 13499853

Using the Cisco client.
LVL 79

Expert Comment

ID: 13500088
Unfortunately, it appears that you can only assign one authentication method per crypto map.
However, you can use one authentication method for the Cisco VPN clients and different ones for multiple PPTP VPDN groups...

! PIX 6.x syntax. Each "host" line needs the server address, which is
! missing from the post as quoted, so <ias-ip> and <rsa-ip> are placeholders.
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host <ias-ip> mysecretkey timeout 10
aaa-server RSA protocol radius
aaa-server RSA (inside) host <rsa-ip> mysecretkey timeout 10
! The crypto map (Cisco VPN client XAUTH) can reference only one aaa-server group
crypto map MAP client authentication RADIUS
! Each PPTP VPDN group can reference its own aaa-server group
vpdn group PPTP client authentication aaa RSA

aaa-server RSA2 protocol tacacs+
aaa-server RSA2 (inside) host <rsa-ip> mysecretkey timeout 10
vpdn group PPTP2 client authentication aaa RSA2
vpdn group PPTP3 client authentication aaa LOCAL

Accepted Solution

minmei earned 2000 total points
ID: 13505847
Can you get the Windows 2000 server upgraded to 2003? Reason is that 2003 IAS supports Connection Request Processing - a Microsoft name for a RADIUS proxy server.

This will allow you to point everything to 2003 IAS from PIX but then redirect authentications to the RSA server when appropriate.

Link at http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_ias_crp_intro.asp
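The accepted answer depends on IAS Connection Request Processing acting as a RADIUS proxy that forwards some requests to the RSA server. As an added illustration that is not from this thread or from IAS itself, the Python below parses a RADIUS Access-Request and applies an ordered policy list the way such a proxy would; the routing-by-User-Name-realm rule, the group names and the sample users are assumptions, since the thread does not say which attribute the policies matched on.

```python
import re
import struct

# RFC 2865 attribute type codes used below
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4

def parse_attributes(packet: bytes) -> dict:
    """Return {type: [value, ...]} for the attribute TLVs after the 20-byte header."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("RADIUS length field does not match packet")
    attrs, pos = {}, 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:  # reject truncated or overlong TLVs
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return attrs

# Hypothetical connection request policies, evaluated in order as IAS does.
# Assumption: token users carry a realm suffix in User-Name; server group
# names are placeholders, not anything configured on the original network.
POLICIES = [
    (r"^[^@]+@token\.example$", "RSA-ACE"),  # forward to the RSA server group
    (r"^[^@]+$", "LOCAL-IAS"),               # plain names are handled locally
]

def route_request(packet: bytes) -> tuple:
    """Pick the forwarding target for one Access-Request; unmatched -> REJECT."""
    attrs = parse_attributes(packet)
    if ATTR_USER_NAME not in attrs:
        return "", "REJECT"  # no identity to match a policy on
    user = attrs[ATTR_USER_NAME][0].decode("utf-8", "replace")
    for pattern, target in POLICIES:
        if re.match(pattern, user):
            return user, target
    return user, "REJECT"

def build_access_request(user: str, nas_ip: str) -> bytes:
    """Constructed test input: a minimal Access-Request with a zeroed authenticator."""
    name = user.encode("utf-8")
    body = bytes([ATTR_USER_NAME, 2 + len(name)]) + name
    body += bytes([ATTR_NAS_IP_ADDRESS, 6]) + bytes(int(o) for o in nas_ip.split("."))
    return struct.pack("!BBH", 1, 0, 20 + len(body)) + bytes(16) + body

if __name__ == "__main__":
    for who in ("alice@token.example", "bob", "eve@other.example"):
        print(who, "->", route_request(build_access_request(who, "10.0.0.1"))[1])
```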


Author Comment

ID: 13529070

Fantastic, works like a charm, minmei...

I also tried your solution, lrmoore, but I couldn't get the tokens to work with PPTP. Did you ever see it work?
