Solved

Different AAA servers for different vpn groups on Cisco PIX.

Posted on 2005-03-09
Last Modified: 2013-11-16

A difficult one here for you experts :)

I want to start using tokens for a select group of VPN clients. All VPN authentication is done against my Windows 2000 IAS server (RADIUS). For tokens I use RSA/ACE Server which is installed on another server. I have 2 vpngroups (group ABC and group DEF) in my PIX config. What I want to do is make group ABC authenticate against the IAS server, and group DEF against the RSA server.

I don't think this can be done (after I tried everything). This is a breeze for the concentrator so I automatically assumed that it was also possible on the PIX; boy was I wrong, or was I? Anyone?
Question by:martap
5 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 13499820
Using Cisco client or Microsoft client?
0
 
LVL 5

Author Comment

by:martap
ID: 13499853

Using the Cisco client.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 13500088
Unfortunately, it appears that you can only assign one authentication method per crypto map.
However, you can use one authentication method for the Cisco VPN clients and different ones for multiple PPTP VPDN groups...

aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.168.122.150 mysecretkey timeout 10
aaa-server RSA protocol radius
aaa-server RSA (inside) host 192.168.122.149 mysecretkey timeout 10
!
crypto map MAP client authentication RADIUS
!
vpdn group PPTP client authentication aaa RSA

!
aaa-server RSA2 protocol tacacs+
aaa-server RSA2 (inside) host 192.168.122.148 mysecretkey timeout 10
vpdn group PPTP2 client authentication aaa RSA2
vpdn group PPTP3 client authentication aaa LOCAL
0
 
LVL 7

Accepted Solution

by:
minmei earned 2000 total points
ID: 13505847
Can you get the Windows 2000 server upgraded to 2003? Reason is that 2003 IAS supports Connection Request Processing - a Microsoft name for a RADIUS proxy server.

This will allow you to point everything to 2003 IAS from PIX but then redirect authentications to the RSA server when appropriate.

Link at http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_ias_crp_intro.asp

HTH
0
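The routing decision a RADIUS proxy like the one in the accepted solution has to make, as an added example that is not from this thread and not IAS code: it parses an RFC 2865 Access-Request and picks an upstream server from the User-Name. The "tok-" username prefix, port 1812 and all function names are assumptions; the two hosts are the IAS and RSA addresses from the config posted above.

```python
import re
import struct

ACCESS_REQUEST = 1   # RADIUS packet code (RFC 2865)
ATTR_USER_NAME = 1   # User-Name attribute type (RFC 2865)

# Assumed routing rules: the first matching User-Name pattern wins.
# The "tok-" prefix for token users is hypothetical; port 1812 is assumed.
ROUTES = [
    (re.compile(r"^tok-", re.I), ("192.168.122.149", 1812)),  # RSA/ACE server
    (re.compile(r".*"), ("192.168.122.150", 1812)),           # IAS (default)
]

def parse_attributes(packet: bytes) -> dict:
    """Return {type: [values]} for a RADIUS packet, validating every length."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("Length field disagrees with datagram size")
    attrs, pos = {}, 20  # attributes start after the 16-byte Authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(a_type, []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return attrs

def choose_upstream(packet: bytes):
    """Pick the upstream (host, port) for an Access-Request by User-Name."""
    if packet[0:1] != bytes([ACCESS_REQUEST]):
        raise ValueError("not an Access-Request")
    names = parse_attributes(packet).get(ATTR_USER_NAME)
    if not names:
        raise ValueError("Access-Request without User-Name")
    user = names[0].decode("utf-8", "replace")
    for pattern, upstream in ROUTES:
        if pattern.search(user):
            return upstream

def build_request(user: str) -> bytes:
    """Constructed sample Access-Request carrying only a User-Name attribute."""
    attr = bytes([ATTR_USER_NAME, len(user) + 2]) + user.encode()
    header = struct.pack("!BBH", ACCESS_REQUEST, 7, 20 + len(attr))
    return header + bytes(16) + attr  # zeroed Authenticator, sample only
```

Malformed or truncated requests raise `ValueError` instead of being routed, so a damaged packet is never forwarded to either server.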
 
LVL 5

Author Comment

by:martap
ID: 13529070

Fantastic, works like a charm, minmei...

I also tried your solution, lrmoore, but I couldn't get the tokens to work with PPTP. Did you ever see it work?
0
