Solved

Remove Radius from Pix

Posted on 2006-06-26
7
844 Views
Last Modified: 2012-06-21
Hey guys, I am trying to remove RADIUS from the VPN so we will not have to use it anymore in this particular network.
Our Cisco guy is on a leave of absence, so of course I am now having to learn Cisco, which I think is great.
Could I trouble someone for some help to remove RADIUS?
These are the aaa-server lines out of the PIX.
Thanks a million in advance.
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server vpnauth protocol radius
aaa-server vpnauth max-failed-attempts 3
aaa-server vpnauth deadtime 10
aaa-server vpnauth (inside) host 192.168.2.11 nic31ne timeout 10
Question by:jjeffords
7 Comments
 
LVL 13

Expert Comment

by:prashsax
You just can't remove RADIUS that easily.

Since your VPN authentication is happening using RADIUS, you need to re-configure your VPN to use local user authentication.

Then you can safely remove the RADIUS authentication.

 

Author Comment

by:jjeffords
How would I do that? Here is the config:
vpngroup randypack address-pool remote
vpngroup randypack dns-server 192.168.2.11
vpngroup randypack wins-server 192.168.2.11
vpngroup randypack default-domain victory2004
vpngroup randypack idle-time 1800
vpngroup randypack password ********
vpngroup salvpn address-pool remote
vpngroup salvpn dns-server 192.168.2.11
vpngroup salvpn wins-server 192.168.2.11
vpngroup salvpn default-domain victory2004
vpngroup salvpn split-tunnel salvpn_splitTunnelAcl
vpngroup salvpn split-dns victory2004
vpngroup salvpn idle-time 1800
vpngroup salvpn password ********
 

Author Comment

by:jjeffords
Better yet, here is the whole config:

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ************ encrypted
passwd *********** encrypted
hostname pixfirewall
domain-name azdebate.com
no fixup protocol dns
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_outbound_nat0_acl permit ip 192.168.2.0 255.255.254.0 192.168.88.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 192.168.88.0 255.255.255.0
access-list in2 permit ip any any
access-list office_splitTunnelAcl permit ip 192.168.2.0 255.255.254.0 any
access-list outside_cryptomap_dyn_40 permit ip any 192.168.88.0 255.255.255.0
access-list red2 permit ip 198.92.103.112 255.255.255.240 any
access-list red2 permit ip 72.236.70.48 255.255.255.240 any
access-list red2 permit icmp any any echo-reply
access-list red2 permit tcp any host 72.236.70.60 eq 3389
access-list red2 permit tcp any host 72.236.70.58 eq smtp
access-list red2 permit tcp any host 72.236.70.59 eq www
access-list red2 permit tcp any host 72.236.70.59 eq https
access-list outside_cryptomap_dyn_60 permit ip any 192.168.88.0 255.255.255.0
access-list salvpn_splitTunnelAcl permit ip 192.168.2.0 255.255.255.0 any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 72.236.70.60 255.255.255.240
ip address inside 192.168.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool remote 192.168.88.1-192.168.88.254
pdm location 192.168.2.0 255.255.254.0 inside
pdm location 198.92.103.112 255.255.255.240 outside
pdm location 72.236.70.48 255.255.255.240 outside
pdm location 0.0.0.0 0.0.0.0 inside
pdm location 192.168.1.0 255.255.255.0 inside
pdm location 192.168.2.11 255.255.255.255 inside
pdm location 192.168.2.12 255.255.255.255 inside
pdm location 192.168.2.25 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 192.168.2.25 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 6013 192.168.2.13 3389 netmask 255.255.255.255 0 0
static (inside,outside) 72.236.70.59 192.168.2.11 dns netmask 255.255.255.255 0 0
static (inside,outside) 72.236.70.58 192.168.2.12 dns netmask 255.255.255.255 0 0
access-group red2 in interface outside
access-group in2 in interface inside
route outside 0.0.0.0 0.0.0.0 72.236.70.49 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server vpnauth protocol radius
aaa-server vpnauth max-failed-attempts 3
aaa-server vpnauth deadtime 10
aaa-server vpnauth (inside) host 192.168.2.11 nic31ne timeout 10
http server enable
http 198.92.103.112 255.255.255.240 outside
http 72.236.70.48 255.255.255.240 outside
http 192.168.1.0 255.255.255.0 inside
http 192.168.2.0 255.255.254.0 inside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 60 match address outside_cryptomap_dyn_60
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication vpnauth
crypto map outside_map interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup randypack address-pool remote
vpngroup randypack dns-server 192.168.2.11
vpngroup randypack wins-server 192.168.2.11
vpngroup randypack default-domain victory2004
vpngroup randypack idle-time 1800
vpngroup randypack password ********
vpngroup salvpn address-pool remote
vpngroup salvpn dns-server 192.168.2.11
vpngroup salvpn wins-server 192.168.2.11
vpngroup salvpn default-domain victory2004
vpngroup salvpn split-tunnel salvpn_splitTunnelAcl
vpngroup salvpn split-dns victory2004
vpngroup salvpn idle-time 1800
vpngroup salvpn password ********
telnet timeout 5
ssh 198.92.103.112 255.255.255.240 outside
ssh 72.236.70.48 255.255.255.240 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
management-access inside
console timeout 0
dhcpd address 192.168.2.90-192.168.2.100 inside
dhcpd dns 192.168.2.11
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
LVL 79

Expert Comment

by:lrmoore
Just simply remove this line:
>crypto map outside_map client authentication vpnauth

The client will no longer ask for a secondary username/password for authentication; it will use just the VPN group and vpngroup password.

You can put it back any time and all the other Radius stuff will still be there.
 
LVL 10

Expert Comment

by:naveedb
What do you plan to do with the authentication after removing RADIUS?

You have a few options: you can remove it all, which will require you to create local users and passwords.

Or you can remove it and just use the group name/password for VPN authentication.
 

Author Comment

by:jjeffords
Well, basically they are going to just connect using the Cisco client, but we didn't want the second authentication to be required. It was for a campaign and it is now over, so it went from like 100 people connecting to 3, and they want it gone.
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points

no crypto map outside_map client authentication vpnauth
crypto map outside_map interface outside

Done!
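A check for the situation discussed in this thread, added here as an example and not code from the original posts or from Cisco: it parses PIX 6.3-style config text, finds which aaa-server groups are still named by some statement, and shows that dropping the crypto map client authentication line is what makes the vpnauth group (and its clear-text shared key on the host line) safe to remove as well. The builtin-group set and the list of statement types that reference a group are assumptions, and the sample config is constructed from the one posted above with a placeholder key.

```python
import re

# Constructed sample in the style of the PIX 6.3 config posted above; the shared key is a placeholder.
SAMPLE_CONFIG = """\
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server vpnauth protocol radius
aaa-server vpnauth (inside) host 192.168.2.11 EXAMPLE-SHARED-KEY timeout 10
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication vpnauth
"""

# Groups present in a factory-default PIX 6.x config (assumed); never reported as removable.
BUILTIN_GROUPS = {"TACACS+", "RADIUS", "LOCAL"}
AAA_DEF = re.compile(r"^aaa-server (\S+) ")
# Statements that name an aaa-server group as their last token (assumed list, not exhaustive).
AAA_REFS = [
    re.compile(r"^crypto map \S+ client authentication (\S+)$"),
    re.compile(r"^aaa (?:authentication|authorization|accounting) .*\s(\S+)$"),
]
HOST_LINE = re.compile(r"^aaa-server (\S+) \((\S+)\) host (\S+)(?: (\S+))?(?: timeout \d+)?$")

def aaa_groups(config_text):
    """Return ({tag: defining lines}, {tag: referencing lines})."""
    defined, refs = {}, {}
    for raw in config_text.splitlines():
        line = raw.strip()
        m = AAA_DEF.match(line)
        if m:
            defined.setdefault(m.group(1), []).append(line)
            continue
        for pat in AAA_REFS:
            m = pat.match(line)
            if m:
                refs.setdefault(m.group(1), []).append(line)
    return defined, refs

def removable_groups(config_text):
    """Non-builtin aaa-server groups that no statement in the config still uses."""
    defined, refs = aaa_groups(config_text)
    return sorted(t for t in defined if t not in refs and t not in BUILTIN_GROUPS)

def after_removing(config_text, statement):
    """Config with one statement dropped, as 'no <statement>' does on the PIX."""
    return "\n".join(l for l in config_text.splitlines() if l.strip() != statement)

def host_entries(config_text):
    """(tag, interface, host, has_key) per aaa-server host line; PIX 6.3 keeps keys in clear text."""
    matches = (HOST_LINE.match(l.strip()) for l in config_text.splitlines())
    return [(m.group(1), m.group(2), m.group(3), m.group(4) is not None) for m in matches if m]
```

Run removable_groups on the running config before and after after_removing the client authentication line; host_entries lists the RADIUS hosts whose shared key should be retired once the group is gone.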