[Webinar] Streamline your web hosting managementRegister Today

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 440
  • Last Modified:

Remote Access VPN with Radius

I have cisco pix 515E with v6.3. I want to setp Remote access VPN with Radius authentication. Pix is already configured to access our Mail server and some apllication servers from internet. I want to enable authentication only for VPN tunneled users without effecting the static maping of mail and other application servers.  The following is the configuration i prepared for remote access VPN. Can any one help me to add Radius authentication to my configuration and please correct the configuration if any mistakes is there.

access-list vpn permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0
ip local pool vpnpool 192.168.20.1.1-192.168.20.254

nat (inside) 0 access-list vpn

sysopt connection permit-ipsec

crypto ipsec transform-set esp_aes256_sha esp-aes-256 esp-sha-hmac

crypto dynamic-map dynamic_out 100 set transform-set esp_aes256_sha
crypto map out_map 30 ipsec-isakmp dynamic dynamic_out
crypto map out_map interface outside

isakmp enable outside
isakmp identity address

isakmp policy 5 authentication pre-share
isakmp policy 5 encryption aes-256
isakmp policy 5 hash sha
isakmp policy 5 group 2
isakmp policy 5 lifetime 1800

vpngroup myvpn address-pool vpnpool
vpngroup myvpn dns-server 192.168.1.xx
vpngroup myvpn wins-server 192.168.xx
vpngroup myvpn split-tunnel vpn
vpngroup myvpn idle-time 1200
vpngroup myvpn password  xxxxx

Thanks in advance
0
manuitpro
Asked:
manuitpro
1 Solution
 
SorensonCommented:
add the lines:
!
aaa-server xxxxx protocol radius
aaa-server xxxxx max-failed-attempts 3
aaa-server xxxxx deadtime 10
aaa-server xxxxx (inside) host ip.ip.ip.ip password  timeout 5
!
! (where xxxxx is the name of your radius server.  ip.ip.ip.ip is the ip address and password is the radius shared secret)

then add:
!
crypto map out_map client authentication xxxxx
!

Be careful if you have any site to site vpns, you will need to be sure that the isakmp key statements have "no-xauth" after the netmask to prevent them from trying to use any other type of authentication

!
if you are using win2k or 2k3 for the radius server, check out this page:  
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800b6099.shtml


0

Featured Post

[Webinar] Kill tickets & tabs using PowerShell

Are you tired of cycling through the same browser tabs everyday to close the same repetitive tickets? In this webinar JumpCloud will show how you can leverage RESTful APIs to build your own PowerShell modules to kill tickets & tabs using the PowerShell command Invoke-RestMethod.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now