Solved

Remote Access VPN with Radius

Posted on 2007-03-29
1
426 Views
Last Modified: 2010-08-05
I have cisco pix 515E with v6.3. I want to setp Remote access VPN with Radius authentication. Pix is already configured to access our Mail server and some apllication servers from internet. I want to enable authentication only for VPN tunneled users without effecting the static maping of mail and other application servers.  The following is the configuration i prepared for remote access VPN. Can any one help me to add Radius authentication to my configuration and please correct the configuration if any mistakes is there.

access-list vpn permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0
ip local pool vpnpool 192.168.20.1.1-192.168.20.254

nat (inside) 0 access-list vpn

sysopt connection permit-ipsec

crypto ipsec transform-set esp_aes256_sha esp-aes-256 esp-sha-hmac

crypto dynamic-map dynamic_out 100 set transform-set esp_aes256_sha
crypto map out_map 30 ipsec-isakmp dynamic dynamic_out
crypto map out_map interface outside

isakmp enable outside
isakmp identity address

isakmp policy 5 authentication pre-share
isakmp policy 5 encryption aes-256
isakmp policy 5 hash sha
isakmp policy 5 group 2
isakmp policy 5 lifetime 1800

vpngroup myvpn address-pool vpnpool
vpngroup myvpn dns-server 192.168.1.xx
vpngroup myvpn wins-server 192.168.xx
vpngroup myvpn split-tunnel vpn
vpngroup myvpn idle-time 1200
vpngroup myvpn password  xxxxx

Thanks in advance
0
Comment
Question by:manuitpro
1 Comment
 
LVL 10

Accepted Solution

by:
Sorenson earned 250 total points
ID: 18815598
add the lines:
!
aaa-server xxxxx protocol radius
aaa-server xxxxx max-failed-attempts 3
aaa-server xxxxx deadtime 10
aaa-server xxxxx (inside) host ip.ip.ip.ip password  timeout 5
!
! (where xxxxx is the name of your radius server.  ip.ip.ip.ip is the ip address and password is the radius shared secret)

then add:
!
crypto map out_map client authentication xxxxx
!

Be careful if you have any site to site vpns, you will need to be sure that the isakmp key statements have "no-xauth" after the netmask to prevent them from trying to use any other type of authentication

!
if you are using win2k or 2k3 for the radius server, check out this page:  
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800b6099.shtml


0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

There are many useful and sometimes not well documented or forgotten IOS or ASA/PIX commands. See IPE article here , there was also one on PacketU and on Cisco Tips & Tricks. Below are my favorites. I give also a few most often used for Cisco IPS an…
Exchange server is not supported in any cloud-hosted platform (other than Azure with Azure Premium Storage).
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

735 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question