Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

Remote Access VPN with Radius

Posted on 2007-03-29
1
424 Views
Last Modified: 2010-08-05
I have cisco pix 515E with v6.3. I want to setp Remote access VPN with Radius authentication. Pix is already configured to access our Mail server and some apllication servers from internet. I want to enable authentication only for VPN tunneled users without effecting the static maping of mail and other application servers.  The following is the configuration i prepared for remote access VPN. Can any one help me to add Radius authentication to my configuration and please correct the configuration if any mistakes is there.

access-list vpn permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0
ip local pool vpnpool 192.168.20.1.1-192.168.20.254

nat (inside) 0 access-list vpn

sysopt connection permit-ipsec

crypto ipsec transform-set esp_aes256_sha esp-aes-256 esp-sha-hmac

crypto dynamic-map dynamic_out 100 set transform-set esp_aes256_sha
crypto map out_map 30 ipsec-isakmp dynamic dynamic_out
crypto map out_map interface outside

isakmp enable outside
isakmp identity address

isakmp policy 5 authentication pre-share
isakmp policy 5 encryption aes-256
isakmp policy 5 hash sha
isakmp policy 5 group 2
isakmp policy 5 lifetime 1800

vpngroup myvpn address-pool vpnpool
vpngroup myvpn dns-server 192.168.1.xx
vpngroup myvpn wins-server 192.168.xx
vpngroup myvpn split-tunnel vpn
vpngroup myvpn idle-time 1200
vpngroup myvpn password  xxxxx

Thanks in advance
0
Comment
Question by:manuitpro
1 Comment
 
LVL 10

Accepted Solution

by:
Sorenson earned 250 total points
ID: 18815598
add the lines:
!
aaa-server xxxxx protocol radius
aaa-server xxxxx max-failed-attempts 3
aaa-server xxxxx deadtime 10
aaa-server xxxxx (inside) host ip.ip.ip.ip password  timeout 5
!
! (where xxxxx is the name of your radius server.  ip.ip.ip.ip is the ip address and password is the radius shared secret)

then add:
!
crypto map out_map client authentication xxxxx
!

Be careful if you have any site to site vpns, you will need to be sure that the isakmp key statements have "no-xauth" after the netmask to prevent them from trying to use any other type of authentication

!
if you are using win2k or 2k3 for the radius server, check out this page:  
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800b6099.shtml


0

Featured Post

Announcing the Most Valuable Experts of 2016

MVEs are more concerned with the satisfaction of those they help than with the considerable points they can earn. They are the types of people you feel privileged to call colleagues. Join us in honoring this amazing group of Experts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Use of TCL script on Cisco devices:  - create file and merge it with running configuration to apply configuration changes
For months I had no idea how to 'discover' the IP address of the other end of a link (without asking someone who knows), and it drove me batty. Think about it. You can't use Cisco Discovery Protocol (CDP) because it's not implemented on the ASAs.…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

839 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question