dtadmin
asked on
vpngroups
I have created a vpngroup on my pix and now I am trying to configure it to authenticate to our domain controller. I have tried the command "vpngroup DTVPN authentication-server <IP address>", but it keeps telling me invalid server_tag.....
vpngroup <group_name> password <preshared_key>
vpngroup <group_name> address-pool <pool_name>
vpngroup <group_name> dns-server <dns_ip_prim> [<dns_ip_sec>]
vpngroup <group_name> wins-server <wins_ip_prim> [<wins_ip_sec>]
vpngroup <group_name> default-domain <domain_name>
vpngroup <group_name> split-tunnel <access_list>
vpngroup <group_name> split-dns domain_name1 [domain_name2 ... domain_name8]
vpngroup <group_name> backup-server {{<ip1> [<ip2> ... <ip10>]} | clear-client-cfg}
vpngroup <group_name> pfs
vpngroup <group_name> idle-time <idle_seconds>
vpngroup <group_name> max-time <max_seconds>
vpngroup <group_name> secure-unit-authentication
vpngroup <group_name> authentication-server <server_tag>
vpngroup <group_name> user-authentication
vpngroup <group_name> user-idle-timeout <user_idle_seconds>
vpngroup <group_name> device-pass-through
ASKER
It is prompting me to designate an aaa-server protocol when I try to execute the aaa-server host ip command. The only protocols it lets me choose from are tacacs+ and radius. I want to configure this so I authenticate to my Windows domain controller. I have a pix515 in production that is set up for a protocol of nt that points to our production domain controller, but I don't have that option on the 506. Any ideas?
Can you post the output of the 515? We can work out why it won't happen on your 506.
Also, post the output of the following from both PIXs:
sh version
cheers
ASKER CERTIFIED SOLUTION
In using:
vpngroup DTVPN authentication-server <IP address>
the problem is that the last section (server_tag) is not an IP address but an aaa-server tag, e.g.:
aaa-server server_tag [(if_name)] host server_ip [key] [timeout seconds]
aaa-server server_tag max-failed-attempts <number>
aaa-server server_tag protocol auth_protocol
That is what you need to match it up to, so if you have an aaa-server already listed, match that server tag to your vpngroup.
hth
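To make the tag-matching rule concrete, here is an added example (not from the thread or from Cisco) that checks a PIX configuration for exactly the mistake above: every `vpngroup <group> authentication-server <server_tag>` must name a tag that was defined with `aaa-server <server_tag> protocol ...` and given at least one `aaa-server <server_tag> host ...` line. The sample configuration is constructed for this example; the tag name DCAUTH, the interface, the key and the addresses are all assumptions. DCAUTH uses protocol radius because that is one of the two choices the 506 offers in the thread; the example does not settle the nt-protocol question, which the thread leaves open.

```python
"""Check that every vpngroup authentication-server on a PIX config refers to
a defined aaa-server tag (constructed example, not Cisco code)."""
import re
from typing import Dict, List

# Constructed sample configuration. The DTVPN group reproduces the mistake
# from the thread (an IP address where a server tag belongs); SALESVPN shows
# the correct form. DCAUTH, 10.1.1.5 and the pool are assumed values.
SAMPLE_CONFIG = """\
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server DCAUTH protocol radius
aaa-server DCAUTH (inside) host 10.1.1.5 s3cr3tkey timeout 10
ip local pool vpnpool 192.168.50.1-192.168.50.50
vpngroup DTVPN address-pool vpnpool
vpngroup DTVPN authentication-server 10.1.1.5
vpngroup DTVPN password ********
vpngroup SALESVPN address-pool vpnpool
vpngroup SALESVPN authentication-server DCAUTH
vpngroup SALESVPN password ********
"""

AAA_PROTO_RE = re.compile(r"^aaa-server\s+(\S+)\s+protocol\s+(\S+)\s*$")
# Optional "(if_name)" between the tag and the host keyword, as in the syntax line.
AAA_HOST_RE = re.compile(r"^aaa-server\s+(\S+)\s+(?:\(\S+\)\s+)?host\s+(\S+)")
VPN_AUTH_RE = re.compile(r"^vpngroup\s+(\S+)\s+authentication-server\s+(\S+)")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_aaa_servers(config: str) -> Dict[str, dict]:
    """Map each aaa-server tag to its protocol and the hosts bound to it."""
    servers: Dict[str, dict] = {}
    for raw in config.splitlines():
        line = raw.strip()
        m = AAA_PROTO_RE.match(line)
        if m:
            tag, proto = m.groups()
            servers.setdefault(tag, {"protocol": None, "hosts": []})["protocol"] = proto
            continue
        m = AAA_HOST_RE.match(line)
        if m:
            tag, host = m.groups()
            servers.setdefault(tag, {"protocol": None, "hosts": []})["hosts"].append(host)
    return servers


def parse_vpngroup_auth(config: str) -> Dict[str, str]:
    """Map each vpngroup name to the server_tag it names for authentication."""
    refs: Dict[str, str] = {}
    for raw in config.splitlines():
        m = VPN_AUTH_RE.match(raw.strip())
        if m:
            refs[m.group(1)] = m.group(2)
    return refs


def check_config(config: str) -> List[str]:
    """Return one message per vpngroup whose authentication-server is unusable."""
    servers = parse_aaa_servers(config)
    problems: List[str] = []
    for group, tag in sorted(parse_vpngroup_auth(config).items()):
        if tag in servers:
            # Tag exists; it still needs a host line before the PIX can reach anything.
            if not servers[tag]["hosts"]:
                problems.append(f"{group}: aaa-server {tag} has a protocol but no host line")
            continue
        msg = f"{group}: authentication-server '{tag}' is not a defined aaa-server tag"
        if IPV4_RE.match(tag):
            # The thread's exact mistake: an IP address in the server_tag position.
            owners = [t for t, s in servers.items() if tag in s["hosts"]]
            if owners:
                msg += f" (looks like an IP address; use tag {owners[0]} which has host {tag})"
            else:
                msg += " (looks like an IP address; define an aaa-server tag with that host first)"
        problems.append(msg)
    return problems


if __name__ == "__main__":
    for problem in check_config(SAMPLE_CONFIG) or ["no dangling authentication-server tags"]:
        print(problem)
```

On the sample, the checker flags only DTVPN and points at DCAUTH, which is the tag whose host line carries 10.1.1.5; the fix on the PIX is `vpngroup DTVPN authentication-server DCAUTH`. The built-in TACACS+, RADIUS and LOCAL tags have no host lines in the sample, but nothing references them, so they are not reported.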