Solved

vpngroups

Posted on 2008-06-19
4
539 Views
Last Modified: 2013-11-16
I have created a vpngroup on my pix and now I am trying to configure it to authenticate to our domain controller. I have tried the command "vpngroup DTVPN authentication-server <IP address>", but it keeps telling me invalid server_tag.....

vpngroup <group_name> password <preshared_key>
        vpngroup <group_name> address-pool <pool_name>
        vpngroup <group_name> dns-server <dns_ip_prim> [<dns_ip_sec>]
        vpngroup <group_name> wins-server <wins_ip_prim> [<wins_ip_sec>]
        vpngroup <group_name> default-domain <domain_name>
        vpngroup <group_name> split-tunnel <access_list>
        vpngroup <group_name> split-dns domain_name1 [domain_name2 ... domain_name8]
        vpngroup <group_name> backup-server {{<ip1> [<ip2> ... <ip10>]} | clear-client-cfg}
        vpngroup <group_name> pfs
        vpngroup <group_name> idle-time <idle_seconds>
        vpngroup <group_name> max-time <max_seconds>
        vpngroup <group_name> secure-unit-authentication
        vpngroup <group_name> authentication-server <server_tag>
        vpngroup <group_name> user-authentication
        vpngroup <group_name> user-idle-timeout <user_idle_seconds>
        vpngroup <group_name> device-pass-through
0
Comment
Question by:dtadmin
  • 2
  • 2
4 Comments
 
LVL 19

Expert Comment

by:nodisco
ID: 21827156
hi

In using:
vpngroup DTVPN authentication-server <IP address>

the problem is that the last section (server tag) is not an ip address but an aaa server-tag.  e.g.

e.g.:
aaa-server server_tag [(if_name)] host server_ip [key] [timeout seconds]
aaa-server server_tag max-failed-attempts <number>
aaa-server server_tag protocol auth_protocol

That is what you need to match it up to - so if you have an aaa-server already listed, match the server tag to your vpngroup

hth
0
 

Author Comment

by:dtadmin
ID: 21830202
it is prompting me to designate a aaa-server protocol when I try to execute the aaa-server host ip command. The only protocols it lets me choose from is tacacs+ or radius. I want to configure this so I authenticate to my windows domain controller. I have a pix515 in production that is setup for a protocol of nt that points to our production domain controller, but I don't have that option on the 506. Any ideas.....
0
 
LVL 19

Expert Comment

by:nodisco
ID: 21842209
can you post the output of the 515?  We can work out why it won't happen on your 506

Also - post the output of the following from both PIXs
sh version

cheers
0
 

Accepted Solution

by:
dtadmin earned 0 total points
ID: 21847778
I will get those to you after I get back from the Cisco Live 2008 conference. Thanks!
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article assumes you have at least one Cisco ASA or PIX configured with working internet and a non-dynamic, public, address on the outside interface. If you need instructions on how to enable your device for internet, or basic configuration info…
Do you have a windows based Checkpoint SmartCenter for centralized Checkpoint management?  Have you ever backed up the firewall policy residing on the SmartCenter?  If you have then you know the hassles of connecting to the server, doing an upgrade_…
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question