Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

PIX 6.3 VPN different AAA authentication

Posted on 2009-04-14
9
611 Views
Last Modified: 2012-05-06
I would like to know if I can use differnt Radius servers to authenticate different vpngroups...
I'm trying eliminating the "crypto map outside_map client authentication VPN-DESA-PIX"
and using a

vpngroup vpn1 authentication-server VPN-PROD-PIX
vpngroup vpn2 authentication-server VPN-DESA-PIX

but it didn't work...

any idea???
0
Comment
Question by:mahe2000
  • 5
  • 4
9 Comments
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24144179
Sure.

aaa-server VPN-PROD-PIX protocol radius
aaa-server VPN-PROD-PIX max-failed-attempts 3
aaa-server VPN-PROD-PIX deadtime 10
aaa-server VPN-PROD-PIX (inside) host 10.1.1.100 timeout 10
aaa-server VPN-DESA-PIX protocol radius
aaa-server VPN-DESA-PIX max-failed-attempts 3
aaa-server VPN-DESA-PIX deadtime 10
aaa-server VPN-DESA-PIX (inside) host 10.2.2.100 timeout 10

vpngroup vpn1 authentication-server VPN-PROD-PIX
vpngroup vpn2 authentication-server VPN-DESA-PIX
0
 
LVL 3

Author Comment

by:mahe2000
ID: 24144230
I have already tried this but it didn't work this way... it keeps using the "crypto map ... authentication client..."
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24144280
Have you tried removing the "crypto map ... authentication client..." command?
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 3

Author Comment

by:mahe2000
ID: 24144330
yes, but it only allows one authentication server and I need two differnt user databases...
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24147090
Just so we are clear.

You removed the crypto map auth command and added the two servers and binded them to the VPN group?

no crypto map outside_map client authentication VPN-DESA-PIX

aaa-server VPN-PROD-PIX protocol radius
aaa-server VPN-PROD-PIX max-failed-attempts 3
aaa-server VPN-PROD-PIX deadtime 10
aaa-server VPN-PROD-PIX (inside) host 10.1.1.100 timeout 10
aaa-server VPN-DESA-PIX protocol radius
aaa-server VPN-DESA-PIX max-failed-attempts 3
aaa-server VPN-DESA-PIX deadtime 10
aaa-server VPN-DESA-PIX (inside) host 10.2.2.100 timeout 10

vpngroup vpn1 authentication-server VPN-PROD-PIX
vpngroup vpn2 authentication-server VPN-DESA-PIX
0
 
LVL 3

Author Comment

by:mahe2000
ID: 24147138
if I remove the line
no crypto map outside_map client authentication VPN-DESA-PIX

no authentication is made. i don´t need to put a user and password in that case...
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24147177
Really?  Nice functionality.  Let me take a look at some things...
0
 
LVL 43

Accepted Solution

by:
JFrederick29 earned 500 total points
ID: 24147545
Okay, so the "vpngroup vpn1 authentication-server <group>" command is not for xauth authentication so it won't work.

This is a limitation of the 6.3 code on the PIX.  You can only have one auth group for your VPN.

"crypto map outside_map client authentication VPN-DESA-PIX".

Is it a PIX 501 or 506? or a 515/525/535?  If a 501, you might want to look into replacing it with an ASA 5505 so you can run the latest and greatest software which provides the auth group per VPN group functionality.  If you have a 515/525/535, you can upgrade to 7.x/8.x to enable this functionality.
0
 
LVL 3

Author Closing Comment

by:mahe2000
ID: 31570203
I get to the same conclusion... thank you very much for the effort!!!
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Wikipedia defines 'Script Kiddies' in this informal way: "In hacker culture, a script kiddie, occasionally script bunny, skiddie, script kitty, script-running juvenile (SRJ), or similar, is a derogatory term used to describe those who use scripts or…
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question