• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 620

PIX 6.3 VPN different AAA authentication

I would like to know if I can use different RADIUS servers to authenticate different vpngroups...
I'm trying to eliminate the "crypto map outside_map client authentication VPN-DESA-PIX"
and use

vpngroup vpn1 authentication-server VPN-PROD-PIX
vpngroup vpn2 authentication-server VPN-DESA-PIX

but it didn't work...

any idea???
Asked by: mahe2000

1 Solution

JFrederick29 commented:
Sure.

aaa-server VPN-PROD-PIX protocol radius
aaa-server VPN-PROD-PIX max-failed-attempts 3
aaa-server VPN-PROD-PIX deadtime 10
aaa-server VPN-PROD-PIX (inside) host 10.1.1.100 timeout 10
aaa-server VPN-DESA-PIX protocol radius
aaa-server VPN-DESA-PIX max-failed-attempts 3
aaa-server VPN-DESA-PIX deadtime 10
aaa-server VPN-DESA-PIX (inside) host 10.2.2.100 timeout 10

vpngroup vpn1 authentication-server VPN-PROD-PIX
vpngroup vpn2 authentication-server VPN-DESA-PIX

mahe2000 (Author) commented:
I have already tried this but it didn't work this way... it keeps using the "crypto map ... authentication client..."

JFrederick29 commented:
Have you tried removing the "crypto map ... authentication client..." command?
mahe2000 (Author) commented:
Yes, but it only allows one authentication server and I need two different user databases...

JFrederick29 commented:
Just so we are clear.

You removed the crypto map auth command, added the two servers and bound them to the VPN groups?

no crypto map outside_map client authentication VPN-DESA-PIX

aaa-server VPN-PROD-PIX protocol radius
aaa-server VPN-PROD-PIX max-failed-attempts 3
aaa-server VPN-PROD-PIX deadtime 10
aaa-server VPN-PROD-PIX (inside) host 10.1.1.100 timeout 10
aaa-server VPN-DESA-PIX protocol radius
aaa-server VPN-DESA-PIX max-failed-attempts 3
aaa-server VPN-DESA-PIX deadtime 10
aaa-server VPN-DESA-PIX (inside) host 10.2.2.100 timeout 10

vpngroup vpn1 authentication-server VPN-PROD-PIX
vpngroup vpn2 authentication-server VPN-DESA-PIX

mahe2000 (Author) commented:
If I remove the line
no crypto map outside_map client authentication VPN-DESA-PIX

no authentication is made. I don't need to enter a user and password in that case...

JFrederick29 commented:
Really?  Nice functionality.  Let me take a look at some things...

JFrederick29 commented:
Okay, so the "vpngroup vpn1 authentication-server <group>" command is not for xauth authentication so it won't work.

This is a limitation of the 6.3 code on the PIX.  You can only have one auth group for your VPN.

"crypto map outside_map client authentication VPN-DESA-PIX".

Is it a PIX 501 or 506? or a 515/525/535?  If a 501, you might want to look into replacing it with an ASA 5505 so you can run the latest and greatest software which provides the auth group per VPN group functionality.  If you have a 515/525/535, you can upgrade to 7.x/8.x to enable this functionality.
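The per-tunnel-group binding that the last comment says arrived with 7.x/8.x, shown here as an added example (not configuration posted by either participant). The server-group names and the 10.1.1.100 / 10.2.2.100 addresses are reused from the thread; the RADIUS shared secrets and the group pre-shared keys are placeholders, and the syntax is the ASA/PIX 7.x form (`type ipsec-ra`; 8.x also accepts `type remote-access`). The crypto map, dynamic map and transform set are unchanged from a 6.3 setup and are left out.

```text
! ASA / PIX 7.x: one RADIUS server group per remote-access tunnel group
! (added example; shared secrets and group keys are placeholders)
aaa-server VPN-PROD-PIX protocol radius
 max-failed-attempts 3
 reactivation-mode depletion deadtime 10
aaa-server VPN-PROD-PIX (inside) host 10.1.1.100
 key PROD-RADIUS-SECRET
 timeout 10
!
aaa-server VPN-DESA-PIX protocol radius
 max-failed-attempts 3
 reactivation-mode depletion deadtime 10
aaa-server VPN-DESA-PIX (inside) host 10.2.2.100
 key DESA-RADIUS-SECRET
 timeout 10
!
! vpn1 clients are XAUTH-authenticated against the production RADIUS server
tunnel-group vpn1 type ipsec-ra
tunnel-group vpn1 general-attributes
 authentication-server-group VPN-PROD-PIX
tunnel-group vpn1 ipsec-attributes
 pre-shared-key vpn1-group-key
!
! vpn2 clients are XAUTH-authenticated against the development RADIUS server
tunnel-group vpn2 type ipsec-ra
tunnel-group vpn2 general-attributes
 authentication-server-group VPN-DESA-PIX
tunnel-group vpn2 ipsec-attributes
 pre-shared-key vpn2-group-key
```

The security point behind the thread: on 6.3 the only XAUTH hook is `crypto map ... client authentication`, and it applies to the whole map, so it cannot select a server per vpngroup; removing it, as the author found, leaves only the group pre-shared key, which every member of the group shares and which is not per-user authentication. Until the box is upgraded, a 6.3 PIX therefore has to keep a single RADIUS server (one option is to point it at a RADIUS proxy that forwards to the two user databases). On 7.x/8.x, `show aaa-server VPN-PROD-PIX` reports the server state, and `test aaa-server authentication VPN-PROD-PIX host 10.1.1.100 username <user> password <pass>` checks the binding against a known account before any client connects.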

mahe2000 (Author) commented:
I came to the same conclusion... thank you very much for the effort!!!