
PIX remote access authentication

Status
Not open for further replies.

tb9999

MIS
Sep 23, 2000
4
US
I have just inherited a corp network that uses a PIX 515e at each of three sites to create site-to-site VPN tunnels. This is working fine. I need to set up remote VPN access for individual users using the PIX at our main office.

Is it possible to use RADIUS to authenticate some remote users and also authenticate other remote users using just a VPN group name and password (i.e. the client authenticates using the group name and password, but the user is not prompted to enter a name/password)? It seems as if this is a one-or-the-other proposition. When I enable authentication using RADIUS, the group authentication stops working. Can I do both simultaneously? If so, can anyone offer any help to get started? Thanks.
 
OK, maybe I'm missing something or maybe my original posting wasn't clear.

I have figured out how to enable AAA and to config the RADIUS server. The part I can't figure out is how to make AAA authentication co-exist with no user authentication. What I want to do is this:

1) I have one group of remote users that I want to be able to connect via VPN (called vpngroup1) that will authenticate using only the vpn group name and password. They will not be prompted to provide a user name and password.

2) A second group of users (called vpngroup2) will authenticate using both the vpn group name and password as well as their own username and password (authenticated by the RADIUS server).

When I've tried to set this up, it seems that I can't make both authentication types work simultaneously. If I config to allow remote authentication using only the vpn group name and password, it works fine. As soon as I config to use RADIUS, all remote users are required to provide their user name and password, regardless of whether they are in vpngroup1 or vpngroup2.

Can this be done? If so, how do I link the authentication method to the vpn group?

Thanks in advance for any help.
 
The auth. method is "linked" to the crypto map, not the group.

So I would take a chance and say that this cannot be done.
I could be wrong... (anyone out there know for sure!?)

Why don’t you want the auth. for the second group?

At that point someone would only have to get that .pcf file and import it into their client and have access to your network.

With the RADIUS you have 2-factor auth., logging of username and time in the IAS Server event logs, and centralized management of user access.
 