Radius Attributes?

Status
Not open for further replies.

cchipman

IS-IT--Management
Sep 16, 2002
125
US
I've got a PIX 506 and a Microsoft IAS server running inside of it which I'm currently using for authentication of VPDN logons. Currently, any domain user is allowed VPN access.

I also want to use the Radius server to allow domain admins to use the console of the PIX. However, I can find no way of distinguishing between the two validation attempts except by the fact that the console authentication comes in on PAP and the VPDNs come in with MSCHAP and CHAP.

Is there any way to get the PIX to send some of the extended attributes (e.g. service type) to the Radius server?
 
Several months ago, I helped someone else set up their PIX to authenticate to an IAS server. Below are the relevant commands needed for the PIX.

aaa-server radius-authport 1812
aaa-server radius-acctport 1813
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server CONFIRM protocol radius
aaa-server CONFIRM (inside) host <IP address of server> <key> timeout 10
aaa authentication include tcp/0 inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 CONFIRM

auth-prompt prompt Please enter you Domain Username and Password
auth-prompt accept Authentication Confirmed. Thank You
auth-prompt reject Sorry. But your User-Password is not authorized for Internet Access

Next, make sure the PIX is set up as a client under the IAS server. Just add the PIX as a client and make sure you have the same key as you entered in the PIX config.
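The distinction raised in the question (console logins arriving as PAP, VPDN logons as CHAP or MS-CHAP) is visible in the attributes of the RADIUS Access-Request itself. The following is an added example, not part of the thread: a Python parser that reports the authentication method and any Service-Type attribute present. The sample packets, user names and helper names are constructed for illustration and were not captured from a PIX.

```python
import struct

MS_VENDOR_ID = 311                                # Microsoft (RFC 2548)
MS_CHAP_TYPES = {1: "MS-CHAP", 25: "MS-CHAPv2"}   # MS-CHAP-Response, MS-CHAP2-Response

def parse(packet: bytes):
    """Return (code, [(type, value), ...]) for a RADIUS packet (RFC 2865)."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad Length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, attrs

def classify(packet: bytes):
    """Return (auth_method, service_type or None) for an Access-Request."""
    code, attrs = parse(packet)
    if code != 1:
        raise ValueError("not an Access-Request")
    method, service = "none", None
    for atype, value in attrs:
        if atype == 2:                              # User-Password
            method = "PAP"
        elif atype == 3:                            # CHAP-Password
            method = "CHAP"
        elif atype == 6 and len(value) == 4:        # Service-Type
            service = struct.unpack("!I", value)[0]
        elif atype == 26 and len(value) >= 6:       # Vendor-Specific
            vendor, sub = struct.unpack("!I", value[:4])[0], value[4:]
            while vendor == MS_VENDOR_ID and len(sub) >= 2 and 2 <= sub[1] <= len(sub):
                method = MS_CHAP_TYPES.get(sub[0], method)
                sub = sub[sub[1]:]
    return method, service

# Constructed sample requests (not captured from a PIX); secrets are zero bytes.
def attr(t, v): return bytes([t, len(v) + 2]) + v
def request(*attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", 1, 7, 20 + len(body)) + bytes(16) + body

CONSOLE = request(attr(1, b"admin1"), attr(2, bytes(16)))
VPDN_MSCHAP = request(attr(1, b"user1"), attr(26, struct.pack("!I", 311) + attr(1, bytes(50))))
VPDN_CHAP = request(attr(1, b"user2"), attr(3, bytes(17)), attr(6, struct.pack("!I", 2)))
```

Running `classify` over requests captured on the IAS server shows which attributes the PIX actually sends for each logon type, and therefore what a remote access policy can match on.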
 