From: Anthony Pace (anthonypace@fastmail.fm)
Date: Fri Oct 22 2004 - 17:46:31 GMT-3
Here is a config with a PIX authenticating MS PPTP users (on the
outside) via a MS Radius server (on the inside). The RADIUS
authentication would need to be tweaked for the specific access and the
PPTP would need to be replaced with IPSEC:
!
!*****************************************************************
!*
!* PPTP SOFTWARE CLIENT WITH RADIUS
!*
!* RADIUS for PPTP SOFTWARE VPN
!* PIX needs RADIUS turned on for the Software VPN Client to work
!* (but RADIUS & TACACS are on by default)
!******************************************************************
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
!
!
!*****************************************************************
!* GLUE THE TAG "partnerauth" TO THE RADIUS SERVER
!******************************************************************
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host 10.80.100.253 xxxxxxx timeout 5
!
!******************************************************************************************************
!* PPTP with RADIUS
!***************************************************************************************************
ip local pool ippool 10.13.1.1-10.13.1.254
!
sysopt connection permit-pptp
vpdn enable outside
!
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto
!****************************************************************************************
!* Here is where we glue the address pool to the PPTP clients with the TAG "ippool"
!*****************************************************************************************
vpdn group 1 client configuration address local ippool
!
vpdn group 1 pptp echo 60
!*******************************************************************
!* Here is where we indicate that PPTP client authentication will be offloaded to a
!* RADIUS server. The TAG "partnerauth" is glued to the RADIUS server configured above
!**********************************************************************************
vpdn group 1 client authentication aaa partnerauth
!
!
!
Tony Pace CCIE-10349
On Fri, 22 Oct 2004 15:18:18 -0500, "Sam Munzani" <sam@munzani.com>
said:
> Does anybody have config sample of PIX vpn configuration for Cisco VPN
> client?
>
> I need to do an x-auth with RADIUS and based on user account, need to
> control what boxes they can access.
>
> Thanks,
> Sam
-- Anthony Pace anthonypace@fastmail.fm
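An added example, not part of the original post and not Cisco tooling: a small Python check that the tags the config above "glues" together (the `ippool` address pool and the `partnerauth` AAA tag) actually resolve, and that lists the PPP authentication methods each vpdn group accepts. The function name `check_vpdn_glue` and the sample input are constructed for illustration, and the patterns cover only the command forms shown in the post.

```python
import re

# Constructed sample input: the relevant lines of the config above,
# with the shared secret left as the post's "xxxxxxx" placeholder.
SAMPLE = """\
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host 10.80.100.253 xxxxxxx timeout 5
ip local pool ippool 10.13.1.1-10.13.1.254
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto
vpdn group 1 client configuration address local ippool
vpdn group 1 client authentication aaa partnerauth
"""

def check_vpdn_glue(config):
    """Return (problems, ppp_auth) for a PIX config given as text."""
    protocols, hosts, pools = {}, set(), set()
    pool_refs, aaa_refs, ppp_auth = [], [], {}
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # blank line or comment
        if m := re.match(r"aaa-server (\S+) protocol (\S+)$", line):
            protocols[m[1]] = m[2]
        elif m := re.match(r"aaa-server (\S+) \(\S+\) host \S+", line):
            hosts.add(m[1])
        elif m := re.match(r"ip local pool (\S+) \S+", line):
            pools.add(m[1])
        elif m := re.match(r"vpdn group (\S+) client configuration address local (\S+)$", line):
            pool_refs.append((m[1], m[2]))
        elif m := re.match(r"vpdn group (\S+) client authentication aaa (\S+)$", line):
            aaa_refs.append((m[1], m[2]))
        elif m := re.match(r"vpdn group (\S+) ppp authentication (\S+)$", line):
            ppp_auth.setdefault(m[1], []).append(m[2])
    problems = []
    for group, pool in pool_refs:
        if pool not in pools:
            problems.append(f"vpdn group {group}: address pool '{pool}' is not defined")
    for group, tag in aaa_refs:
        if tag not in protocols:
            problems.append(f"vpdn group {group}: aaa tag '{tag}' has no protocol line")
        elif tag not in hosts:
            problems.append(f"vpdn group {group}: aaa tag '{tag}' has no server host")
    return problems, ppp_auth

if __name__ == "__main__":
    print(check_vpdn_glue(SAMPLE))
```

The returned method list makes it easy to see at review time that the group still accepts `pap` alongside `chap` and `mschap`.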
This archive was generated by hypermail 2.1.4 : Sat Nov 06 2004 - 17:11:51 GMT-3