Re: Cisco PIX with Cisco VPN client. Per user ACL using Radius

From: Sam Munzani (sam@munzani.com)
Date: Sun Oct 24 2004 - 00:14:48 GMT-3


Tony,

I appreciate the config, however this is not what I need. I need RADIUS
to pass attributes to control what IPs that client can access. Your
config will do RADIUS authentication but doesn't control what boxes the
client has access to.

Thanks,
Sam

>Here is a config with a PIX authenticating MS PPTP users (on the
>outside) via a MS Radius server (on the inside), the RADIUS
>authentication would need to be tweaked for the specific access and the
>PPTP would need to be replaced with IPSEC:
>
>!
>!*****************************************************************
>!*
>!* PPTP SOFTWARE CLIENT WITH RADIUS
>!*
>!* RADIUS for PPTP SOFTWARE VPN
>!* PIX needs RADIUS turned on for the Software VPN Client to work
>!* (but RADIUS & TACACS are on by default)
>!******************************************************************
>aaa-server TACACS+ protocol tacacs+
>aaa-server RADIUS protocol radius
>aaa-server LOCAL protocol local
>!
>!
>!*****************************************************************
>!* GLUE THE TAG "partnerauth" TO THE RADIUS SERVER
>!******************************************************************
>aaa-server partnerauth protocol radius
>aaa-server partnerauth (inside) host 10.80.100.253 xxxxxxx timeout 5
>!
>!******************************************************************************************************
>!* PPTP with RADIUS
>!***************************************************************************************************
>ip local pool ippool 10.13.1.1-10.13.1.254
>!
>sysopt connection permit-pptp
>vpdn enable outside
>!
>vpdn group 1 accept dialin pptp
>vpdn group 1 ppp authentication pap
>vpdn group 1 ppp authentication chap
>vpdn group 1 ppp authentication mschap
>vpdn group 1 ppp encryption mppe auto
>!*****************************************************************
>!* Here is where we glue the address pool to the PPTP clients with the TAG "ippool"
>!*****************************************************************
>vpdn group 1 client configuration address local ippool
>!
>vpdn group 1 pptp echo 60
>!*****************************************************************
>!* Here is where we indicate that PPTP client authentication will be offloaded to a
>!* RADIUS server. The TAG "partnerauth" is glued to the RADIUS server configured above
>!*****************************************************************
>vpdn group 1 client authentication aaa partnerauth
>!
>!
>!
>Tony Pace CCIE-10349
>
>
>
>On Fri, 22 Oct 2004 15:18:18 -0500, "Sam Munzani" <sam@munzani.com>
>said:
>
>
>>Does anybody have config sample of PIX vpn configuration for Cisco VPN
>>client?
>>
>>I need to do an x-auth with RADIUS and based on user account, need to
>>control what boxes they can access.
>>
>>Thanks,
>>Sam
>>
>>_______________________________________________________________________
>>Subscription information may be found at:
>>http://www.groupstudy.com/list/CCIELab.html
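Sam's follow-up asks for RADIUS to carry the per-user access policy rather than only an accept/reject. As an added illustration (not part of this thread, and not Cisco's or the list's code), the Python below builds the Access-Accept a RADIUS server would send for a given user, packs each ACL entry as a Cisco-AVPair vendor-specific attribute (RFC 2865 attribute 26, vendor id 9, vendor-type 1), and shows the two checks the NAS side must perform before acting on it: verifying the Response Authenticator against the shared secret, and a bounds-checked parse of the vendor attributes. The `ip:inacl#N=` syntax is Cisco's downloadable-ACL AV-pair form; the user table, the packet identifier and the secret are constructed, and which attribute a given PIX release honours for VPN clients is an assumption the thread does not settle.

```python
import hashlib
import hmac
import os
import struct

# RFC 2865 constants and Cisco's IANA-registered enterprise number.
ACCESS_ACCEPT = 2
ATTR_VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1          # vendor-type 1 inside a Cisco VSA is Cisco-AVPair

# Constructed per-user policy: which inside hosts each VPN user may reach.
# "ip:inacl#N=<ace>" is Cisco's downloadable-ACL AV-pair syntax; whether this
# PIX/VPN-client combination honours it is an assumption, not stated on the page.
USER_ACLS = {
    "sam": [
        "ip:inacl#1=permit tcp any host 10.80.100.10 eq 443",
        "ip:inacl#2=permit tcp any host 10.80.100.20 eq 22",
        "ip:inacl#3=deny ip any any",
    ],
    "guest": [
        "ip:inacl#1=permit tcp any host 10.80.100.10 eq 443",
        "ip:inacl#2=deny ip any any",
    ],
}


def encode_cisco_avpair(value: str) -> bytes:
    """Wrap one Cisco-AVPair string in a Vendor-Specific attribute (type 26)."""
    data = value.encode("ascii")
    # 255 max attr length - 2 (attr header) - 4 (vendor id) - 2 (VSA header)
    if len(data) > 247:
        raise ValueError("AV-pair too long for a single RADIUS attribute")
    vsa = struct.pack("!BB", CISCO_AVPAIR, len(data) + 2) + data
    payload = struct.pack("!I", CISCO_VENDOR_ID) + vsa
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, len(payload) + 2) + payload


def build_access_accept(identifier: int, request_auth: bytes, secret: bytes, user: str) -> bytes:
    """Server side: build an Access-Accept carrying the user's ACL entries as Cisco-AVPairs."""
    if user not in USER_ACLS:
        raise KeyError(f"no ACL policy for {user!r}")
    attrs = b"".join(encode_cisco_avpair(v) for v in USER_ACLS[user])
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    # Response Authenticator (RFC 2865 section 3):
    #   MD5(Code | ID | Length | RequestAuth | Attributes | Secret)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_access_accept(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAS side: confirm the reply is authentic before trusting any ACL it carries."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def parse_cisco_avpairs(packet: bytes) -> list:
    """Extract every Cisco-AVPair string from a RADIUS packet, rejecting bad lengths."""
    attrs, pairs, i = packet[20:], [], 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed attribute")
        body = attrs[i + 2:i + alen]
        if (atype == ATTR_VENDOR_SPECIFIC and len(body) >= 4
                and struct.unpack("!I", body[:4])[0] == CISCO_VENDOR_ID):
            j = 4
            while j + 2 <= len(body):
                vtype, vlen = body[j], body[j + 1]
                if vlen < 2 or j + vlen > len(body):
                    raise ValueError("malformed vendor attribute")
                if vtype == CISCO_AVPAIR:
                    pairs.append(body[j + 2:j + vlen].decode("ascii"))
                j += vlen
        i += alen
    return pairs


def acl_for_user(user: str, secret: bytes = b"xxxxxxx") -> list:
    """Round trip: server builds the reply, NAS verifies it, then reads the ACL.

    The default secret is a placeholder standing in for the masked key in the
    quoted aaa-server line; the request authenticator would normally be copied
    from the Access-Request rather than generated here.
    """
    request_auth = os.urandom(16)
    reply = build_access_accept(identifier=7, request_auth=request_auth, secret=secret, user=user)
    if not verify_access_accept(reply, request_auth, secret):
        raise RuntimeError("Response Authenticator mismatch")
    return parse_cisco_avpairs(reply)


if __name__ == "__main__":
    for entry in acl_for_user("sam"):
        print(entry)
```

The deny-all entry at the end of each list matters: a downloadable ACL that only lists permits still ends in an implicit deny on Cisco gear, but spelling it out makes the intended policy visible in the RADIUS user entry itself, which is where an auditor will look.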



This archive was generated by hypermail 2.1.4 : Sat Nov 06 2004 - 17:11:52 GMT-3