Re: Cisco PIX with Cisco VPN client. Per user ACL using Radius

From: istong@stong.org
Date: Sun Oct 24 2004 - 09:30:59 GMT-3


Hi Sam,

Wouldn't you use Radius to do the authentication and
authorization piece, i.e. controlling who can authenticate in
and where they can go?

Ian
www.ccie4u.com
CCIE Lab Rack Rentals and Lab Scenarios starting at $20

> Tony,
>
> I appreciate the config however this is not what I need. I
> need Radius to pass attributes to control what IPs that
> client can access. Your config will do RADIUS
> authentication but doesn't control what boxes the client
> has access to.
>
> Thanks,
> Sam
>
> >Here is a config with a PIX authenticating MS PPTP users (on the
> >outside) via a MS Radius server (on the inside), the RADIUS
> >authentication would need to be tweaked for the specific access and the
> >PPTP would need to be replaced with IPSEC:
> >
> >!
> >!*****************************************************************
> >!*
> >!* PPTP SOFTWARE CLIENT WITH RADIUS
> >!*
> >!* RADIUS for PPTP SOFTWARE VPN
> >!* PIX needs RADIUS turned on for the Software VPN Client to work
> >!* (but RADIUS & TACACS are on by default)
> >!*****************************************************************
> >aaa-server TACACS+ protocol tacacs+
> >aaa-server RADIUS protocol radius
> >aaa-server LOCAL protocol local
> >!
> >!
> >!*****************************************************************
> >!* GLUE THE TAG "partnerauth" TO THE RADIUS SERVER
> >!*****************************************************************
> >aaa-server partnerauth protocol radius
> >aaa-server partnerauth (inside) host 10.80.100.253 xxxxxxx timeout 5
> >!
> >!*****************************************************************
> >!* PPTP with RADIUS
> >!*****************************************************************
> >ip local pool ippool 10.13.1.1-10.13.1.254
> >!
> >sysopt connection permit-pptp
> >vpdn enable outside
> >!
> >vpdn group 1 accept dialin pptp
> >vpdn group 1 ppp authentication pap
> >vpdn group 1 ppp authentication chap
> >vpdn group 1 ppp authentication mschap
> >vpdn group 1 ppp encryption mppe auto
> >!*****************************************************************
> >!* Here is where we glue the address pool to the PPTP clients with the
> >!* TAG "ippool"
> >!*****************************************************************
> >vpdn group 1 client configuration address local ippool
> >!
> >vpdn group 1 pptp echo 60
> >!*****************************************************************
> >!* Here is where we indicate that PPTP client authentication will be
> >!* offloaded to a RADIUS server. The TAG "partnerauth" is glued to the
> >!* RADIUS server configured above
> >!*****************************************************************
> >vpdn group 1 client authentication aaa partnerauth
> >!
> >!
> >!
> >Tony Pace CCIE-10349
> >
> >
> >On Fri, 22 Oct 2004 15:18:18 -0500, "Sam Munzani" <sam@munzani.com> said:
> >
> >>Does anybody have config sample of PIX vpn configuration for Cisco VPN
> >>client?
> >>
> >>I need to do an x-auth with RADIUS and based on user account, need to
> >>control what boxes they can access.
> >>
> >>Thanks,
> >>Sam
> >>
> >>_______________________________________________________________________
> >>Subscription information may be found at:
> >>http://www.groupstudy.com/list/CCIELab.html
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html



This archive was generated by hypermail 2.1.4 : Sat Nov 06 2004 - 17:11:52 GMT-3