From: Sam Munzani (sam@munzani.com)
Date: Mon Oct 25 2004 - 12:36:46 GMT-3
Ian,
AAA is a different thing than doing X-Auth with it. AAA is only for the
management of the PIX itself. I want to use RADIUS for X-Auth of VPN
clients and controlling what they have access for.
Currently you can achieve it by defining different vpngroups and
associating a different Split Tunnel ACL to each. However the config looks
ugly as there are so many groups defined. Achieving the same with RADIUS
using RADIUS attributes would be the perfect thing to do.
Thanks,
Sam
>Hi Sam,
>
>Wouldn't you use Radius to do the authentication and
>authorization piece - ie controlling who can authenticate in
>and where they can go.
>
>
>Ian
>www.ccie4u.com
>CCIE Lab Rack Rentals and Lab Scenarios starting at $20
>
>
>
>
>>Tony,
>>
>>I appreciate the config however this is not what I need. I
>>need Radius to pass attributes to control what IPs that
>>client can access. Your config will do RADIUS
>>authentication but doesn't control what boxes the client
>>has access to.
>>
>>Thanks,
>>Sam
>>
>>
>>
>>>Here is a config with a PIX authenticating MS PPTP users (on the outside)
>>>via a MS Radius server (on the inside), the RADIUS authentication would
>>>need to be tweaked for the specific access and the PPTP would need to be
>>>replaced with IPSEC:
>>>
>>>!
>>>!****************************************************************
>>>!* PPTP SOFTWARE CLIENT WITH RADIUS
>>>!*
>>>!* RADIUS for PPTP SOFTWARE VPN
>>>!* PIX needs RADIUS turned on for the Software VPN Client to work
>>>!* (but RADIUS & TACACS are on by default)
>>>!****************************************************************
>>>aaa-server TACACS+ protocol tacacs+
>>>aaa-server RADIUS protocol radius
>>>aaa-server LOCAL protocol local
>>>!
>>>!
>>>!****************************************************************
>>>!* GLUE THE TAG "partnerauth" TO THE RADIUS SERVER
>>>!****************************************************************
>>>aaa-server partnerauth protocol radius
>>>aaa-server partnerauth (inside) host 10.80.100.253 xxxxxxx timeout 5
>>>!
>>>!****************************************************************
>>>!* PPTP with RADIUS
>>>!****************************************************************
>>>ip local pool ippool 10.13.1.1-10.13.1.254
>>>!
>>>sysopt connection permit-pptp
>>>vpdn enable outside
>>>!
>>>vpdn group 1 accept dialin pptp
>>>vpdn group 1 ppp authentication pap
>>>vpdn group 1 ppp authentication chap
>>>vpdn group 1 ppp authentication mschap
>>>vpdn group 1 ppp encryption mppe auto
>>>!****************************************************************
>>>!* Here is where we glue the address pool to the PPTP clients with the
>>>!* TAG "ippool"
>>>!****************************************************************
>>>vpdn group 1 client configuration address local ippool
>>>!
>>>vpdn group 1 pptp echo 60
>>>!****************************************************************
>>>!* Here is where we indicate that PPTP client authentication will be
>>>!* offloaded to a RADIUS server. The TAG "partnerauth" is glued to the
>>>!* RADIUS server configured above
>>>!****************************************************************
>>>vpdn group 1 client authentication aaa partnerauth
>>>!
>>>!
>>>!
>>>Tony Pace CCIE-10349
>>>
>>>On Fri, 22 Oct 2004 15:18:18 -0500, "Sam Munzani" <sam@munzani.com> said:
>>>
>>>>Does anybody have a config sample of PIX VPN configuration for Cisco VPN
>>>>client?
>>>>I need to do an x-auth with RADIUS and based on user account, need to
>>>>control what boxes they can access.
>>>>Thanks,
>>>>Sam
>>>>
>_______________________________________________________________________
>Subscription information may be found at:
>http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Sat Nov 06 2004 - 17:11:52 GMT-3