Configure PIX with VPN using Individual User Authentication



I've got a pix 515 set up for vpn client access using group
authentication.  I have a group name and password defined on the pix.
Clients are able to connect just fine using the same shared group name
and password.  However, I've wanted to implement user authentication in
addition to the group authentication.  I set up a radius server and have
run some radius tests (switched http auth for administering the pix to
point to the radius server...and it works fine.)  My VPN group is
configured as follows:

vpngroup myvpngroup address-pool vpn
vpngroup myvpngroup dns-server <my dns ip>
vpngroup myvpngroup default-domain <my domain name>
vpngroup myvpngroup idle-time 60000
vpngroup myvpngroup authentication-server RADIUS
vpngroup myvpngroup user-authentication
vpngroup myvpngroup password <my group pw>

Most recently I added these lines to try and get it to trigger user
auth:
vpngroup myvpngroup authentication-server RADIUS
vpngroup myvpngroup user-authentication

However, when I launch the vpn client from a windows machine, I never
get prompted to put in my individual user auth credentials.  It just
connects as usual with my vpngroup name/pw combo.

Is there something else that needs to be done either on the pix side or
with the client to get the user auth to trigger?  

Thanks,

Jeff


Re: Configure PIX with VPN using Individual User Authentication


jeffrey_collins@hotmail.com wrote:

The "user-authentication" part goes in the crypto map.  But you first must
define your radius server, then add it to the crypto map.

example:
aaa-server AD-IAS protocol radius
aaa-server AD-IAS (inside) host x.x.x.x password timeout 10
crypto map outside_map client authentication AD-IAS
crypto map outside_map interface outside
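
An added example, not part of the thread or either poster's configuration: a small Python check that reads a PIX configuration and reports crypto maps bound to an interface that have no `client authentication` line (so VPN clients get in on the shared group password alone), or whose aaa-server tag is undefined or has no host. The function name, the issue labels and both sample configs are constructed for illustration.

```python
import re

# Constructed sample configs for the example (placeholder addresses and keys).
GROUP_ONLY = """\
vpngroup myvpngroup address-pool vpn
vpngroup myvpngroup password GROUP-KEY-PLACEHOLDER
crypto map outside_map interface outside
"""
WITH_XAUTH = GROUP_ONLY + """\
aaa-server AD-IAS protocol radius
aaa-server AD-IAS (inside) host 192.0.2.10 RADIUS-KEY-PLACEHOLDER timeout 10
crypto map outside_map client authentication AD-IAS
"""

def audit_xauth(config):
    """Return sorted (crypto_map, issue) pairs for maps bound to an interface."""
    protocols, hosts, bound, client_auth = {}, set(), {}, {}
    has_vpngroup = False
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("vpngroup "):
            has_vpngroup = True
        elif m := re.match(r"aaa-server (\S+) protocol (\S+)$", line):
            protocols[m.group(1)] = m.group(2)      # server group declared
        elif m := re.match(r"aaa-server (\S+) \(\S+\) host \S+", line):
            hosts.add(m.group(1))                   # group has a reachable host entry
        elif m := re.match(r"crypto map (\S+) interface (\S+)$", line):
            bound[m.group(1)] = m.group(2)          # map is live on an interface
        elif m := re.match(r"crypto map (\S+) client authentication (\S+)$", line):
            client_auth[m.group(1)] = m.group(2)    # per-user auth tied to the map
    findings = []
    for name in sorted(bound):
        tag = client_auth.get(name)
        if tag is None:
            if has_vpngroup:                        # group password is the only factor
                findings.append((name, "no-client-auth"))
        elif tag not in protocols:
            findings.append((name, "undefined-aaa-server"))
        elif tag not in hosts:
            findings.append((name, "aaa-server-no-host"))
    return findings

if __name__ == "__main__":
    for label, cfg in (("group only", GROUP_ONLY), ("with client auth", WITH_XAUTH)):
        print(label, audit_xauth(cfg))
```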
