two radius validation

I have a PIX with an IPsec connection for my Cisco VPN clients. The validation is by RADIUS IAS and one vpngroup.

How can I have two vpngroups, so that group A validates by radius_A (for example Microsoft IAS) and group B validates by radius_B (for example FreeRadius)?

Or must I create two crypto maps with two public IPs?

amperis

You can have as many groups (I think there is a max of 254 VPN groups) as you want pointing to any amount of servers, local, radius, NT etc all on the same interface. If you are looking for redundancy for the auth server you can have the 2 servers in the same group, if the first doesn't respond it will go to the second.

Brian V

I have:

aaa-server ias protocol radius
aaa-server radius_a (inside) host 10.1.2.14 12345 timeout 5
...
crypto ipsec transform-set myset esp-null esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap client authentication radius_a
crypto map mymap interface outside
...
vpngroup rrr address-pool pool-vpn
vpngroup rrr dns-server 10.1.2.14 10.1.2.12
vpngroup rrr default-domain xxxx.com
vpngroup rrr split-tunnel nonat
vpngroup rrr idle-time 10800
vpngroup rrr password ********

I would like two groups for two different RADIUS servers (not backups), but this code does not run:

aaa-server radius_a (inside) host 10.1.2.14 12345 timeout 5
aaa-server radius_b (inside) host 10.1.2.17 12345 timeout 5
...
crypto ipsec transform-set myset esp-null esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
..
vpngroup rrr address-pool pool-vpn
vpngroup rrr dns-server 10.1.2.14 10.1.2.12
vpngroup rrr default-domain lendan.com
vpngroup rrr split-tunnel nonat
vpngroup rrr idle-time 10800
vpngroup rrr secure-unit-authentication
vpngroup rrr authentication-server radius_a
vpngroup rrr user-authentication
vpngroup rrr device-pass-through
vpngroup rrr password ********
...
vpngroup ggg address-pool pool-vpn
vpngroup ggg dns-server 10.1.2.14 10.1.2.12
vpngroup ggg default-domain lendan.com
vpngroup ggg split-tunnel nonat
vpngroup ggg idle-time 10800
vpngroup ggg secure-unit-authentication
vpngroup ggg authentication-server radius_b
vpngroup ggg user-authentication
vpngroup ggg device-pass-through
vpngroup ggg password ********

Any ideas???

amperis

You need to create the second radius group.

aaa-server radius_a protocol radius
aaa-server radius_a (inside) host 10.1.2.14 12345 timeout 5

aaa-server radius_b protocol radius
aaa-server radius_b (inside) host 10.1.2.17 12345 timeout 5

Brian V
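
Added example, not part of the thread and not a Cisco tool: a small offline check over a saved configuration that applies the point of the last reply, reporting every aaa-server tag that has a host line but no matching protocol line, plus any tag that a vpngroup or crypto map references without a host. The function name and the sample text are assumptions made for this example, and PIX built-in server tags are not handled.

```python
import re

# Constructed sample: the AAA-related lines of the second configuration in the thread.
SAMPLE = """\
aaa-server radius_a (inside) host 10.1.2.14 12345 timeout 5
aaa-server radius_b (inside) host 10.1.2.17 12345 timeout 5
vpngroup rrr authentication-server radius_a
vpngroup ggg authentication-server radius_b
"""

NO_PROTOCOL = "host without 'aaa-server <tag> protocol' line"
NO_HOST = "protocol declared but no host"
UNDEFINED = "referenced but no host defined"

PROTOCOL = re.compile(r"aaa-server\s+(\S+)\s+protocol\s+\S+")
HOST = re.compile(r"aaa-server\s+(\S+)\s+\(\S+\)\s+host\s+\S+")
REFERENCE = re.compile(
    r"(?:vpngroup\s+\S+\s+authentication-server"
    r"|crypto\s+map\s+\S+\s+client\s+authentication)\s+(\S+)"
)


def check_aaa_groups(config):
    """Return sorted (tag, problem) pairs for inconsistent AAA server tags."""
    declared, hosts, referenced = set(), set(), set()
    for raw in config.splitlines():
        line = raw.strip()
        # Each line is classified by the first pattern that matches it.
        for pattern, bucket in ((PROTOCOL, declared), (HOST, hosts),
                                (REFERENCE, referenced)):
            match = pattern.match(line)
            if match:
                bucket.add(match.group(1))
                break
    findings = [(tag, NO_PROTOCOL) for tag in hosts - declared]
    findings += [(tag, NO_HOST) for tag in declared - hosts]
    findings += [(tag, UNDEFINED) for tag in referenced - hosts]
    return sorted(findings)


if __name__ == "__main__":
    for tag, problem in check_aaa_groups(SAMPLE):
        print(f"{tag}: {problem}")
```

Run against the sample, it reports both radius_a and radius_b; with the two protocol lines from the reply added, it reports nothing.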
