- PIX,vpn_client,site-to-site aaa-server

jarcar
07-25-2004, 02:48 AM
PIX515 6.3.3

site-to-site VPN and vpn clients for mobile users works fine.


Problem :
I would like to use an aaa-server (IAS RADIUS). And I would like to use it ONLY
for mobile users (Cisco VPN client) - I do not need RADIUS
authentication for site-to-site VPN.

But from what I see, I can only set authentication for the whole crypto map:

aaa-server radius-server (inside) host 192.168.0.5 ***** timeout 5
crypto map mymap client authentication radius-server

How can I distinguish between site-to-site VPN and VPN clients (dynmap)
at this level? Is it possible?

"
....
crypto map mymap 100 ipsec-isakmp
crypto map mymap 100 match address 500
crypto map mymap 100 set peer xxx.xxx.xxx.xxx
crypto map mymap 100 set transform-set strong
crypto map mymap 500 set security-association lifetime seconds 3600
....
crypto map mymap 900 set security-association lifetime seconds 3600
crypto map mymap 9999 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
....
"

regards

jarek

jarcar
07-25-2004, 02:48 AM
jarcar wrote:

> PIX515 6.3.3
>
> site-to-site VPN and vpn clients for mobile users works fine.
>
>
> Problem :
> I would like to use an aaa-server (IAS RADIUS). And I would like to use it ONLY
> for mobile users (Cisco VPN client) - I do not need RADIUS
> authentication for site-to-site VPN.
>
> But from what I see, I can only set authentication for the whole crypto map:
>
> aaa-server radius-server (inside) host 192.168.0.5 ***** timeout 5
> crypto map mymap client authentication radius-server
>
> How can I distinguish between site-to-site VPN and VPN clients (dynmap)
> at this level? Is it possible?
>

OK, I've found the solution:
vpngroup group_name authentication-server server_tag


But I have a similar question:
Is it possible to set aaa-server authentication only for selected VPN
tunnels;
for example, activate it for
crypto map mymap 100
crypto map mymap 300

but not for
crypto map mymap 500

?

regards

jarek

PES
07-25-2004, 02:48 AM
When you set up your isakmp key, use the no-xauth keyword, for example:

crypto isakmp key cryptokey1 address 1.2.3.4 no-xauth

"jarcar" <jarcar@gazeta.pl> wrote in message news:cdgqgg$dhu$1@inews.gazeta.pl...
> jarcar wrote:
>
> > PIX515 6.3.3
> >
> > site-to-site VPN and vpn clients for mobile users works fine.
> >
> >
> > Problem :
> > I would like to use an aaa-server (IAS RADIUS). And I would like to use it ONLY
> > for mobile users (Cisco VPN client) - I do not need RADIUS
> > authentication for site-to-site VPN.
> >
> > But from what I see, I can only set authentication for the whole crypto map:
> >
> > aaa-server radius-server (inside) host 192.168.0.5 ***** timeout 5
> > crypto map mymap client authentication radius-server
> >
> > How can I distinguish between site-to-site VPN and VPN clients (dynmap)
> > at this level? Is it possible?
> >
>
> OK, I've found the solution:
> vpngroup group_name authentication-server server_tag
>
>
> But I have a similar question:
> Is it possible to set aaa-server authentication only for selected VPN
> tunnels;
> for example, activate it for
> crypto map mymap 100
> crypto map mymap 300
>
> but not for
> crypto map mymap 500
>
> ?
>
> regards
>
> jarek
>

emma@abacho.de
07-25-2004, 02:48 AM
Try this...

Add the new authentication group e.g.

aaa-server ias-radius protocol radius
aaa-server ias-radius (inside) host [ip addr] [key] timeout 5

Site-to-Site:
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address [acl]
crypto map newmap 10 set peer [ip addr]
crypto map newmap 10 set transform-set [name]

VPN-Client:
crypto map newmap 19 ipsec-isakmp dynamic remote-clients
crypto map newmap client configuration address initiate
crypto map newmap client authentication ias-radius
crypto map newmap interface outside

So only VPN clients are authenticated via IAS RADIUS.
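The three answers above boil down to one rule on PIX 6.x: `crypto map <name> client authentication <tag>` turns XAUTH on for every peer that lands on that map, static site-to-site entries included, and the only per-peer exemption is the `no-xauth` flag on that peer's pre-shared key. The following Python audit is an added example, not code from any poster in this thread and not a Cisco tool: it parses a constructed PIX-style config (addresses, key strings and the `ias-radius` tag are made up) and reports, per crypto map entry, whether XAUTH will actually be applied to the peer. It assumes the PIX `isakmp key <key> address <addr> [netmask <mask>] [no-xauth] [no-config-mode]` syntax and also accepts the IOS-style `crypto isakmp key` spelling used in one of the replies; a `0.0.0.0/0.0.0.0` wildcard key is treated as the fallback match, which is how PIX resolves it.

```python
"""Audit a PIX 6.x config: which IKE peers does map-wide XAUTH really hit?

Added example (not from the thread). Sample config below is constructed.
"""
import re
from dataclasses import dataclass

# Constructed sample: one crypto map, three static site-to-site peers, one
# dynamic entry for VPN clients, XAUTH enabled for the whole map. Only peer
# 203.0.113.20 lacks no-xauth on its key, so only it is (wrongly) prompted.
SAMPLE_CONFIG = """\
aaa-server ias-radius protocol radius
aaa-server ias-radius (inside) host 192.168.0.5 ******** timeout 5
isakmp key ******** address 203.0.113.10 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 203.0.113.20 netmask 255.255.255.255
isakmp key ******** address 203.0.113.30 netmask 255.255.255.255 no-xauth
crypto map mymap 100 ipsec-isakmp
crypto map mymap 100 match address 500
crypto map mymap 100 set peer 203.0.113.10
crypto map mymap 100 set transform-set strong
crypto map mymap 300 ipsec-isakmp
crypto map mymap 300 match address 300
crypto map mymap 300 set peer 203.0.113.20
crypto map mymap 300 set transform-set strong
crypto map mymap 500 ipsec-isakmp
crypto map mymap 500 match address 501
crypto map mymap 500 set peer 203.0.113.30
crypto map mymap 9999 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client authentication ias-radius
crypto map mymap interface outside
vpngroup mobile authentication-server ias-radius
"""

# "crypto" prefix is optional so IOS-style spellings parse too.
ISAKMP_KEY_RE = re.compile(
    r"^(?:crypto\s+)?isakmp\s+key\s+(\S+)\s+address\s+(\S+)"
    r"(?:\s+netmask\s+(\S+))?(?P<flags>(?:\s+no-(?:xauth|config-mode))*)\s*$"
)
MAP_CLIENT_AUTH_RE = re.compile(r"^crypto\s+map\s+(\S+)\s+client\s+authentication\s+(\S+)")
MAP_PEER_RE = re.compile(r"^crypto\s+map\s+(\S+)\s+(\d+)\s+set\s+peer\s+(\S+)")
MAP_DYNAMIC_RE = re.compile(r"^crypto\s+map\s+(\S+)\s+(\d+)\s+ipsec-isakmp\s+dynamic\s+(\S+)")


@dataclass
class XauthStatus:
    crypto_map: str
    seq: int
    peer: str            # static peer address, or "dynamic:<name>" for a dynamic entry
    key_found: bool      # a pre-shared key line matches this peer
    no_xauth: bool       # that key carries the no-xauth flag
    xauth_applies: bool  # the PIX will run XAUTH against this peer


def parse_config(text):
    """Collect pre-shared keys, map-level XAUTH settings and map entries in order."""
    keys, map_auth, entries = {}, {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if (m := ISAKMP_KEY_RE.match(line)):
            mask = m.group(3) or "255.255.255.255"
            keys[m.group(2)] = (mask, "no-xauth" in m.group("flags").split())
        elif (m := MAP_CLIENT_AUTH_RE.match(line)):
            map_auth[m.group(1)] = m.group(2)
        elif (m := MAP_PEER_RE.match(line)):
            entries.append((m.group(1), int(m.group(2)), "static", m.group(3)))
        elif (m := MAP_DYNAMIC_RE.match(line)):
            entries.append((m.group(1), int(m.group(2)), "dynamic", m.group(3)))
    return keys, map_auth, entries


def lookup_key(keys, peer):
    """Exact peer address first, then a 0.0.0.0/0.0.0.0 wildcard key if present."""
    if peer in keys:
        return keys[peer]
    wild = keys.get("0.0.0.0")
    if wild is not None and wild[0] == "0.0.0.0":
        return wild
    return None


def audit(text):
    keys, map_auth, entries = parse_config(text)
    report = []
    for name, seq, kind, value in entries:
        map_has_xauth = name in map_auth
        if kind == "dynamic":
            # No fixed peer: clients hitting the dynamic entry get XAUTH whenever the map has it.
            report.append(XauthStatus(name, seq, f"dynamic:{value}", False, False, map_has_xauth))
            continue
        key = lookup_key(keys, value)
        no_xauth = key is not None and key[1]
        # With no key line we cannot see an exemption, so assume XAUTH applies.
        report.append(XauthStatus(name, seq, value, key is not None, no_xauth,
                                  map_has_xauth and not no_xauth))
    return report


def unintended_xauth_peers(text):
    """Static site-to-site peers that will be prompted for XAUTH: a remote gateway
    is not a client and cannot answer, which is exactly what no-xauth prevents."""
    return [s for s in audit(text) if not s.peer.startswith("dynamic:") and s.xauth_applies]


if __name__ == "__main__":
    for s in audit(SAMPLE_CONFIG):
        print(f"{s.crypto_map} {s.seq:>5} {s.peer:<16} key={'yes' if s.key_found else 'no '} "
              f"no-xauth={'yes' if s.no_xauth else 'no '} -> XAUTH {'ON' if s.xauth_applies else 'off'}")
```

Run it against a `show running-config` capture (key strings are masked as `********`, which the parser accepts) and anything listed by `unintended_xauth_peers` is a static peer that needs `no-xauth` on its key, or should be moved to a map that has no `client authentication` line, as the last reply suggests.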