2 radius servers with CVPN Client

tholmes
Level 1

Hello, I'm trying to get 2 sets of CVPN clients to authenticate with 2 different RADIUS servers, without much success.

The line below is mapped to the interface and will always push all users to that RADIUS server. Is there any way round this?

crypto map newmap client authentication win2k

I've pasted a cut-down config below; any help appreciated.

ip local pool cucvpnpool 192.168.123.10-192.168.123.20
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server win2k protocol radius
aaa-server win2k (inside) host 195.118.169.20 authme timeout 10
aaa-server mantonwood protocol radius
aaa-server mantonwood (inside) host 195.118.180.51 authme timeout 10
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map newmap 20 ipsec-isakmp dynamic dynmap
crypto map newmap 30 ipsec-isakmp
crypto map newmap 30 match address alphen
crypto map newmap 30 set peer 193.173.72.2
crypto map newmap 30 set transform-set myset
crypto map newmap client authentication win2k
(This pushes users to win2k RADIUS server)
crypto map newmap interface outside
isakmp enable outside
isakmp key ******** address x.x.x.x netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 3600
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 3600
vpngroup kiveton address-pool cucvpnpool
vpngroup kiveton idle-time 1800
vpngroup kiveton authentication-server win2k (This does nothing!!!)
vpngroup kivetonvpn password ********
vpngroup mantonwood address-pool cucvpnpool
vpngroup mantonwood idle-time 1800
vpngroup mantonwood authentication-server mantonwood (This does nothing!!!)
vpngroup mantonwood password ********
vpngroup address-pool idle-time 1800

3 Replies

afakhan
Level 4

Hi,

The command "vpngroup mantonwood authentication-server mantonwood" is meant only for IUA (hardware VPN clients), not for software VPN clients.

Since XAUTH has a scope within a crypto map (i.e. one XAUTH server per crypto map), and only one crypto map can be applied to an interface at a time, you would need to use 2 crypto maps on 2 different interfaces to have it working with 2 different RADIUS servers.

hth,

Afaq

Afaq,

Many thanks for the useful answer; back to the drawing board.

Perhaps one RADIUS server can authenticate different users to different domains.

Cheers, Tony

Did you find a solution to using multiple RADIUS servers in different domains working behind the PIX?

I have a similar issue with two domains (no trust) and a single PIX. In this case I'm using PPTP for VPN.

Cisco are currently looking at this for me.