AAA authentication to remote Radius over L2L tunnel

eskil.notesjo
Level 1

I have two sites, each with a Pix501 running Pix 6.3.

The two sites have a lan2lan tunnel with pre-shared key between them.

Cisco VPN clients should be able to connect to either of the two sites; the choice of site depends on which site they need access to. This is because of limited bandwidth on one of the sites and also because of the fact that traffic on the PIX cannot enter and leave on the same interface.

We are using one radius server on site1, and the client vpn is working very nice when connecting to site1.

However, the Pix on site2 is configured to talk to the radius server on site1 over the existing L2L tunnel, and this does not work.

I reasoned that since it is the Pix on site2 that is initiating the radius request, the radius traffic should be able to enter the tunnel. I have tried to use the "management-access inside" command, but it did not help.

"debug aaa authorization" and "debug aaa internal" indicate that PIX2 is trying to connect to the RADIUS server, but "debug packet outside" shows that the RADIUS request is not encrypted.

2 Replies

fedrodri
Level 1

Hi,

Since PIX2 is the one initiating the authentication request against the RADIUS server over the L2L VPN tunnel, and there is no way to tell the PIX to initiate that request from the inside interface, you would need to add the outside interface of PIX2 as part of the interesting traffic (crypto map match address) and the NAT exemption (NAT 0 ACL, meaning it should be part of the ACL for no-NAT). Once you add the PIX2 outside interface to that, RADIUS requests should go encrypted.

Hope that it helps!

Federico Rodriguez
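As an added illustration of the fix described in the reply above (this is not configuration from the original thread or from either poster), here is a PIX 6.3 style fragment for PIX2 showing the crypto ACL and no-NAT ACL before and after the extra entries. All addresses, ACL names, the crypto map name and the RADIUS shared secret are constructed placeholders: site1 LAN 10.1.0.0/16 with the RADIUS server at 10.1.0.10, site2 LAN 10.2.0.0/16, PIX2 outside address 198.51.100.2 and the PIX1 peer at 203.0.113.1.

```cisco
! ---- Before: only LAN-to-LAN traffic is "interesting", so RADIUS
! ---- packets sourced from PIX2's own outside address bypass the tunnel
! ---- and leave in clear text (matches the "debug packet outside" symptom).
access-list L2L   permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list NONAT permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0

! ---- After: add PIX2's outside interface address (placeholder
! ---- 198.51.100.2) to the interesting-traffic ACL and to the no-NAT ACL,
! ---- as the reply recommends, so the request to the RADIUS host
! ---- (placeholder 10.1.0.10) is selected for encryption.
access-list L2L   permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list L2L   permit ip host 198.51.100.2 host 10.1.0.10
access-list NONAT permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list NONAT permit ip host 198.51.100.2 host 10.1.0.10

! NAT exemption for tunnelled traffic
nat (inside) 0 access-list NONAT

! Crypto map referencing the interesting-traffic ACL (placeholder names)
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map SITEMAP 10 ipsec-isakmp
crypto map SITEMAP 10 match address L2L
crypto map SITEMAP 10 set peer 203.0.113.1
crypto map SITEMAP 10 set transform-set ESP-3DES-SHA
crypto map SITEMAP interface outside

! RADIUS server at site1, reached through the tunnel (placeholder secret)
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.1.0.10 PLACEHOLDER_SECRET timeout 5
```

The corresponding mirror entries (PIX1's crypto ACL permitting host 10.1.0.10 to host 198.51.100.2) must exist on the site1 side, or the return traffic from the RADIUS server will not be selected for the tunnel. After applying the change, "debug packet outside" should show ESP rather than plain UDP/1645 or UDP/1812 leaving PIX2, and "show crypto ipsec sa" should show the new host-to-host proxy identities with increasing encrypt counters. Keeping the RADIUS exchange inside the tunnel matters because RADIUS only obfuscates the User-Password attribute with the shared secret; the rest of the request, including the username, is otherwise sent in clear text.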

It worked when I included the outside interface in the crypto map!

Thank you for valuable input.