
how to migrate from non AAA VPN to AAA VPN with PIX & ACS ?

guillerm
Level 1

PIX 6.3.3

ACS 3.2

PIX VPN users (Internet users, not LAN-to-LAN users) are, until now, authenticated only via the VPNGROUP and associated preshared password.

Now, we want to authenticate these VPN users through AAA and the ACS 3.2.

To do so, we coded the usual AAA commands and the following xauth isakmp command:

crypto map mymap client authentication radius

This works OK during test and the tested user is authenticated via the ACS server.

Question is:

Is there a way to migrate our numerous users, let's say, group by group, towards this new AAA method?

If we code the above crypto map command in our PIX, all our existing users will be forced to enter a userid/password (after the basic vpngroup/preshared password IKE phase), and so we will not be able to migrate group by group?

Can the vpngroup groupname user-authentication command help to do so, or is it reserved for LAN-to-LAN config? (I don't see the exact purpose of this command.)

Thanks in advance.

1 Reply

jsivulka
Level 5

I think user authentication cannot be configured on a per-VPN-group basis. I guess the rollover has to be in one go.
