PIX 6.3.3
ACS 3.2
PIX VPN users (Internet users, not LAN-to-LAN- users)are, until now, authenticated only via the VPNGROUP and associated preshared password;
Now, we want to authenticate these VPN users thru AAA and the ACS 3.2;
To do so, we coded the usual AAA commands and the following xauth isakmp command :
crypto map mymap client authentication radius
This works OK during test and the tested user is authenticated via the ACS server
Question is :
is there a way to migrate our numerous users, let's say, group by group, towards this new AAA method ?
if we code the above crypto map command in our PIX, all our existing users will be forced to enter a userid/password (after the basic vpngroup/preshared password IKE phase), and, so, we will not be able to migrate group by group ?
Can the vpngroup groupname user-authentication command help to do so or is it reserved for LAN-to-LAN config ? (I don't see the exact purpose of this command)
thanks in advance