We have a PIX 515 connecting to a Win2000 server for a site-to-site VPN connection.
The VPN user is accessing a development network on a secondary interface (not inside interface) of the PIX.
We already have access-lists on the PIX to limit where the VPN user can go and what he can do.
We have a need now to implement User Authentication as more users are now requiring the same access as the VPN user (on same VPN tunnel).
We have ACS v3.0 already in our environment (on the inside interface of the PIX) and want to set up user authentication using TACACS+.
The VPN users need FTP, HTTP, Telnet, XWindows and Windows Terminal Server Client access.
What is the best way to set this up?
Would the config below work?
aaa-server TACACS protocol tacacs+
aaa-server TACACS (inside) host 192.168.0.1 ciscosecret
aaa authentication include any inbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 TACACS
aaa authorization include any inbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 TACACS
aaa accounting include any inbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 TACACS
auth-prompt prompt Please Authenticate to the Firewall
auth-prompt reject Authentication Failed, Please Try Again
auth-prompt accept You've been Authenticated!
I know the PIX can authenticate for HTTP, FTP & Telnet, but what if the VPN user tries to establish a Terminal Server client connection? How is the user prompted for authentication?
I also have a question about timeouts. If setting an absolute or inactivity timeout using the "timeout uauth" commands, how does this impact your settings already set up for the VPN tunnel?
Your help is appreciated.
Thanks
Peter Cumming
Atlantic Lottery Corp.
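A small consistency checker for the aaa lines quoted in the post, added here as an example (it is not from the original thread and not Cisco's code). It parses the PIX 6.x "aaa-server" / "aaa ... include" syntax exactly as written above and flags two things a reviewer would look for before pushing such a config: a server tag that is referenced but has no host defined, and an authorization or accounting rule whose tag has no matching authentication rule (the PIX only authorizes sessions it has authenticated). The sample config is the one from the post; the function names parse_aaa and check_aaa are my own.

```python
import re

# Constructed sample: the PIX "aaa" lines from the post above, verbatim.
PIX_CONFIG = """\
aaa-server TACACS protocol tacacs+
aaa-server TACACS (inside) host 192.168.0.1 ciscosecret
aaa authentication include any inbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 TACACS
aaa authorization include any inbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 TACACS
aaa accounting include any inbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 TACACS
"""

PROTO_RE = re.compile(r"^aaa-server (\S+) protocol (\S+)")
HOST_RE = re.compile(r"^aaa-server (\S+) \((\S+)\) host (\S+) (\S+)")
RULE_RE = re.compile(
    r"^aaa (authentication|authorization|accounting) include (\S+) (\S+) "
    r"(\S+) (\S+) (\S+) (\S+) (\S+)$")


def parse_aaa(config):
    """Return (servers, rules) from the aaa-server and aaa include lines."""
    servers, rules = {}, []
    for line in config.splitlines():
        line = line.strip()
        if m := PROTO_RE.match(line):
            servers.setdefault(m[1], {"protocol": None, "hosts": []})
            servers[m[1]]["protocol"] = m[2]
        elif m := HOST_RE.match(line):
            servers.setdefault(m[1], {"protocol": None, "hosts": []})
            servers[m[1]]["hosts"].append({"if": m[2], "host": m[3]})
        elif m := RULE_RE.match(line):
            rules.append({"type": m[1], "service": m[2], "where": m[3],
                          "local": (m[4], m[5]), "foreign": (m[6], m[7]),
                          "tag": m[8]})
    return servers, rules


def check_aaa(config):
    """List findings: undefined server tags, authz/acct without authn."""
    servers, rules = parse_aaa(config)
    findings = []
    for r in rules:
        if r["tag"] not in servers or not servers[r["tag"]]["hosts"]:
            findings.append(f'{r["type"]}: server tag {r["tag"]} has no host')
    authn_tags = {r["tag"] for r in rules if r["type"] == "authentication"}
    for r in rules:
        if r["type"] != "authentication" and r["tag"] not in authn_tags:
            findings.append(
                f'{r["type"]}: no authentication rule for tag {r["tag"]}')
    return findings
```

Run check_aaa on a candidate config before applying it; an empty list means the tags and rule types are at least internally consistent.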