
VPNGroup and MS ISA?

brian-henry
Level 4

Hello,

I have a PIX 501 running v6.3 and already have VPN users terminating on the outside interface of the PIX by using the vpngroup, but I wanted to see if this is possible.

1. I want to be able to not just have the name and password for the vpngroup to allow them access; I want to add the prompt for user ID and password so that they have to provide a valid AD ID and password before they can finish the VPN connection. I want to use MS ISA to be able to do this. I found the doc where it shows how to authenticate with a local user but not tie it into the AD structure.

2. I also would like to allow remote SSH administrator rights to the PIX from anywhere. Is this possible without having an exact IP address? I know from a security perspective that this type of access is not best practice, so if anyone has any suggestions I would greatly appreciate it.

thanks!

Brian

Accepted Solution

gfullage
Cisco Employee

1. Sure, this is what you're after (http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800b6099.shtml).

Just add the commands:

aaa-server vpnaccess protocol radius

aaa-server vpnaccess (inside) host x.x.x.x blahblah

crypto map <map-name> client authentication vpnaccess

This will make all users authenticate via the RADIUS server at x.x.x.x, which you will have to configure to work with your AD domain. The <map-name> is the name of the crypto map you already have applied to the outside interface.

2. SSH access has to be opened up per IP address, but if you don't know the IP address the user is going to be coming from, just enter the following to open up access to all IP addresses:

ssh 0 0 outside

Obviously this has security implications as you've mentioned.


Thank you for your reply, I just wanted to make sure that what was stated in the doc for the ISA and WIN03 was all that I had to do.

I know I will have to also generate a key with the SSH and save it.

Thanks again.
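A fuller worked configuration that ties the thread together, added here as an example and not taken from the posts above or from Cisco's document: the two-step VPN login (vpngroup pre-shared key first, then a per-user prompt that the PIX checks against RADIUS, which the IAS/ISA box in turn checks against AD), and the SSH setup including the RSA key Brian mentions generating and saving. Everything is PIX 6.3 syntax. The map, pool, group and host names, the 10.1.1.10 RADIUS server, the 203.0.113.0/24 management network and both secrets are assumptions; the map name on the client authentication line must match whatever crypto map is already applied to the outside interface.

```text
: Added example for PIX 501 / 6.3, not from the thread. Names, addresses
: and secrets below are assumptions; replace them with your own.
:
: RADIUS server tag -> the IAS/ISA box on the inside, which validates the
: user against AD. The secret here must match the one entered for this
: PIX as a RADIUS client on the IAS/ISA side.
aaa-server vpnaccess protocol radius
aaa-server vpnaccess (inside) host 10.1.1.10 S3cretSharedKey timeout 5
:
: Existing remote-access pieces (assumed names). The vpngroup password is
: the group pre-shared key the users already type today.
ip local pool vpnpool 192.168.50.1-192.168.50.50
vpngroup remoteusers address-pool vpnpool
vpngroup remoteusers idle-time 1800
vpngroup remoteusers password GroupPreSharedKey
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set strong
crypto map outside_map 10 ipsec-isakmp dynamic dynmap
crypto map outside_map client configuration address respond
: This line adds the per-user ID/password prompt (xauth) on top of the
: group key. "outside_map" must be the map bound to the outside interface.
crypto map outside_map client authentication vpnaccess
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
sysopt connection permit-ipsec
:
: SSH. The RSA key needs hostname and domain-name set first, and it is
: only kept across a reload once "ca save all" has been run.
hostname pix501
domain-name example.com
ca generate rsa key 1024
ca save all
: Weak: SSH accepted from any source address on the outside interface
: (what "ssh 0 0 outside" expands to).
ssh 0.0.0.0 0.0.0.0 outside
: Better: remove that, allow only the network you actually manage from,
: shorten the idle timeout, and send SSH logins to the same RADIUS server
: so they use AD credentials instead of the single shared "passwd".
no ssh 0.0.0.0 0.0.0.0 outside
ssh 203.0.113.0 255.255.255.0 outside
ssh timeout 10
aaa authentication ssh console vpnaccess
write memory
```

The weak and restricted ssh lines are shown together only for contrast; enter one set or the other. Because the aaa-server line names the inside interface, the RADIUS requests leave from the PIX's inside address, so that is the address to register as the RADIUS client on the IAS/ISA side; if it is not registered, or the shared secret differs, the server ignores the Access-Request and the user sees xauth fail after the group key has already been accepted.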