Can Shared-Secret Site-to-Site VPN Coexist with RADIUS Authenticated VPN?

andyhsu
Level 1

Hello,

I have a site-to-site VPN setup between two offices on PIX 515Es (v.6.2 software), and recently added a vpngroup/shared-secret based remote-access VPN for one of the offices. Since that just required me to append a different policy number to my existing crypto map, it was a straightforward setup, and easily implemented. For additional security, I want to use a RADIUS server to give each remote user their own logins and profiles rather than a group password everyone is configured on. To do this though, it seems I have to append the following additional commands to my existing crypto map:

crypto map mymap client configuration address initiate

crypto map mymap client authentication RADIUS

These don't correspond to a policy number (my site-to-site is policy 10, and remote access is policy 20), so I'm not sure what the effect would be if I added them. Would it cause my site-to-site connection to request RADIUS authentication (a very bad thing)? If so, do I need another interface to bind a new crypto map to? Any answers to this would be greatly appreciated!

Also, if anyone knows of a sample configuration for a similar setup I can look at, please let me know! Thanks.

--A.Hsu

Accepted Solution

gfullage
Cisco Employee

For the site-to-site connection, change your isakmp key line and add the "no-xauth no-config-mode" parameters to the end of it, that'll tell the PIX not to do Radius auth or assign an IP address, etc for the specific site-to-site tunnel.

Config example is here:

http://www.cisco.com/warp/public/110/37.html

Note that this doesn't have the command options I just specified, I just sent an email to the web guys to fix that. Basically your config will look the same with the "no-xauth no-config-mode" options on the "isakmp key x.x.x.x ...." line for the LAN-to-LAN tunnel.

4 Replies

Thanks for the help, RADIUS and my point-to-point are both up and running now.

--A.Hsu

Bill
Level 1

I just did the same thing last week.

Try adding "no-xauth" to the end of your "crypto isakmp key" command.

For example "crypto isakmp key ciscokey address 1.1.1.1 no-xauth"

This will tell the site-to-site not to use Radius.

Sorry. That last post was for a router-to-router VPN.

It's similar for the Pix.

Use the command "isakmp key ciscokey address 1.1.1.1 netmask 255.255.255.255 no-xauth no-config-mode"
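As an added example (not posted in this thread and not taken from Cisco's documentation), here is a PIX 6.x configuration fragment assembling what gfullage's accepted answer and Bill's reply describe: one crypto map carrying both the static site-to-site entry (10) and the dynamic remote-access entry (20), XAUTH against RADIUS and mode-config enabled map-wide, and the "no-xauth no-config-mode" keywords on the site-to-site peer's "isakmp key" line so that one peer is exempted. All addresses, names and keys are placeholders, and the "!" lines are annotations rather than PIX commands.

```cisco
! Added example, not from this thread. Addresses, names and keys are placeholders.
! LAN-to-LAN peer is 203.0.113.2; remote-access clients get addresses from vpnpool.
access-list l2l permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list nonat
ip local pool vpnpool 10.10.10.1-10.10.10.50
sysopt connection permit-ipsec
!
! RADIUS server used for XAUTH of remote-access users; the tag is reused below
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.168.1.10 RadiusSharedSecret timeout 5
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
! Entry 10: static site-to-site tunnel to the other office
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address l2l
crypto map mymap 10 set peer 203.0.113.2
crypto map mymap 10 set transform-set myset
!
! Entry 20: dynamic entry for remote-access clients with unknown source addresses
crypto dynamic-map dynmap 20 set transform-set myset
crypto map mymap 20 ipsec-isakmp dynamic dynmap
!
! The next two lines apply to the whole map (every entry, including 10), which is
! what the question worries about: without the per-peer exemption further down,
! the PIX would also attempt XAUTH and mode-config against the site-to-site peer.
crypto map mymap client configuration address initiate
crypto map mymap client authentication RADIUS
crypto map mymap interface outside
!
isakmp enable outside
isakmp identity address
! Site-to-site peer: exempt this peer only from XAUTH and mode-config
isakmp key L2LPreSharedKey address 203.0.113.2 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
!
! Remote-access group: the group password is only the phase-1 secret; each user
! still authenticates individually to RADIUS through XAUTH
vpngroup remoteusers address-pool vpnpool
vpngroup remoteusers password GroupPreSharedKey
vpngroup remoteusers idle-time 1800
```

The exemption is per "isakmp key" line, so each additional site-to-site peer needs its own line with both keywords; a peer whose line lacks them will be challenged for XAUTH once "client authentication" is on the map.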