03-28-2003 08:14 PM - edited 02-21-2020 10:06 AM
Hello,
I have a site-to-site VPN setup between two offices on PIX 515Es (v.6.2 software), and recently added a vpngroup/shared-secret based remote-access VPN for one of the offices. Since that just required me to append a different policy number to my existing crypto map, it was a straight-forward setup, and easily implemented. For additional security, I want to use a RADIUS server to give each remote user their own logins and profiles rather than a group password everyone is configured on. To do this though, it seems I have to append the following additional commands to my existing crypto map:
crypto map mymap client configuration address initiate
crypto map mymap client authentication RADIUS
These don't correspond to a policy number (my site-to-site is policy 10, and remote access is policy 20), so I'm not sure what the effect would be if I added them. Would it cause my site-to-site connection to request RADIUS authentication (a very bad thing)? If so, do I need another interface to bind a new crypto map to? Any answers to this would be greatly appreciated!
Also, if anyone knows of a sample configuration for a similar setup I can look at, please let me know! Thanks.
--A.Hsu
03-30-2003 05:38 PM
For the site-to-site connection, change your isakmp key line and add the "no-xauth no-config-mode" parameters to the end of it, that'll tell the PIX not to do Radius auth or assign an IP address, etc for the specific site-to-site tunnel.
Config example is here:
http://www.cisco.com/warp/public/110/37.html
Note that this doesn't have the command options I just specified; I just sent an email to the web guys to fix that. Basically your config will look the same with the "no-xauth no-config-mode" options on the "isakmp key x.x.x.x ...." line for the LAN-to-LAN tunnel.
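The layout the answer above describes, written out as an added example (it is not part of the original thread or of the linked Cisco document). All addresses, names, keys and the aaa-server tag "partnerauth" are made up for illustration; the OP's sequence numbers 10 (site-to-site) and 20 (remote access) are kept. Lines starting with "!" are annotations, not PIX commands. The security-relevant point is that "client authentication" and "client configuration address" attach to the crypto map as a whole, not to one sequence number, so the only way to exempt the LAN-to-LAN peer from Xauth and config-mode is the per-peer "no-xauth no-config-mode" on its isakmp key line:

```cisco
! Added example: PIX 6.2 crypto map with a LAN-to-LAN tunnel (seq 10) and
! a RADIUS-authenticated remote-access entry (seq 20). Addresses, names,
! keys and the aaa-server tag are hypothetical.

! RADIUS server used for Xauth of remote-access users
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host 10.1.1.5 r4d1us-s3cret timeout 5

! Address pool pushed to remote-access clients by config-mode
ip local pool ippool 10.1.2.1-10.1.2.254

! Interesting traffic for the site-to-site tunnel (local LAN <-> remote LAN)
access-list l2l permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
! Exempt both the remote office and the client pool from NAT
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
nat (inside) 0 access-list nonat

sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-sha-hmac

! Dynamic map for clients whose source address is not known in advance
crypto dynamic-map dynmap 10 set transform-set myset

! Seq 10: static LAN-to-LAN peer
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address l2l
crypto map mymap 10 set peer 192.0.2.1
crypto map mymap 10 set transform-set myset
! Seq 20: remote-access clients via the dynamic map
crypto map mymap 20 ipsec-isakmp dynamic dynmap

! These two apply to the whole map "mymap", not to one sequence number:
! every peer negotiating through it gets Xauth and config-mode unless its
! isakmp key line opts out.
crypto map mymap client configuration address initiate
crypto map mymap client authentication partnerauth
crypto map mymap interface outside

isakmp enable outside
isakmp identity address
! LAN-to-LAN peer: pre-shared key with the opt-out, so the remote PIX is
! never prompted for a RADIUS username or handed a client address.
isakmp key l2l-pr3shared-key address 192.0.2.1 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! Remote-access group: the group password is only the IKE pre-shared key;
! each user is still authenticated individually against RADIUS via Xauth.
vpngroup remoteusers address-pool ippool
vpngroup remoteusers dns-server 10.1.1.2
vpngroup remoteusers default-domain example.com
vpngroup remoteusers idle-time 1800
vpngroup remoteusers password gr0up-pr3shared-key
```

Two things worth checking after applying this. First, if the LAN-to-LAN isakmp key line lacks "no-xauth no-config-mode", the remote PIX receives an Xauth request it cannot answer and phase 1 never completes; "show isakmp sa" on either side, or "debug crypto isakmp" while the tunnel is brought up, shows whether the site-to-site SA reaches a usable state. Second, the vpngroup password is still a shared group secret: RADIUS adds per-user authentication on top of it, but anyone holding the group key can reach the Xauth prompt, so the group key still needs to be rotated when someone leaves and the RADIUS accounts are the real per-user control.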
04-01-2003 04:04 PM
Thanks for the help, RADIUS and my point-to-point are both up and running now.
--A.Hsu
04-08-2003 01:56 AM
I just did the same thing last week.
Try adding "no-xauth" to the end of your "crypto isakmp key" command.
For example "crypto isakmp key ciscokey address 1.1.1.1 no-xauth"
This will tell the site-to-site not to use Radius.
04-08-2003 02:02 AM
Sorry. That last post was for a router-to-router VPN.
It's similar for the Pix.
Use the command "isakmp key ciscokey address 1.1.1.1 netmask 255.255.255.255 no-xauth no-config-mode"