VPN Authentication

Hi,

I'm using two PIXes (a 515 (6.3) and a 506 (6.3)) to create a LAN-to-LAN connection with the Easy VPN server and client tool. My PIX 515 acts as the server and the PIX 506 is the client. The PIX 515 also gets connections from software clients. Right now, everything works fine.

The reason I'm posting here is that we are looking for another way to authenticate the clients behind my hardware client. Right now we have to authenticate each computer one by one. To authenticate, I browse to any web page behind the Easy VPN server's inside interface and there I get a popup window. After that we enter a username and password matching our RADIUS server and we have full access to the network.

We are looking for a way that works where we don't have to authenticate each computer. I want to have the entire authentication done by the Easy VPN client (PIX 506).

I attach the VPN part of both configs. I would really appreciate it if someone can help me.

1 Reply

gfullage
Cisco Employee

This is called Individual User Authentication (IUA), and is configured on the VPN server, but the policy is then pushed down to the VPN client device. See here for details:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/basclnt.htm#wp1053271

Basically you would just configure the following on the 515:

vpngroup testvpn user-authentication
vpngroup testvpn user-idle-timeout
vpngroup testvpn authentication-server auth_vpn

This policy is pushed down to the client the next time it authenticates successfully, and from then on any attempt to bring up a tunnel will start the user authentication process behind the 506. In this scenario the authentication request comes directly from the 506, not from the 515, so make sure you add the 506 to your RADIUS server as a client.
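As an added example (not from the original post or the reply, and not the poster's attached configs), here is what the two sides look like when the IUA policy described above is put together with the rest of the Easy VPN server and client configuration on PIX 6.3. The group name testvpn and the AAA server tag auth_vpn come from the reply; the RADIUS server address 10.1.1.10, the shared key S3cretKey, the 515's outside address 192.0.2.1, the idle timeout value, and the pre-shared and Xauth passwords are assumptions made up for the illustration.

```cisco
! ---- PIX 515 (Easy VPN server) ----
! RADIUS server that answers the per-user (IUA) requests.
aaa-server auth_vpn protocol radius
aaa-server auth_vpn (inside) host 10.1.1.10 S3cretKey timeout 5

! Group policy for the hardware client and software clients.
vpngroup testvpn address-pool vpnpool
vpngroup testvpn password GroupPreSharedKey
! IUA: every host behind the 506 must authenticate individually.
vpngroup testvpn user-authentication
! Idle timeout for an authenticated user (hh:mm:ss form assumed here).
vpngroup testvpn user-idle-timeout 00:30:00
! Server tag the 506 will query directly; the 506's outside address
! therefore has to be defined as a RADIUS client on 10.1.1.10.
vpngroup testvpn authentication-server auth_vpn

! ---- PIX 506 (Easy VPN remote / hardware client) ----
vpnclient server 192.0.2.1
vpnclient mode network-extension-mode
vpnclient vpngroup testvpn password GroupPreSharedKey
! Device-level Xauth credentials stored on the 506 itself.
vpnclient username pix506 password DevicePassword
vpnclient enable
```

Usage note: the three IUA lines on the 515 are the ones the reply lists; the `vpnclient` block is what the 506 needs to bring the tunnel up at all, with `vpnclient username` holding the credentials the device uses for its own Xauth. Removing the IUA policy on the 515 with the `no` form of `vpngroup testvpn user-authentication` leaves only that device-level authentication, which is the behaviour the original poster asked about.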