Question : Problem: Multiple Access VPN with multiple Radius Servers

Hi

I am trying to set up multiple access VPNs on a PIX 515E and authenticate them against different domains (Active Directory) via RADIUS servers within each respective domain, so far with some success but not yet fully implemented correctly.

What I have achieved is the 3 separate VPN accounts that connect correctly to the PIX, assign the correct IP ranges per VPN account and correct ACLs, but I cannot get the accounts to authenticate with the other RADIUS servers in the other domains.

I have found next to nothing on how to set this up. Is it possible to achieve? With or without a VPN concentrator.

Hope someone has some ideas? Thanks in advance.

Config cleaned a little :)

1st VPN Account
crypto ipsec transform-set remote_usr-set esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set remote_usr-set
crypto map cryptomap1 10 ipsec-isakmp dynamic dynmap
crypto map cryptomap1 client authentication vpnAuth
crypto map cryptomap1 interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
ip local pool vpn-usr1_pool 192.168.69.*-192.168.69.*
vpngroup vpn-usr1 address-pool vpn-usr1_pool
vpngroup vpn-usr1 dns-server 172.17.*.12
vpngroup vpn-usr1 wins-server 172.17.*.14
vpngroup vpn-usr1 default-domain *********.net
vpngroup vpn-usr1 idle-time 1800
vpngroup vpn-usr1 password ********
aaa-server vpnAuth protocol radius
aaa-server vpnAuth max-failed-attempts 3
aaa-server vpnAuth deadtime 10
aaa-server vpnAuth (inside) host 172.17.*.13 ************ timeout 10
crypto ipsec transform-set remote_usr-set esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set remote_usr-set
crypto map cryptomap1 10 ipsec-isakmp dynamic dynmap
crypto map cryptomap1 interface outside

2nd VPN Account
crypto map cryptomap1 20 ipsec-isakmp dynamic dynmaplat
crypto map cryptomap1 client authentication vpnAuthLat
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
ip local pool vpn-lat_pool 192.168.72.*-192.168.72.*
aaa-server vpnAuthLat protocol radius
aaa-server vpnAuthLat max-failed-attempts 3
aaa-server vpnAuthLat deadtime 10
aaa-server vpnAuthLat (inside) host 192.168.50.4 ********* timeout 10
vpngroup vpn-usrlat address-pool vpn-lat_pool
vpngroup vpn-usrlat dns-server 192.168.*.4
vpngroup vpn-usrlat wins-server 192.168.*.4
vpngroup vpn-usrlat default-domain **********.au
vpngroup vpn-usrlat idle-time 1800
vpngroup vpn-usrlat password *************

3rd VPN Account
crypto dynamic-map dynmap 30 set transform-set remote_usr-set
crypto map cryptomap1 30 ipsec-isakmp dynamic dynmapWyn
crypto map cryptomap1 client authentication vpnAuthWyn
isakmp enable outside
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
ip local pool vpn-wyn_pool 192.168.71.*-192.168.71.*
vpngroup vpn-usrwyn address-pool vpn-wyn_pool
vpngroup vpn-usrwyn dns-server 192.168.*.12
vpngroup vpn-usrwyn wins-server 192.168.*.12
vpngroup vpn-usrwyn default-domain ***********.au
vpngroup vpn-usrwyn idle-time 1800
vpngroup vpn-usrwyn password *************
aaa-server vpnAuthWyn (inside) host 192.168.*.12 *********** timeout 10

access-list nonat permit ip 192.168.72.0 255.255.255.0 object-group network_dmz
access-list nonat permit ip 192.168.71.0 255.255.255.0 object-group network_dmz
access-list nonat permit ip 192.168.72.0 255.255.255.0 object-group network_inside
access-list nonat permit ip 192.168.71.0 255.255.255.0 object-group network_inside
access-list nonat permit ip 192.168.69.0 255.255.255.0 object-group network_inside
access-list nonat permit ip 192.168.69.0 255.255.255.0 object-group network_dmz

Answer : Problem: Multiple Access VPN with multiple Radius Servers

Basically you can only authenticate against a single RADIUS server.
Each crypto map can only be configured to authenticate against a single RADIUS server; the only possible way of doing it would be to have multiple crypto maps. However, due to the way they work, I suspect that the first matching one will be used and if authentication fails further ones will not be tried.

The way it should be done is just to have a single RADIUS server. When the user gets the xauth popup window asking for their individual username/password, they should enter the username in the domain\username format and the RADIUS server should authenticate them on the domain specified.
You would only need a single vpngroup.
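As an added illustration that is not part of the original answer or of the PIX configuration above, the following Python models what the single-RADIUS-server approach relies on: the PIX sends one Access-Request (RFC 2865 framing, PAP password hidden with the shared secret) carrying the User-Name exactly as typed at the xauth prompt, and the RADIUS server or proxy reads the domain prefix from that name and hands the request to the matching per-domain backend instead of the firewall trying one aaa-server per crypto map. The domain names, backend hostnames and shared secrets are constructed placeholders, not values from the post, and the dispatcher stands in for whatever realm handling the real RADIUS server provides.

```python
"""Constructed example: one RADIUS front end, domain\\user routing to per-domain backends."""
import hashlib
import os
import struct
from typing import Optional

ACCESS_REQUEST = 1        # RADIUS Code: Access-Request (RFC 2865)
ATTR_USER_NAME = 1        # User-Name attribute type
ATTR_USER_PASSWORD = 2    # User-Password attribute type (PAP, hidden with MD5 chaining)

# Constructed secrets: one shared between the PIX and the front end, one per backend.
NAS_SECRET = b"pix-to-frontend-secret-PLACEHOLDER"
BACKEND_SECRET = b"frontend-to-backend-secret-PLACEHOLDER"

# Constructed per-domain backends standing in for the three AD domains in the question.
DOMAIN_BACKENDS = {
    "domainA": ("radius-a.example.invalid", BACKEND_SECRET),
    "domainB": ("radius-b.example.invalid", BACKEND_SECRET),
    "domainC": ("radius-c.example.invalid", BACKEND_SECRET),
}


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: zero-pad to a 16-byte multiple, XOR each block with MD5(secret + previous block)."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        c = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + c, c
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; only the server holding the matching secret can do this."""
    if len(hidden) % 16:
        raise ValueError("hidden password must be a multiple of 16 octets")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        c = hidden[i:i + 16]
        out, prev = out + _xor(c, hashlib.md5(secret + prev).digest()), c
    return out.rstrip(b"\x00")


def build_access_request(identifier: int, username: str, password: str, secret: bytes,
                         authenticator: Optional[bytes] = None) -> bytes:
    """Frame a minimal Access-Request, as the NAS would after the xauth prompt."""
    authenticator = authenticator or os.urandom(16)       # 16-octet Request Authenticator
    name = username.encode()
    hidden = hide_password(password.encode(), secret, authenticator)
    attrs = struct.pack("!BB", ATTR_USER_NAME, 2 + len(name)) + name
    attrs += struct.pack("!BB", ATTR_USER_PASSWORD, 2 + len(hidden)) + hidden
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_access_request(packet: bytes) -> dict:
    """Decode header and TLV attributes, rejecting truncated or inconsistent packets."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    attrs, pos = {}, 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return {"identifier": identifier, "authenticator": packet[4:20], "attrs": attrs}


def split_realm(username: str):
    """Accept domain\\user (the form the answer recommends) or user@domain; return (domain, user)."""
    if "\\" in username:
        domain, _, user = username.partition("\\")
        return domain, user
    if "@" in username:
        user, _, domain = username.rpartition("@")
        return domain, user
    return None, username


def route_request(packet: bytes, nas_secret: bytes, backends: dict = DOMAIN_BACKENDS) -> dict:
    """Front-end logic: pick exactly one backend from the domain prefix and re-hide the
    password under that backend's secret; unknown or missing domains are rejected outright
    rather than sprayed across every backend."""
    req = parse_access_request(packet)
    name = req["attrs"].get(ATTR_USER_NAME, b"").decode(errors="replace")
    domain, user = split_realm(name)
    if domain is None or domain not in backends:
        return {"action": "Access-Reject", "reason": "unknown or missing domain", "user": user}
    host, backend_secret = backends[domain]
    password = reveal_password(req["attrs"][ATTR_USER_PASSWORD], nas_secret, req["authenticator"])
    forwarded = build_access_request(req["identifier"], name, password.decode(), backend_secret)
    return {"action": "forward", "backend": host, "domain": domain, "user": user, "forwarded": forwarded}
```

The point to take from the routing function is that the decision is made once, on the User-Name the client typed, which is why a single vpngroup and a single aaa-server on the PIX is enough: the per-domain choice happens behind the RADIUS server, not in the crypto map.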