Question : Problem: Multiple Access VPN with multiple Radius Servers
Hi
I am trying to set up multiple access VPNs on a PIX 515E and authenticate them against different domains (Active Directory) via RADIUS servers within each respective domain, so far with some success but not yet fully implemented correctly.
What I have achieved is the 3 separate VPN accounts that connect correctly to the PIX, assign the correct IP ranges per VPN account and correct ACLs, but I cannot get the accounts to authenticate with the other RADIUS servers in the other domains.
I have found next to nothing on how to set this up. Is it possible to achieve? With or without a VPN concentrator.
Hope someone has some ideas? Thanks in advance.
Config cleaned a little :)
1st VPN Account
crypto ipsec transform-set remote_usr-set esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set remote_usr-set
crypto map cryptomap1 10 ipsec-isakmp dynamic dynmap
crypto map cryptomap1 client authentication vpnAuth
crypto map cryptomap1 interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
ip local pool vpn-usr1_pool 192.168.69.*-192.168.69.*
vpngroup vpn-usr1 address-pool vpn-usr1_pool
vpngroup vpn-usr1 dns-server 172.17.*.12
vpngroup vpn-usr1 wins-server 172.17.*.14
vpngroup vpn-usr1 default-domain *********.net
vpngroup vpn-usr1 idle-time 1800
vpngroup vpn-usr1 password ********
aaa-server vpnAuth protocol radius
aaa-server vpnAuth max-failed-attempts 3
aaa-server vpnAuth deadtime 10
aaa-server vpnAuth (inside) host 172.17.*.13 ************ timeout 10
crypto ipsec transform-set remote_usr-set esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set remote_usr-set
crypto map cryptomap1 10 ipsec-isakmp dynamic dynmap
crypto map cryptomap1 interface outside
2nd VPN Account
crypto map cryptomap1 20 ipsec-isakmp dynamic dynmaplat
crypto map cryptomap1 client authentication vpnAuthLat
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
ip local pool vpn-lat_pool 192.168.72.*-192.168.72.*
aaa-server vpnAuthLat protocol radius
aaa-server vpnAuthLat max-failed-attempts 3
aaa-server vpnAuthLat deadtime 10
aaa-server vpnAuthLat (inside) host 192.168.50.4 ********* timeout 10
vpngroup vpn-usrlat address-pool vpn-lat_pool
vpngroup vpn-usrlat dns-server 192.168.*.4
vpngroup vpn-usrlat wins-server 192.168.*.4
vpngroup vpn-usrlat default-domain **********.au
vpngroup vpn-usrlat idle-time 1800
vpngroup vpn-usrlat password *************
3rd VPN Account
crypto dynamic-map dynmap 30 set transform-set remote_usr-set
crypto map cryptomap1 30 ipsec-isakmp dynamic dynmapWyn
crypto map cryptomap1 client authentication vpnAuthWyn
isakmp enable outside
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
ip local pool vpn-wyn_pool 192.168.71.*-192.168.71.*
vpngroup vpn-usrwyn address-pool vpn-wyn_pool
vpngroup vpn-usrwyn dns-server 192.168.*.12
vpngroup vpn-usrwyn wins-server 192.168.*.12
vpngroup vpn-usrwyn default-domain ***********.au
vpngroup vpn-usrwyn idle-time 1800
vpngroup vpn-usrwyn password *************
aaa-server vpnAuthWyn (inside) host 192.168.*.12 *********** timeout 10
access-list nonat permit ip 192.168.72.0 255.255.255.0 object-group network_dmz
access-list nonat permit ip 192.168.71.0 255.255.255.0 object-group network_dmz
access-list nonat permit ip 192.168.72.0 255.255.255.0 object-group network_inside
access-list nonat permit ip 192.168.71.0 255.255.255.0 object-group network_inside
access-list nonat permit ip 192.168.69.0 255.255.255.0 object-group network_inside
access-list nonat permit ip 192.168.69.0 255.255.255.0 object-group network_dmz
Answer : Problem: Multiple Access VPN with multiple Radius Servers
Basically you can only authenticate against a single RADIUS server.
Each cryptomap can only be configured to authenticate against a single RADIUS server; the only possible way of doing it would be to have multiple crypto maps. However, due to the way they work, I suspect that the first matching one will be used and if authentication fails further ones will not be tried.
The way it should be done is just to have a single RADIUS server. When the user gets the xauth popup window asking for their individual username/password they should enter the username in the domain\username format and the RADIUS server should authenticate them on the domain specified.
You would only need a single vpngroup.
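The question and the answer above both hinge on one RADIUS front end recognising a domain\username login and authenticating it against the right domain. As an added illustration that is not part of this thread, the Python below shows the realm-routing step such a front end or proxy applies before it forwards a request: it splits the DOMAIN\user and user@domain forms, normalises the realm, refuses malformed or unknown realms rather than silently falling through to a default server, and selects the per-domain backend. The domain names, aliases and server addresses are constructed placeholders, and the router is an assumption about how such a server behaves, not the configuration of any particular product.

```python
# Added example, not from the original thread: realm-based routing of an xauth
# username (DOMAIN\user or user@domain) to the RADIUS server for that domain.
# All domain names and addresses below are constructed placeholders.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class RadiusBackend:
    name: str            # short name of the AD domain this server answers for
    host: str            # constructed placeholder address, not a real server
    aliases: tuple       # every realm spelling that should map to this server
    port: int = 1812


# One backend per Active Directory domain (constructed sample data).
_SERVERS = (
    RadiusBackend("corp", "192.0.2.13", ("corp", "corp.example.net")),
    RadiusBackend("lat", "192.0.2.4", ("lat", "lat.example.au")),
    RadiusBackend("wyn", "192.0.2.12", ("wyn", "wyn.example.au")),
)
BACKENDS = {alias: server for server in _SERVERS for alias in server.aliases}

# Realm used when the user types a bare username with no domain at all.
DEFAULT_REALM = "corp"

# Realm labels are restricted to DNS/NetBIOS-safe characters.
_REALM_RE = re.compile(r"^[A-Za-z0-9._-]+$")


def split_realm(username):
    """Return (realm, bare_user) for DOMAIN\\user, user@domain or a bare user.

    Malformed names raise ValueError so they are rejected before any backend
    is contacted.  The realm is lower-cased because AD domain names are
    case-insensitive and the backend table is keyed in lower case.
    """
    if "\\" in username and "@" in username:
        raise ValueError("ambiguous realm syntax: both '\\' and '@' present")
    if "\\" in username:
        realm, _, user = username.partition("\\")
    elif "@" in username:
        # rpartition so a user part containing '@' is not split at the wrong place
        user, _, realm = username.rpartition("@")
    else:
        realm, user = "", username
    if not user:
        raise ValueError("empty username")
    if realm and not _REALM_RE.match(realm):
        raise ValueError("malformed realm")
    return realm.lower(), user


def route(username):
    """Select the backend for a login name and return (backend, bare_user).

    An unknown realm is refused with LookupError rather than being sent to the
    default server, so a typo in the domain cannot end up authenticated against
    the wrong domain.
    """
    realm, user = split_realm(username)
    if not realm:
        realm = DEFAULT_REALM
    backend = BACKENDS.get(realm)
    if backend is None:
        raise LookupError(f"no RADIUS backend for realm {realm!r}")
    return backend, user


if __name__ == "__main__":
    for name in ("LAT\\alice", "bob@wyn.example.au", "carol", "nowhere\\dave"):
        try:
            backend, user = route(name)
            print(f"{name!r} -> {user} on {backend.name} ({backend.host}:{backend.port})")
        except (ValueError, LookupError) as exc:
            print(f"{name!r} rejected: {exc}")
```

The bare-username fallback to DEFAULT_REALM is a policy choice; a deployment with no natural "home" domain would instead reject bare names so that every login states its domain explicitly.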