
Cisco PIX, Radius and Multiple Groups

  • 26-10-2006 11:28pm
    Registered Users Posts: 4,150 ✭✭✭


    Evenin'

    I had a quick question regarding using Radius authentication for both administrative and VPN access on a PIX 515. The Radius server is IAS on Windows 2003, with an access policy permitting users who are members of the Cisco Admin (AD) group with a NAS IP of the PIX inside interface. It's working fine for administrative and VPN access, but what I would like to do is expand its use to allow non-admin users remote VPN access without allowing administrative access. From what I can see this cannot be done with just the one IAS server. If I understand it correctly the PIX will just wait for a yes or no from Radius, which in turn is just getting a yes/no from the remote access policies, so if Policy1 is my admin one but Policy2 is to allow all dial-in approved users, then any user failing Policy1 but matching Policy2 could authenticate to the PIX admin functions, since Radius will get a remote-access green light from the final matching policy?

    I'd be happy to hear this is wrong as I don't want to have to run 2 different Radius servers if I can help it.

    Thanks.
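The evaluation the question describes, as an added illustration that is not code from this thread, from IAS or from the PIX: a small model of ordered, first-match remote access policies and of a NAS that only consumes the final accept/reject. It assumes a constructed `purpose` attribute on the request to stand in for whatever, if anything, would let a policy tell an admin-console login apart from a VPN login; the group names, NAS address and user names are made up for the example.

```python
# Added illustration (not code from the thread): a model of how an IAS-style
# RADIUS server evaluates ordered remote access policies, and why a NAS that
# only sees Access-Accept/Access-Reject cannot separate admin logins from VPN
# logins unless some policy condition separates the two request types.
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    """Constructed view of what the NAS sends and what IAS resolves about it."""
    user: str
    groups: frozenset      # AD group memberships IAS looks up for the user
    nas_ip: str            # NAS-IP-Address attribute in the Access-Request
    # ASSUMPTION: some attribute on the request distinguishes a console/admin
    # login from a VPN login (modelled here as a plain string). Whether the PIX
    # actually sends such an attribute is not established in the thread.
    purpose: str           # "admin" or "vpn"


@dataclass
class Policy:
    """One remote access policy: every condition must hold, then grant or deny."""
    name: str
    conditions: dict       # "group" -> required membership; other keys -> attribute value
    grant: bool

    def matches(self, req: AccessRequest) -> bool:
        for attr, want in self.conditions.items():
            if attr == "group":
                if want not in req.groups:
                    return False
            elif getattr(req, attr) != want:
                return False
        return True


def evaluate(policies, req):
    """First-match semantics: the first policy whose conditions all hold decides,
    yielding Access-Accept (grant) or Access-Reject. A request matching no
    policy is rejected. Returns (decision, name of the deciding policy)."""
    for policy in policies:
        if policy.matches(req):
            return ("accept" if policy.grant else "reject", policy.name)
    return ("reject", None)


def nas_allows(policies, req) -> bool:
    """All the PIX ever learns from the exchange: accept or reject."""
    return evaluate(policies, req)[0] == "accept"


PIX_INSIDE = "10.0.0.1"   # constructed NAS address

# The setup described in the post: Policy1 for the Cisco Admin group, followed
# by a broader Policy2 for everyone approved for dial-in. Neither condition set
# looks at what kind of access is being requested.
ORIGINAL_POLICIES = (
    Policy("Policy1", {"group": "Cisco Admin", "nas_ip": PIX_INSIDE}, grant=True),
    Policy("Policy2", {"group": "VPN Users", "nas_ip": PIX_INSIDE}, grant=True),
)

# Same groups, but Policy2 is narrowed to VPN requests, so an admin-console
# request from a non-admin falls through every policy and is rejected.
SEPARATED_POLICIES = (
    Policy("Policy1", {"group": "Cisco Admin", "nas_ip": PIX_INSIDE}, grant=True),
    Policy("Policy2-VPN", {"group": "VPN Users", "nas_ip": PIX_INSIDE,
                           "purpose": "vpn"}, grant=True),
)

# Constructed requests.
ADMIN_LOGIN_BY_VPN_USER = AccessRequest("bob", frozenset({"VPN Users"}), PIX_INSIDE, "admin")
VPN_LOGIN_BY_VPN_USER = AccessRequest("bob", frozenset({"VPN Users"}), PIX_INSIDE, "vpn")
ADMIN_LOGIN_BY_ADMIN = AccessRequest("alice", frozenset({"Cisco Admin", "VPN Users"}),
                                     PIX_INSIDE, "admin")


if __name__ == "__main__":
    for label, policies in (("original", ORIGINAL_POLICIES), ("separated", SEPARATED_POLICIES)):
        print(label, "admin login by VPN-only user ->", evaluate(policies, ADMIN_LOGIN_BY_VPN_USER))
        print(label, "vpn login by VPN-only user   ->", evaluate(policies, VPN_LOGIN_BY_VPN_USER))
        print(label, "admin login by admin         ->", evaluate(policies, ADMIN_LOGIN_BY_ADMIN))
```

With the original policy order the VPN-only user's admin-console request is accepted by Policy2, and the PIX has no way to see that it was Policy2 rather than Policy1 that said yes; with a condition that tells the two request types apart, the same request matches nothing and is rejected while the user's VPN login still succeeds.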


Comments

  • Banned (with Prison Access) Posts: 25,234 ✭✭✭✭ Sponge Bob


    You can sometimes set the vpn client to come up before logging on to windows is complete on an XP Pro machine, thereby skipping _certain_ problems like these (options menu, windows logon properties in the vpn client). Sometimes vice versa does the same.

    You may also use the web admin (be it the PDM or ASDM (sys 6 or sys 7)) to create multiple parallel VPN groups so the admins log into one and the users log into another, but they use the one radius server. You are not restricted to one remote vpn group only.

    Finally you can set the admins' vpn to auth on the pix itself, bypassing or ignoring radius, as far as I remember. E.g. their vpn username and password are on the pix and not radius checked. Therefore:

    a) if an admin leaves you change this password only
    b) only domain users come in on radius auth

    These are just suggestions mind. If you break anything you are on your own :p


  • Registered Users Posts: 4,150 ✭✭✭ _CreeD_


    Thanks Bob, we had been using local authentication before; I was just trying to unify our credentials so we'd only have one set to maintain. I will be creating multiple groups, but they only define the IPSEC details and initial IKE shared key (VPN groups are not user-groups as such). I think I may have to leave it at local authentication; the other IT folks can live with it I think, pain in the ass though (the price of being cheap and relying on Radius+IAS I guess, I'm pretty sure the Cisco Access Server software can differentiate groups, getting my boss to pay for it simply for convenience though....nah.....;) ).

    Thanks again.

