Hi.. Sorry me again, I just realise that W2K can act as a RADIUS server, is it true?? I tried to installed cisco CSACS software on my W2K server, it prompt me that another program is using RADIUS port, pls disable it, it means my W2K server come with RADIUS? Where to configure it?
the aaa.bbb.ccc.10 (shown below) is the IP of my W2K server? I should configure my W2k Radius server to have the same key "PASSWORD HERE" as the PIX515 right? Where can I enter this value in my W2k server? >aaa-server AuthInbound (inside) host aaa.bbb.ccc.10 PASSWORD HERE timeout >10 >From: Daniel Cotts >To: "'Richard Campbell'" , [EMAIL PROTECTED] >Subject: RE: multiple isakmp policies question-No authentication [7:69996] >Date: Mon, 2 Jun 2003 18:25:38 -0500 > >In the following config RADIUS is used to authenticate the Clients. IIRC >The >group password is sufficient to allow a client to connect - although not >too >secure as all clients would have one password. >crypto map FF_fw_int0 client authentication AuthInbound >aaa-server RADIUS protocol radius >aaa-server AuthInbound protocol radius >aaa-server AuthInbound (inside) host aaa.bbb.ccc.10 PASSWORD HERE timeout >10 > > > -----Original Message----- > > From: Richard Campbell [mailto:[EMAIL PROTECTED] > > Sent: Monday, June 02, 2003 8:07 AM > > To: [EMAIL PROTECTED] > > Subject: RE: multiple isakmp policies question-No authentication > > [7:69996] > > > > > > Hey... thanks.. finally I got response from my PIX515, but > > it just hang at > > securing communication channel stage (see below) and it > > doesn't authenticate > > the users. What config should I add to point it to my > > authentication server > > 192.168.1.201? For your info, my VPN client is installed at > > Win95 and my > > authentication server is a W2K server. > > > > Initializing the connection... > > Contacting the gateway at 100.100.100.101... > > Negotiating security policies... > > Securing communication channel... > > > > I remember in VPN3000 server, I need to specify the > > authentication server > > for VPN group, but why in PIX515 sample on the net, why it > > doesn't have this > > entry > > > > >From: Andrew Larkins > > > > > >from what I remember about this, they will try each policy > > until a match is > > >amde, otherwise the connection terminates > > > > > >-----Original Message----- > > >From: Richard Campbell [mailto:[EMAIL PROTECTED] > > > > > >hey.. I have a PIX 515 and have a PIX to PIX connection to > > London and NY > > >using pre-shared key des, hash sha and dh group 1 and I am > > going to let > > >VPN3000 client 3.X connect to here as here and I created > > another isakmp > > >policy 20, with hash md5, dh group 2 as shown below. Can u > > take a look > > >whether the config is correct? > > > > > >And my question is I have 2 isakmp policies here, how does > > the PIX-PIX and > > >VPN 3000 3.X client know which isakmp policy to take? > > > > > >crypto ipsec transform-set newset esp-des > > >crypto dynamic-map dynmap 30 set transform-set newset > > >crypto map newmap 10 ipsec-isakmp > > >crypto map newmap 10 match address 101 > > >crypto map newmap 10 set peer nyapix > > >crypto map newmap 10 set transform-set newset > > >crypto map newmap 20 ipsec-isakmp > > >crypto map newmap 20 match address 102 > > >crypto map newmap 20 set peer ldnpix > > >crypto map newmap 20 set transform-set newset > > >crypto map newmap 30 ipsec-isakmp dynamic dynmap > > >crypto map newmap interface outside > > >isakmp enable outside > > >isakmp key ******** address ldnpix netmask 255.255.255.255 > > >isakmp key ******** address nyapix netmask 255.255.255.255 > > >isakmp identity address > > >isakmp policy 10 authentication pre-share > > >isakmp policy 10 encryption des > > >isakmp policy 10 hash sha > > >isakmp policy 10 group 1 > > >isakmp policy 10 lifetime 86400 > > > > > >isakmp policy 20 authentication pre-share > > >isakmp policy 20 encryption des > > >isakmp policy 20 hash md5 > > >isakmp policy 20 group 2 > > >isakmp policy 20 lifetime 86400 > > > > > >vpngroup CLIENTS address-pool REMOTEIPPOOLS > > >vpngroup CLIENTS dns-server 192.168.1.201 > > >vpngroup CLIENTS wins-server 192.168.1.201 > > >vpngroup CLIENTS default-domain xyz.com > > >vpngroup CLIENTS idle-time 1800 > > >vpngroup CLIENTS password ******** > > > > > >_________________________________________________________________ > > >Protect your PC - get McAfee.com VirusScan Online > > >http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=3963 > > _________________________________________________________________ > > Add photos to your messages with MSN 8. Get 2 months FREE*. > > http://join.msn.com/?page=features/featuredemail _________________________________________________________________ The new MSN 8: smart spam protection and 2 months FREE* http://join.msn.com/?page=features/junkmail Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=70043&t=70043 -------------------------------------------------- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
