Cisco PIX Radius and multiple groups

Ahriakin SupremeNetworkOverlord Member Posts: 1,799
Evenin'

I had a quick question regarding using Radius authentication for both administrative and VPN access on a PIX 515. The Radius server is IAS on Windows 2003, with an access policy permitting users who are members of the Cisco Admin (AD) group with a NAS IP of the PIX inside interface. It's working fine for administrative and VPN access, but what I would like to do is expand its use to allow non-admin users remote VPN access without allowing administrative access. From what I can see this cannot be done with just the one IAS server. If I understand it correctly, the PIX will just wait for a yes or no from Radius, which in turn is just getting a yes/no from the remote access policies. So if Policy1 is my admin one but Policy2 is to allow all dial-in approved users, then any user failing Policy1 but matching Policy2 could authenticate to the PIX admin functions, since Radius will get a remote-access green light from the final matching policy?

I'd be happy to hear this is wrong as I don't want to have to run 2 different Radius servers if I can help it.

Thanks.
We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?

Comments

  • garv221 Member Posts: 1,914
    I have a 525, 515, 506 and 501 all with VPN connections; I use Cisco software to manage the VPN groups. All the security is handled by my Active Directories; using the Cisco software gives me a lot more security options than just using Radius from a Windows server. Check it out on their site. I believe this would solve your problem, as you can create separate groups which authenticate through the PIX and still pick up separate security settings from AD.
  • Ahriakin SupremeNetworkOverlord Member Posts: 1,799
    Thanks Gary, yup I figured we may have to get a better software package to do this....so much for being cheap ;).

    Cheers.