(RADIATOR) Cisco VPN3030 to
Hugh Irvine
hugh at open.com.au
Sat Mar 12 00:20:23 CST 2005
Hello Sean -
Your configuration file looks fine, although if you only have a single
AuthBy clause for authentication, you do not need an AuthBy GROUP
around it.
I also tend to find it useful to do accounting to rotating files as
shown below.
And comments should be on separate lines so they are not taken to be
part of a parameter.
BTW - almost any Cisco device can be used to terminate VPN connections,
so even an old router can be used for testing.
hope that helps
regards
Hugh
...
# vpn client authentication requests
# from cf-vpn can come
# either public or private interfaces
<Client IP address here>
    Identifier CF-VPN-PUB
    Secret xxx
</Client>

# vpn client authentication requests
# from cf-vpn can come
# either public or private interfaces
<Client IP address here>
    Identifier CF-VPN-PRI
    Secret xxx
</Client>

<Handler Client-Identifier = CF-VPN-PUB>
    <AuthBy LSA>
        # Active Directory group
        Group VPNSW
        DomainController xxx
    </AuthBy>
    AcctLogFileName %L/detail-pub-%Y-%m-%d
    AuthLog remoteaccess-authlog
</Handler>

<Handler Client-Identifier = CF-VPN-PRI>
    <AuthBy LSA>
        # Active Directory group
        Group VPNSW
        DomainController xxx
    </AuthBy>
    AcctLogFileName %L/detail-pri-%Y-%m-%d
    AuthLog remoteaccess-authlog
</Handler>
...
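As an added illustration, not part of Hugh's reply or of Radiator itself: a small Python linter that flags the two configuration problems described above, a trailing comment that a line-oriented reader would absorb into the parameter value, and an AuthBy GROUP that wraps only a single AuthBy. The sample config and the hostname dc.example.test are constructed, and the reader models a simple line-oriented parser rather than Radiator's own.

```python
import re

# Constructed sample, not from the page: the original snippet's shape with the
# two issues the reply points out (inline comment, single-child AuthBy GROUP).
SAMPLE = """\
<Handler Client-Identifier = CF-VPN-PUB>
  <AuthBy GROUP>
    <AuthBy LSA>
      Group VPNSW # Active Directory group
      DomainController dc.example.test
    </AuthBy>
  </AuthBy>
  # a comment on its own line is fine
  AcctLogFileName %L/detail-pub-%Y-%m-%d
</Handler>
"""

OPEN_RE = re.compile(r"^<([\w-]+)(?:\s+(.*?))?>$")
CLOSE_RE = re.compile(r"^</[\w-]+>$")

def param_value(line):
    """Split a parameter line the way a line-oriented reader would:
    the first word is the name, everything after it is the value,
    including any trailing '# comment' text."""
    name, _, value = line.strip().partition(" ")
    return name, value.strip()

def lint(text):
    """Return (lineno, message) findings for trailing comments on parameter
    lines and for an AuthBy GROUP that wraps exactly one AuthBy clause."""
    findings, stack = [], []  # stack item: [clause, arg, authby_children, lineno]
    for n, raw in enumerate(text.splitlines(), 1):
        s = raw.strip()
        if not s or s.startswith("#"):
            continue                      # blank or whole-line comment
        if CLOSE_RE.match(s):
            clause, arg, children, opened = stack.pop()
            if clause == "AuthBy" and arg == "GROUP" and children == 1:
                findings.append((opened, "AuthBy GROUP wraps a single AuthBy; drop the GROUP"))
        elif m := OPEN_RE.match(s):
            clause, arg = m.group(1), (m.group(2) or "").strip()
            if clause == "AuthBy" and stack and stack[-1][:2] == ["AuthBy", "GROUP"]:
                stack[-1][2] += 1         # count AuthBy clauses inside a GROUP
            stack.append([clause, arg, 0, n])
        elif "#" in s:
            name, value = param_value(s)
            findings.append((n, f"{name} value would be {value!r}; move the comment to its own line"))
    return findings

if __name__ == "__main__":
    for lineno, msg in lint(SAMPLE):
        print(f"line {lineno}: {msg}")
```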
On 11 Mar 2005, at 18:38, Kliger, Sean C wrote:
> Hello--
>
> We have a Cisco VPN3030 for which I'd like users to authenticate to our
> Radius on Windows server (2003). We've come up with a sample config snippet
> (below) and I'm wondering if one of you all would look it over and let me
> know if it looks reasonable. Unfortunately, we don't have a test VPN box so
> I'll need to do this during a maintenance window and would like to get lined
> up so as not to incur multiple outages.
>
> ...
> <Client IP address here>
> Identifier CF-VPN-PUB #vpn client authentication requests
> from cf-vpn can come
> #either public or private interfaces
> Secret xxx
> </Client>
>
> <Client IP address here>
> Identifier CF-VPN-PRI #vpn client authentication requests
> from cf-vpn can come
> #either public or private interfaces
> Secret xxx
> </Client>
>
> <Handler Client-Identifier = CF-VPN-PUB>
>
> <AuthBy GROUP>
>
> <AuthBy LSA>
>
> Group VPNSW # Active Directory group
> DomainController xxx
>
> </AuthBy>
>
> </AuthBy>
>
> AcctLogFileName %L/detail
> AuthLog remoteaccess-authlog
>
> </Handler>
>
> <Handler Client-Identifier = CF-VPN-PRI>
>
> <AuthBy GROUP>
>
> <AuthBy LSA>
>
> Group VPNSW # Active Directory group
> DomainController xxx
>
> </AuthBy>
>
> </AuthBy>
>
> AcctLogFileName %L/detail
> AuthLog remoteaccess-authlog
>
> </Handler>
> ...
>
>
> --Sean
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
>
NB: I am travelling this week, so there may be delays in our
correspondence.
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.