Configuring Radius Authentication for VPN on Cisco Pix

Cisco Secure PIX Firewall 6.x and Cisco VPN Client 3.5 for Windows with Microsoft Windows 2000 and 2003 IAS RADIUS Authentication

Configuring the PIX Firewall

PIX Firewall
pixfirewall(config)# write terminal
Building configuration...
: Saved
:
PIX Version 6.1(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
!--- Issue the access-list command to avoid
!--- Network Address Translation (NAT) on the IPSec packets.
access-list 101 permit ip
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside
ip address inside
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool
pdm history enable
arp timeout 14400
global (outside) 1
!--- Binding access list 101 to the NAT statement to avoid
!--- NAT on the IPSec packets.
nat (inside) 0 access-list 101
nat (inside) 1 0 0
route outside 1
route inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
!--- Enable access to the TACACS+ and RADIUS protocols.
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
!--- Associate the partnerauth protocol to RADIUS.
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host cisco123 timeout 5
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
!--- Tell PIX to implicitly permit IPSec traffic.
sysopt connection permit-ipsec
no sysopt route dnat
!--- Configure a transform set that defines how the traffic will be protected.
crypto ipsec transform-set myset esp-des esp-md5-hmac
!--- Create a dynamic crypto map and specify which
!--- transform sets are allowed for this dynamic crypto map entry.
crypto dynamic-map dynmap 10 set transform-set myset
!--- Add the dynamic crypto map set into a static crypto map set.
crypto map mymap 10 ipsec-isakmp dynamic dynmap
!--- Enable the PIX to launch the Xauth application on the VPN Client.
crypto map mymap client authentication partnerauth
!--- Apply the crypto map to the outside interface.
crypto map mymap interface outside
!--- IKE Policy Configuration.
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
!--- IPSec group configuration for VPN Client.
vpngroup vpn3000 address-pool ippool
vpngroup vpn3000 dns-server
vpngroup vpn3000 wins-server
vpngroup vpn3000 default-domain cisco.com
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:3f9e31533911b8a6bb5c0f06900c2dbc
: end
[OK]
pixfirewall(config)#

Configuring the Microsoft Windows 2000 Server with IAS

Follow these steps to configure Microsoft Windows 2000 server with IAS. This is a very basic setup to use a Windows 2000 IAS server for RADIUS authentication of VPN users. If you require a more complex design, please contact Microsoft for assistance.

Note: These steps assume that IAS has already been installed on the local machine. If not, please add this through Control Panel > Add/Remove Programs.

  1. Launch the Microsoft Management Console by going to Start > Run and typing mmc and then clicking OK.
  2. To add the IAS service to this console, go to Console > Add Remove Snap-In….
  3. Click Add. This will launch a new window with all of the available standalone snap-ins. Click Internet Authentication Service (IAS) and click Add.
  4. Make sure Local Computer is selected and click Finish. Then click Close.
  5. Notice that IAS is now added. Click OK to see that it has been added to the Console Root.


  6. Expand the Internet Authentication Service and right-click on Clients. Click New Client and input a name. The choice of name really does not matter; it will be what you see in this view. Make sure to select RADIUS and click Next.
  7. Fill in the Client address with the PIX interface address that the IAS server is connected to. Make sure to select RADIUS Standard and add the shared secret to match the command you entered on the PIX:
    aaa-server partnerauth (inside) host cisco123 timeout 5

    Note: In this example, “cisco123” is the shared secret.


  8. Click Finish to return to the Console Root.
  9. Click Remote Access Policies in the left pane and double-click the policy labeled Allow access if dial-in permission is enabled.
  10. Click Edit Profile and go to the Authentication tab. Under Authentication Methods, make sure only Unencrypted Authentication (PAP, SPAP) is checked.

    Note: The VPN Client can only use this method for authentication.


  11. Click Apply and then OK twice.
  12. To modify the users to allow connection, go to Console > Add/Remove Snap-in. Click Add and then select the Local Users and Groups snap-in. Click Add. Make sure to select Local Computer and click Finish. Click OK.
  13. Expand Local Users and Groups and click the Users folder in the left pane. In the right pane, double-click the user you want to allow access.
  14. Click the Dial-in tab and select Allow Access under Remote Access Permission (Dial-in or VPN).


  15. Click Apply and OK to complete the action. You can close the Console Management screen and save the session, if desired.
  16. The users that you modified should now be able to access the PIX with the VPN Client 3.5. Please keep in mind that the IAS server only authenticates the user information. The PIX still does the group authentication.

Configuring the Microsoft Windows 2003 Server with IAS

Follow these steps to configure Microsoft Windows 2003 server with IAS.

Note: These steps assume that IAS has already been installed on the local machine. If not, please add this through Control Panel > Add/Remove Programs.

  1. Go to Administrative Tools > Internet Authentication Service and right-click on RADIUS Clients to add a new RADIUS client. When you have typed the client information, click OK.

    The example below shows a client named “Pix” with its IP address; Client-Vendor is set to RADIUS Standard, and the shared secret is “cisco123”.


  2. Go to Remote Access Policies, right-click on Connections to Other Access Servers, and select Properties.
  3. Ensure that the option for Grant Remote Access Permissions is selected.
  4. Click Edit Profile and check the following settings.
    • On the Authentication tab, check Unencrypted authentication (PAP, SPAP).
    • On the Encryption tab, ensure that the option for No Encryption is selected.

    Click OK when you are finished.


  5. Add a user into the local computer account by going to Administrative Tools > Computer Management > System Tools > Local Users and Groups. Right-click on Users and select New User.
  6. Add the user with the password “cisco123” and check the following profile information.
    • On the General tab, ensure that the option for Password Never Expires is selected instead of the option for User Must Change Password.
    • On the Dial-in tab, select the option for Allow access (or leave default setting of Control access through Remote Access Policy).

    Click OK when you are finished.
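Both procedures above leave only Unencrypted Authentication (PAP, SPAP) enabled and rely on the shared secret entered on the IAS side matching the PIX aaa-server line. The Python model below is an added example, not Cisco's or Microsoft's code: it builds the PIX-side Access-Request with the PAP password hidden as RFC 2865 prescribes, answers it the way the IAS side would, and checks the Response Authenticator on the reply. The user name, password, NAS address and Request Authenticator values are constructed; only the secret cisco123 comes from the page.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types used here (RFC 2865).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def _attribute(attr_type, value):
    """Encode one attribute as Type(1) Length(1) Value; RADIUS limits the value to 253 bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, 2 + len(value)]) + value


def parse_attributes(packet):
    """Return {type: value} for the attributes that follow the 20-byte header."""
    attrs, pos = {}, 20
    while pos < len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return attrs


def hide_password(password, secret, request_authenticator):
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block).
    The first 'previous block' is the Request Authenticator, so the hiding is only as strong
    as the secret and the unpredictability of that authenticator."""
    if len(password) > 128:
        raise ValueError("PAP password longer than 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        hidden += block
        prev = block
    return hidden


def unhide_password(hidden, secret, request_authenticator):
    """Server side: reverse hide_password and strip the NUL padding."""
    plain, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        plain += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return plain.rstrip(b"\x00")


def build_access_request(identifier, username, password, secret, nas_ip, authenticator=None):
    """NAS (PIX) side: Access-Request with a fresh random Request Authenticator."""
    authenticator = authenticator or os.urandom(16)
    attrs = (_attribute(USER_NAME, username)
             + _attribute(USER_PASSWORD, hide_password(password, secret, authenticator))
             + _attribute(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def handle_request(request, secret, users):
    """Server (IAS) side: recover the PAP password, check it, answer Accept or Reject.
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    attrs = parse_attributes(request)
    password = unhide_password(attrs[USER_PASSWORD], secret, request[4:20])
    ok = hmac.compare_digest(users.get(attrs.get(USER_NAME), b"\x00"), password)
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    header = struct.pack("!BBH", code, request[1], 20)     # no attributes in this reply
    response_auth = hashlib.md5(header + request[4:20] + secret).digest()
    return header + response_auth


def verify_response(response, request, secret):
    """NAS side: a reply is trusted only if its Identifier matches the outstanding request
    and its Response Authenticator recomputes with the shared secret; anything else is dropped."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    secret = b"cisco123"                          # shared secret from the page's aaa-server line
    users = {b"vpnuser": b"Correct-Horse-9"}     # constructed IAS account
    req = build_access_request(1, b"vpnuser", b"Correct-Horse-9", secret, "10.1.1.1")
    resp = handle_request(req, secret, users)
    print("code", resp[0], "authentic", verify_response(resp, req, secret))
```

The password hiding is an MD5 keystream derived from the secret and the Request Authenticator, not encryption in the modern sense, which is why the secret should be long and random and the RADIUS path between the PIX inside interface and the IAS server should stay on a trusted segment. A reply whose Response Authenticator does not recompute must be discarded rather than acted on.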



This section provides information you can use to confirm your configuration is working properly.

Certain show commands are supported by the Output Interpreter Tool, which allows you to view an analysis of show command output.

  • show crypto isakmp sa – View all current IKE security associations (SAs) at a peer.
  • show crypto ipsec sa – View the settings used by current security associations.


This section provides information you can use to troubleshoot your configuration. For additional information, refer to Troubleshooting the PIX to Pass Data Traffic on an Established IPSec Tunnel.

Troubleshooting Commands

Certain commands are supported by the Output Interpreter Tool, which allows you to view an analysis of show command output.

Note: Before issuing debug commands, please see Important Information on Debug Commands and IP Security Troubleshooting – Understanding and Using debug Commands.

  • debug crypto ipsec – View the IPSec negotiations of phase 2.
  • debug crypto isakmp – View the ISAKMP negotiations of phase 1.
  • debug crypto engine – View the traffic that is encrypted.


Variables in Batch Files

Windows NT 4/Windows 2000 Syntax

Note: The parts of this text that are displayed in magenta are valid for Windows 2000 only.


Displays, sets, or removes cmd.exe environment variables.

    SET [variable=[string]]

    variable   Specifies the environment-variable name.
    string     Specifies a series of characters to assign to the variable.

Type SET without parameters to display the current environment variables.

If Command Extensions are enabled, SET changes as follows:

The SET command invoked with just a variable name, with no equal sign or value, displays the value of all variables whose prefix matches the name given to the SET command. For example:

    SET P

would display all variables that begin with the letter ‘P’.

The SET command sets the ERRORLEVEL to 1 if the variable name is not found in the current environment.

The SET command does not allow an equal sign (=) to be part of the name of a variable.
However, it does allow an equal sign in the value of an environment variable in any position other than the first character.

One new switch has been added to the SET command in Windows NT 4, and another one in Windows 2000:

    SET /A expression
    SET /P variable=[promptString]

The /A switch specifies that the string to the right of the equal sign is a numerical expression that is evaluated. The expression evaluator is pretty simple and supports the following operations, in decreasing order of precedence:

    ()                                  - grouping
    * / %                               - arithmetic operators
    + -                                 - arithmetic operators
    << >>                               - logical shift
    &                                   - bitwise and
    ^                                   - bitwise exclusive or
    |                                   - bitwise or
    = *= /= %= += -= &= ^= |= <<= >>=   - assignment
    ,                                   - expression separator

If you use any of the logical or modulus operators, you will need to enclose the expression string in quotes. Any non-numeric strings in the expression are treated as environment variable names whose values are converted to numbers before using them. If an environment variable name is specified but is not defined in the current environment, then a value of zero is used. This allows you to do arithmetic with environment variable values without having to type all those % signs to get their values. If SET /A is executed from the command line outside of a command script, then it displays the final value of the expression. The assignment operator requires an environment variable name to the left of the assignment operator.

Numeric values are decimal numbers, unless prefixed by 0x for hexadecimal numbers, 0b for binary numbers and 0 for octal numbers. So 0x12 is the same as 0b10010 is the same as 022. Please note that the octal notation can be confusing: 08 and 09 are not valid numbers because 8 and 9 are not valid octal digits.

The /P switch allows you to set the value of a variable to a line of input entered by the user. It displays the specified promptString before reading the line of input. The promptString can be empty.

Environment variable substitution has been enhanced as follows:

    %PATH:str1=str2%

would expand the PATH environment variable, substituting each occurrence of "str1" in the expanded result with "str2". "str2" can be the empty string to effectively delete all occurrences of "str1" from the expanded output. "str1" can begin with an asterisk, in which case it will match everything from the beginning of the expanded output to the first occurrence of the remaining portion of str1.

You may also specify substrings for an expansion.

    %PATH:~10,5%

would expand the PATH environment variable, and then use only the 5 characters that begin at the 11th (offset 10) character of the expanded result.
If the length is not specified, then it defaults to the remainder of the variable value.
If either number (offset or length) is negative, then the number used is the length of the environment variable value added to the offset or length specified.

    %PATH:~-10%

would extract the last 10 characters of the PATH variable.

    %PATH:~0,-2%

would extract all but the last 2 characters of the PATH variable.
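The substring and substitution rules just described, including negative offsets, negative lengths and the asterisk form, as a small Python model of cmd's expansion. This is an added example, not part of the original help text: it parses the cmd syntax `%VAR:str1=str2%` and `%VAR:~offset,length%` (plus plain `%VAR%` and the `%%` literal), the PATH value it runs against is constructed, and undefined names expand to nothing as they do inside a batch file.

```python
import re

# One %NAME%, %NAME:~off[,len]%, %NAME:str1=str2% reference, or a literal %%.
_REF = re.compile(r"%%|%([A-Za-z_][A-Za-z0-9_]*)(?::(.*?))?%")


def substring(value, offset, length=None):
    """cmd's %VAR:~offset,length%: a negative offset counts back from the end (clamped to 0);
    a negative length means 'stop that many characters before the end'."""
    n = len(value)
    start = max(n + offset, 0) if offset < 0 else offset
    if length is None:
        end = n
    elif length < 0:
        end = n + length
    else:
        end = start + length
    return value[start:end] if end > start else ""


def substitute(value, needle, replacement):
    """cmd's %VAR:str1=str2%: replace every occurrence, case-insensitively; an empty str2 deletes.
    A leading '*' on str1 replaces everything up to and including its first occurrence."""
    if needle.startswith("*"):
        needle = needle[1:]
        idx = value.lower().find(needle.lower()) if needle else -1
        return value if idx < 0 else replacement + value[idx + len(needle):]
    if not needle:
        return value
    return re.sub(re.escape(needle), lambda _m: replacement, value, flags=re.IGNORECASE)


def expand(text, env):
    """Expand cmd-style references in text. Names are case-insensitive and, as inside a
    batch file, an undefined variable expands to the empty string."""
    table = {k.upper(): v for k, v in env.items()}

    def replace(match):
        if match.group(0) == "%%":
            return "%"
        value = table.get(match.group(1).upper(), "")
        modifier = match.group(2)
        if modifier is None:
            return value
        if modifier.startswith("~"):
            parts = modifier[1:].split(",", 1)
            offset = int(parts[0] or 0)
            length = int(parts[1]) if len(parts) == 2 else None
            return substring(value, offset, length)
        if "=" in modifier:
            needle, replacement = modifier.split("=", 1)
            return substitute(value, needle, replacement)
        return match.group(0)      # unknown modifier: leave the reference untouched

    return _REF.sub(replace, text)


if __name__ == "__main__":
    sample_env = {"PATH": r"C:\Windows;C:\Windows\System32;C:\Tools"}   # constructed value
    for ref in ("%PATH:~10,5%", "%PATH:~-8%", "%PATH:~0,-8%",
                "%PATH:Windows=WINNT%", "%PATH:*System32;=%"):
        print(ref, "->", expand(ref, sample_env))
```

Run it against a real PATH-like string and compare with cmd's own output to see where the clamping of negative offsets and the "stop before the end" meaning of a negative length differ from ordinary slicing.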

Finally, support for delayed environment variable expansion has been added. This support is always disabled by default, but may be enabled/disabled via the /V command line switch to CMD.EXE. See CMD /?

Delayed environment variable expansion is useful for getting around the limitations of the current expansion which happens when a line of text is read, not when it is executed.
The following example demonstrates the problem with immediate variable expansion:

    set VAR=before
    if "%VAR%" == "before" (
        set VAR=after
        if "%VAR%" == "after" @echo If you see this, it worked
    )

would never display the message, since the %VAR% in BOTH IF statements is substituted when the first IF statement is read, since it logically includes the body of the IF, which is a compound statement.
So the IF inside the compound statement is really comparing "before" with "after" which will never be equal.
Similarly, the following example will not work as expected:

    set LIST=
    for %i in (*) do set LIST=%LIST% %i
    echo %LIST%

in that it will NOT build up a list of files in the current directory, but instead will just set the LIST variable to the last file found.
Again, this is because the %LIST% is expanded just once when the FOR statement is read, and at that time the LIST variable is empty.
So the actual FOR loop we are executing is:

for %i in (*) do set LIST= %i

which just keeps setting LIST to the last file found.

Delayed environment variable expansion allows you to use a different character (the exclamation mark) to expand environment variables at execution time.
If delayed variable expansion is enabled, the above examples could be written as follows to work as intended:

    set VAR=before
    if "%VAR%" == "before" (
        set VAR=after
        if "!VAR!" == "after" @echo If you see this, it worked
    )

    set LIST=
    for %i in (*) do set LIST=!LIST! %i
    echo %LIST%

If Command Extensions are enabled, then there are several dynamic environment variables that can be expanded but which don't show up in the list of variables displayed by SET.
These variable values are computed dynamically each time the value of the variable is expanded.
If the user explicitly defines a variable with one of these names, then that definition will override the dynamic one described below:

    %CD%             - expands to the current directory string.
    %DATE%           - expands to the current date using the same format as the DATE command.
    %TIME%           - expands to the current time using the same format as the TIME command.
    %RANDOM%         - expands to a random decimal number between 0 and 32767.
    %ERRORLEVEL%     - expands to the current ERRORLEVEL value.
    %CMDEXTVERSION%  - expands to the current Command Processor Extensions version number.
    %CMDCMDLINE%     - expands to the original command line that invoked the Command Processor.



Warning note: A note on NT 4's SET /A switch from Walter Zackery in a message on alt.msdos.batch.nt:
  "The SET /A command has a long list of problems. I wouldn't use it for much more than simple arithmetic, although even then it truncates all answers to integers."


On the other hand, limited though it may seem, the SET command's math function can even be used for a complex task like calculating the date of Easter Day for any year.


Creating a Client VPN Policy

!--- Access list for NAT 0

access-list NAT-0-INSIDE remark No address translation for the VPN connections to the local LAN
access-list NAT-0-INSIDE permit ip

!--- Access list for VPN clients to inside

access-list OUTSIDE-IN permit ip

!--- Set up the address pool for clients

ip local pool VPNPOOL1

!--- No NAT from VPN to inside

nat (inside) 0 access-list NAT-0-INSIDE

!--- Authentication

aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server RADIUS (inside) host [Radius Server] [Radius Session Key] timeout 5
aaa-server LOCAL protocol local

!--- Configure a transform set that defines how the traffic will be protected.

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

!--- Create a dynamic crypto map and specify which
!--- transform sets are allowed for this dynamic crypto map entry.

crypto dynamic-map VPNUSERSZONE 10 set transform-set ESP-3DES-MD5

!--- Add the dynamic crypto map set into a static crypto map set.

crypto map VPNZONE 10 ipsec-isakmp dynamic VPNUSERSZONE

!--- Let the PIX both initiate and respond to IKE Mode Config, which hands the client its pool address.

crypto map VPNZONE client configuration address initiate
crypto map VPNZONE client configuration address respond

!--- Enable the PIX to launch the Xauth application on the VPN Client.
!--- Xauth here checks the LOCAL user database; name the RADIUS aaa-server tag instead to authenticate users against the RADIUS server defined above.

crypto map VPNZONE client authentication LOCAL

!--- Apply the crypto map to the outside interface.

crypto map VPNZONE interface outside

!--- IKE Policy Configuration.

isakmp enable outside
isakmp identity address
isakmp client configuration address-pool local VPNPOOL1 outside
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

!--- IPSec group configuration for VPN Client.

vpngroup VPNCLIENTS1 address-pool VPNPOOL1
vpngroup VPNCLIENTS1 dns-server
vpngroup VPNCLIENTS1 default-domain
vpngroup VPNCLIENTS1 idle-time 1800
vpngroup VPNCLIENTS1 password 1234567890
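A review pass over both configurations on this page (the PIX 6.1(1) dump at the top and the client VPN policy just above), written here as an added Python script that is neither Cisco's code nor a tool the page mentions. It parses excerpts of the two configurations and lists what a reviewer would raise: DES and MD5 in the transform set and IKE policy, DH group 2, the default SNMP community, a group pre-shared key left in clear text, a missing isakmp nat-traversal, and Xauth bound to LOCAL while a RADIUS server is defined. The server address 192.0.2.10 and RADIUS_KEY_PLACEHOLDER are constructed stand-ins for values the page does not give, and the weak-algorithm thresholds are this script's own.

```python
# Review thresholds used by this audit (the assessment criteria are ours, not the page's).
WEAK_ENCRYPTION = {"des"}          # single DES, as a transform or IKE cipher
WEAK_HASH = {"md5"}
WEAK_DH_GROUPS = {"1", "2"}

# Excerpt of the page's first PIX 6.1(1) configuration: DES/MD5, Xauth against RADIUS "partnerauth".
# The RADIUS server address is not on the page; 192.0.2.10 is a constructed placeholder.
CONFIG_PIX_61 = """
aaa-server RADIUS protocol radius
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host 192.0.2.10 cisco123 timeout 5
snmp-server community public
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map mymap client authentication partnerauth
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
vpngroup vpn3000 password ********
"""

# Excerpt of the page's "Creating a Client VPN Policy" configuration: 3DES/MD5, NAT-T, Xauth against LOCAL.
CONFIG_VPNZONE = """
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.0.2.10 RADIUS_KEY_PLACEHOLDER timeout 5
aaa-server LOCAL protocol local
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map VPNZONE client authentication LOCAL
isakmp nat-traversal 20
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
vpngroup VPNCLIENTS1 password 1234567890
"""


def audit(config_text):
    """Return the list of review findings for one PIX configuration dump."""
    findings = []
    server_protocols = {}   # aaa-server tag -> protocol
    xauth_servers = []      # tags named in 'crypto map ... client authentication'
    nat_traversal = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue                      # skip blanks and '!---' comments
        words = line.split()
        if words[0] == "aaa-server" and "protocol" in words:
            server_protocols[words[1]] = words[words.index("protocol") + 1]
        elif words[0] == "aaa-server" and "host" in words:
            iface = words[2].strip("()")  # aaa-server TAG (iface) host ADDR KEY timeout N
            if iface != "inside":
                findings.append(f"aaa-server {words[1]}: RADIUS traffic leaves via '{iface}', not the inside interface")
        elif line.startswith("crypto ipsec transform-set"):
            for transform in words[4:]:   # esp-des / esp-md5-hmac -> des / md5
                alg = transform.replace("esp-", "").replace("-hmac", "")
                if alg in WEAK_ENCRYPTION:
                    findings.append(f"transform-set {words[3]}: {transform} is weak encryption")
                if alg in WEAK_HASH:
                    findings.append(f"transform-set {words[3]}: {transform} is a weak integrity algorithm")
        elif line.startswith("crypto map") and "client authentication" in line:
            xauth_servers.append(words[-1])
        elif line.startswith("isakmp policy") and len(words) >= 5:
            setting, value = words[3], words[4]
            if setting == "encryption" and value in WEAK_ENCRYPTION:
                findings.append(f"isakmp policy {words[2]}: encryption {value} is weak")
            elif setting == "hash" and value in WEAK_HASH:
                findings.append(f"isakmp policy {words[2]}: hash {value} is weak")
            elif setting == "group" and value in WEAK_DH_GROUPS:
                findings.append(f"isakmp policy {words[2]}: DH group {value} is weak")
        elif line.startswith("isakmp nat-traversal"):
            nat_traversal = True
        elif line.startswith("snmp-server community") and words[2] in ("public", "private"):
            findings.append(f"snmp-server: default community string '{words[2]}'")
        elif words[0] == "vpngroup" and len(words) > 3 and words[2] == "password" and words[3] != "********":
            findings.append(f"vpngroup {words[1]}: group pre-shared key stored in clear text in this dump")
    for tag in xauth_servers:
        proto = server_protocols.get(tag)
        if proto == "local" and "radius" in server_protocols.values():
            findings.append(f"Xauth uses '{tag}' (local database) although a RADIUS aaa-server is defined")
        elif proto is None:
            findings.append(f"Xauth references aaa-server '{tag}' that is not defined")
    if not nat_traversal:
        findings.append("isakmp nat-traversal not enabled: clients behind NAT will not connect")
    return findings


if __name__ == "__main__":
    for name, cfg in (("PIX 6.1(1)", CONFIG_PIX_61), ("VPNZONE policy", CONFIG_VPNZONE)):
        print(name)
        for finding in audit(cfg):
            print("  -", finding)
```

Feed it a full `write terminal` capture rather than an excerpt and the same checks apply; the parser ignores comment lines and everything it does not recognise, so unrelated commands do not produce noise.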


Miscellaneous Batch Scripting

@ In DOS version 3.3 and later, hides the echo of a batch command. Any output generated by the command is echoed. The at-sign can be prefixed to any DOS command, program name, or batch file name within a batch file.

    examples @ {Separates sections of the batch file without displaying the DOS prompt.}

@echo OFF {Hides the echo off report.}
%DIGIT Replaceable batch parameters which are defined by the user when the batch is executed. The parameters are separated by spaces, commas, or semicolons.

%digit {Digit: any digit from 0 to 9. %0 has the value of the batch command as it appears on the command line when the batch is executed. %1 represents the first string typed after the batch command. Each occurrence of %digit is replaced by the corresponding string from the batch command line.}
    examples MYBATCH DOC A:
COPY *.%1 %2
{Copies all .DOC files in the default directory to drive A:}
%VARIABLE% Replaces the DOS environment variable name with its environment value.

%variable% {Variable: a string of uppercase characters in the environment associated with a string value. Variable is created in the environment by using SET.}
    examples %PATH% {Returns the value of PATH, the current search path, which is executable.}

echo %PATH% {Displays the value of PATH, the current search path.}

%PROMPT% {Returns the value of PROMPT, the current prompt string, which is executable.}

echo %PROMPT% {Displays the value of PROMPT, the current prompt string.}

echo The current search path is: %PATH% {Displays the message including the current search path.}

set USER=John
if %USER%==John goto LABEL
{Since the value of USER does equal “John”, control is transferred to the label, LABEL.}
CALL Loads and executes a batch file from within a batch file as if it were an external command. When the second batch file completes, control is returned to the calling file.

call [drive:][path]filename [batch-parameters]
Before DOS version 3.3:
command /c [drive:][path]filename [batch-parameters]
CLS Clears the video display screen, setting the cursor in the upper left-hand corner.

ECHO Controls whether commands and comments within a batch file are displayed.

echo [ON|OFF|message|.]
    examples echo {Displays echo status}

echo ON {Restores normal display activity.}

echo OFF {Halts display of DOS prompt and commands.}

echo Processing… {Displays “Processing…” on the screen.}

echo %USER% {Displays the value of USER on the screen.}

echo. {Displays a single blank line on the screen.}

echo ^L > prn {Sends an ASCII control-code (form feed) to the printer. Press <Ctrl> plus <L> to type the ^L character.}

echo Y|Del *.* {Answers the DEL “Are you sure” question automatically.}
FOR Repeats the operation of a DOS command for each member of a list. Use CALL to execute a batch file as a command.

for %%argument in (list) do command {Argument: any letter from A to Z. List: a sequence of strings separated by spaces or commas. Wildcards are allowed.}
    examples for %%d in (A,C,D) do DIR %%d *.* {Displays the directories of drives A, C, and D sequentially.}

for %%f in (*.TXT *.BAT *.DOC) do TYPE %%f {Types the contents of all .TXT, .BAT, and .DOC files in the current default directory.}

for %%P in (%PATH%) do if exist %%P\*.BAT COPY %%P\*.BAT C:\BAT {Copies all batch files which exist in any directory on the DOS command search path into the directory C:\BAT.}

for %%f in (*.PAS) do call compile %%f {Compiles all .PAS files in the current default directory.}
GOTO Transfers control within a batch file to a line identified by a label. The label must be of the form “:LABEL“.

goto LABEL
IF Tests a condition and executes a command only if the condition is TRUE. But if the NOT modifier is present, the command will be executed only if the condition is FALSE.

if [not] condition command {Condition: errorlevel number; string1==string2; or exist filename. Command: any DOS command, batch command, batch file name, or program name.}
    examples if [not] errorlevel number command {Errorlevel: an exit code returned by a program or an external command. The following DOS commands return an exit code: BACKUP, RESTORE, FORMAT, REPLACE, and XCOPY. Number: a numerical value (integer) against which the exit code is compared. The condition is TRUE if the exit code returned by the previous program is greater than or equal to number. The condition is FALSE if the exit code is less than number.}

BACKUP C:*.* A: /s
if errorlevel 3 goto TROUBLE
{If the BACKUP command exits with a code of 3 or higher, control will be transferred to the label TROUBLE.}

if errorlevel 3 if not errorlevel 4 echo ERROR #3 occurred
if errorlevel 4 if not errorlevel 5 echo ERROR #4 occurred
{Nested if statements that determine the exact error number.}

if [not] string1==string2 command {The condition is TRUE if both strings are identical. The comparison is case sensitive. If either string is blank, a syntax error occurs.}

if (%1)==(LTRS) CD C:\WORD\LTRS {If the first parameter is LTRS, then change directory to LTRS.}

if "%1"=="" goto ERROR {If there is no parameter, then control is transferred to label ERROR.}

if not %2X==X DIR %2\*.* {If there is a second parameter, then display all the files contained in the directory %2.}

if not "%3"=="" if not "%3"=="b" if not "%3"=="B" goto BADPARAM {If there is a third parameter and it is anything other than b or B, then go to label BADPARAM.}

if [not] exist filename command {The condition is TRUE if filename can be located. The filename can include drive and path specifications. Wildcards are allowed.}

if exist D:\%1\nul CD %1 {Tests for the existence of directory %1 even if it contains no files, then changes to that directory if it exists.}

if not exist A:\FLASH.EXE COPY C:\PROJECTS\FLASH.EXE A: {Copies FLASH.EXE to drive A, but only if it doesn’t exist there already.}
PAUSE Pauses the running of a batch file and displays the message “Press any key to continue …” on the screen. If the optional message is included, it will be displayed first. Use pause to optionally terminate the batch file with <Ctrl-Break> at a safe place. The optional message is not displayed when echo is OFF, so the message must be echoed on the preceding line.

pause [message]
    examples pause {Displays “Press any key to continue …”.}

pause < nul {Waits with no comment.}

pause Do you want to continue? {Displays “Do you want to continue?” with “Press any key to continue …” on the next line.}
REM Adds remarks to a batch file.

rem [remark]
    examples @rem {Hides the remark from display.}
SET Set will view the DOS environment or create, change, or delete environment values.

set [variable=[value]] {Variable: a string of characters, unbroken by spaces, which are converted to uppercase letters in the environment. Value: a string of characters, case specific, associated with variable.}
    examples set {Display the entire DOS environment.}

set USER=John {Sets the value of USER to the string, “John”.}

set USER= {Removes USER from the environment.}

set PATH=C:\;C:\DOS {Sets C:\;C:\DOS as the current search path.}

set PATH=%PATH%;C:\TEST {Appends ;C:\TEST to the current search path.}
SHIFT Shifts any parameter on the command line one position to the left. Use SHIFT to refer to multiple parameters by one name or to use more than ten parameters on a single command line.

    examples :LOOP
COPY %1 A:
shift
if not (%1)==() goto LOOP
{Beginning with the first parameter, all the parameters listed on the command line are iterated and a file, the value of the parameter, is copied to A:. Without the shift the loop would copy the first parameter forever.}

command > nul {Redirects command output to oblivion.}

command > file {Redirects command output to file.}

command >> file {Appends command output to file.}

command < file {Redirects file output to command.}

PATH {Displays “PATH=” followed by the value of PATH, the current search path.}

PATH directories {Sets directories as the current search path.}

PATH = directories {Sets directories as the current search path.}

PATH; {Disables extended command searching and confines the searching to the default directory.}

PROMPT {Resets the prompt string to its default, $n$g.}

CD {Displays the current directory and its path.}

. {Represents the default directory (if PATH=D:\;C:\SYS;C:. then the current directory will be searched after D:\ and C:\SYS).}

.. {Represents the parent of the default directory (C:\TOOLS\WP\LTRS.DOC is the same as ..\WP\LTRS.DOC).}

%% {A literal “%”.}
Manipulating Registry from a Batch file

REGEDIT /S addsome.REG                  Adds registry settings from a file

REGEDIT /E d:\path\filename.REG "HKEY_XXXX\Whatever Key"   Exports a registry hive to a file

Example of a registry import file

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

Deleting a registry key

[-HKEY_CURRENT_USER\DummyTree]      Deletes the entire tree DummyTree

[HKEY_CURRENT_USER\DummyTree]
"ValueToBeRemoved"=-                Deletes ValueToBeRemoved from DummyTree


Enable SSH

On Cisco Pix

hostname host

ssh <ip> <mask> outside
ssh <ip> <mask> inside
ssh timeout 30

ca generate rsa key 1024
show ca mypubkey rsa
ca save all

On Cisco ASA

hostname host

ssh <ip> <mask> outside
ssh <ip> <mask> inside
ssh timeout 30

crypto key generate rsa modulus 1024