Configuring Radius Authentication for VPN on Cisco Pix

Cisco Secure PIX Firewall 6.x and Cisco VPN Client 3.5 for Windows with Microsoft Windows 2000 and 2003 IAS RADIUS Authentication

Configuring the PIX Firewall

PIX Firewall
pixfirewall(config)# write terminalBuilding configuration...: Saved:PIX Version 6.1(1)nameif ethernet0 outside security0nameif ethernet1 inside security100enable password 8Ry2YjIyt7RRXU24 encryptedpasswd 2KFQnbNIdI.2KYOU encryptedhostname pixfirewallfixup protocol ftp 21fixup protocol http 80fixup protocol h323 1720fixup protocol rsh 514fixup protocol rtsp 554fixup protocol smtp 25fixup protocol sqlnet 1521fixup protocol sip 5060fixup protocol skinny 2000names!--- Issue the access-list command to avoid !--- Network Address Translation (NAT) on the IPSec packets.access-list 101 permit ip pager lines 24interface ethernet0 autointerface ethernet1 automtu outside 1500mtu inside 1500ip address outside address inside audit info action alarmip audit attack action alarmip local pool ippool history enablearp timeout 14400global (outside) 1!--- Binding access list 101 to the NAT statement to avoid !--- NAT on the IPSec packets.nat (inside) 0 access-list 101Nat (inside) 1 0 0route outside 1route inside xlate 3:00:00timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00timeout uauth 0:05:00 absolute!--- Enable access to the TACACS+ and RADIUS TACACS+ protocol tacacs+ aaa-server RADIUS protocol radius !--- Associate the partnerauth protocol to partnerauth protocol radius aaa-server partnerauth (inside) host cisco123timeout 5no snmp-server locationno snmp-server contactsnmp-server community publicno snmp-server enable trapsfloodguard enable!--- Tell PIX to implicitly permit IPSec traffic.sysopt connection permit-ipsecno sysopt route dnat!--- Configure a transform set that defines how the traffic will be protected.crypto ipsec transform-set myset esp-des esp-md5-hmac!--- Create a dynamic crypto map and specify which !--- transform sets are allowed for this dynamic crypto map entry.crypto dynamic-map dynmap 10 set transform-set myset!--- Add the dynamic crypto map set into a static crypto map set.crypto map mymap 10 ipsec-isakmp dynamic dynmap!--- Enable the PIX to launch the Xauth application on the VPN Client.crypto map mymap client authentication partnerauth!--- Apply the crypto map to the outside interface.crypto map mymap interface outside!--- IKE Policy Configuration.isakmp enable outsideisakmp identity addressisakmp policy 10 authentication pre-shareisakmp policy 10 encryption desisakmp policy 10 hash md5isakmp policy 10 group 2isakmp policy 10 lifetime 86400!--- IPSec group configuration for VPN Client.vpngroup vpn3000 address-pool ippoolvpngroup vpn3000 dns-server vpn3000 wins-server vpn3000 default-domain cisco.comvpngroup vpn3000 idle-time 1800vpngroup vpn3000 password ********telnet timeout 5ssh timeout 5terminal width 80Cryptochecksum:3f9e31533911b8a6bb5c0f06900c2dbc: end [OK]pixfirewall(config)#

Configuring the Microsoft Windows 2000 Server with IAS

Follow these steps to configure Microsoft Windows 2000 server with IAS. This is a very basic setup to use a Windows 2000 IAS server for RADIUS authentication of VPN users. If you require a more complex design, please contact Microsoft for assistance.

Note: These steps assume that IAS has already been installed on the local machine. If not, please add this through Control Panel > Add/Remove Programs.

  1. Launch the Microsoft Management Console by going to Start > Run and typing mmc and then clicking OK.
  2. To add the IAS service to this console, go to Console > Add Remove Snap-In….
  3. Click Add. This will launch a new window with all of the available standalone snap-ins. Click Internet Authentication Service (IAS) and click Add.
  4. Make sure Local Computer is selected and click Finish. Then click Close.
  5. Notice that IAS is now added. Click OK to see that it has been added to the Console Root.


  6. Expand the Internet Authentication Service and right-click on Clients. Click New Client and input a name. The choice of name really does not matter; it will be what you see in this view. Make sure to select RADIUS and click Next.
  7. Fill in the Client address with the PIX interface address that the IAS server is connected to. Make sure to select RADIUS Standard and add the shared secret to match the command you entered on the PIX:
    aaa-server partnerauth (inside) host cisco123 timeout 5

    Note: In this example, “cisco123” is the shared secret.


  8. Click Finish to return to the Console Root.
  9. Click Remote Access Policies in the left pane and double-click the policy labeled Allow access if dial-in permission is enabled.
  10. Click Edit Profile and go to the Authentication tab. Under Authentication Methods, make sure only Unencrypted Authentication (PAP, SPAP) is checked.

    Note: The VPN Client can only use this method for authentication.


  11. Click Apply and then OK twice.
  12. To modify the users to allow connection, go to Console > Add/Remove Snap-in. Click Add and then select the Local Users and Groups snap-in. Click Add. Make sure to select Local Computer and click Finish. Click OK.
  13. Expand Local User and Groups and click the Users folder in the left pane. In the right pane, double-click the user you want to allow access.
  14. Click the Dial-in tab and select Allow Access under Remote Access Permission (Dial-in or VPN).


  15. Click Apply and OK to complete the action. You can close the Console Management screen and save the session, if desired.
  16. The users that you modified should now be able to access the PIX with the VPN Client 3.5. Please keep in mind that the IAS server only authenticates the user information. The PIX still does the group authentication.

Configuring the Microsoft Windows 2003 Server with IAS

Follow these steps to configure Microsoft Windows 2003 server with IAS.

Note: These steps assume that IAS has already been installed on the local machine. If not, please add this through Control Panel > Add/Remove Programs.

  1. Go to Administrative Tools > Internet Authentication Service and right-click on RADIUS Client to add a new RADIUS client. When you have typed the client information, click OK.

    The example below shows a client named “Pix” with IP address Client-Vendor is set to RADIUS Standard, and the shared secret is “cisco123.”


  2. Go to Remote Access Policies, right-click on Connections to Other Access Servers, and select Properties.
  3. Ensure that the option for Grant Remote Access Permissions is selected.
  4. Click Edit Profile and check the following settings.
    • On the Authentication tab, check Unencrypted authentication (PAP, SPAP).
    • On the Encryption tab, ensure that the option for No Encryption is selected.

    Click OK when you are finished.


  5. Add a user into the local computer account by going to Administrative Tools > Computer Management > System Tools > Local Users and Groups.. Right-click on Users and select New Users.
  6. Add user with Cisco password “cisco123” and check the following profile information.
    • On the General tab, ensure that the option for Password Never Expired is selected instead of the option for User Must Change Password.
    • On the Dial-in tab, select the option for Allow access (or leave default setting of Control access through Remote Access Policy).

    Click OK when you are finished.



This section provides information you can use to confirm your configuration is working properly.

Certain show commands are supported by the Output Interpreter Tool ( registered customers only) , which allows you to view an analysis of show command output.

  • show crypto isakmp sa – View all current IKE security associations (SAs) at a peer.
  • show crypto ipsec sa – View the settings used by current security associations.


This section provides information you can use to troubleshoot your configuration. For additional information, refer to Troubleshooting the PIX to Pass Data Traffic on an Established IPSec Tunnel.

Troubleshooting Commands

Certain commands are supported by the Output Interpreter Tool ( registered customers only) , which allows you to view an analysis of show command output.

Note: Before issuing debug commands, please see Important Information on Debug Commands and IP Security Troubleshooting – Understanding and Using debug Commands.

  • debug crypto ipsec – View the IPSec negotiations of phase 2.
  • debug crypto isakmp – View the ISAKMP negotiations of phase 1.
  • debug crypto engine – View the traffic that is encrypted.


Leave a Reply