Possible? Same client with separate secrets for service separation?

Burrill, Jim jim at adventistcare.org
Fri Jul 22 05:04:05 CEST 2005

We have a large number of users in an LDAP database and we have successfully
connected FreeRADIUS with it.  We have also been able to connect a specific
client IP address to a specific LDAP group to allow or disallow access to a
specific device based on group membership.  What we have found is that in
the case of the PIX it tends to be all or nothing.  If one can authenticate through
the firewall for VPN purposes, they can also authenticate by SSH for admin
purposes.  Is it possible to configure a Cisco PIX with separate RADIUS
definitions and auth against FreeRADIUS using separate secrets so you can
separate to specific groups?  We've attempted it and it seems to find the
first client on the list and ignores the second.  Any ideas?

The PIX unfortunately does not give any indication of the type of connection through
NAS-Port (on the PIX this is just a session number).  The only hope of separation,
it appears, is through Calling-Station-Id, but that appears to be a real messy

Below is a sample of what we've been attempting to do.

Thanks for any assistance!

Cisco PIX 6.3 Firewall

Pertinent PIX configuration items:
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host secret1 timeout 10

aaa-server RADIUSVPN protocol radius
aaa-server RADIUSVPN (inside) host  secret2 timeout 10

aaa authentication ssh console RADIUS LOCAL

crypto map outside_map client authentication RADIUSVPN

client {
        secret          = secret1
        shortname       = pixssh
        nastype         = Cisco
}

client {
        secret          = secret2
        shortname       = pixvpn
        nastype         = Cisco
}
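
Why the second client entry appears to be ignored, as an added example that is not part of the original post: a RADIUS server chooses the shared secret from the request's source IP address (RFC 2865), so two entries for the same address cannot be told apart, and a request hidden with the other secret decodes to the wrong password. The address 192.0.2.1, the first-match lookup and all function names are assumptions made for illustration.

```python
import hashlib
import os

# Constructed sample data: 192.0.2.1 stands in for the PIX inside address,
# which the post does not show. Secrets and shortnames are from the post.
CLIENTS = [
    {"ip": "192.0.2.1", "secret": b"secret1", "shortname": "pixssh"},
    {"ip": "192.0.2.1", "secret": b"secret2", "shortname": "pixvpn"},
]

def find_client(src_ip, clients=CLIENTS):
    """Pick the client entry by source IP only; first match wins (assumed)."""
    return next((c for c in clients if c["ip"] == src_ip), None)

def _xor_block(block, secret, prev):
    # One 16-byte step of RFC 2865 section 5.2: block XOR MD5(secret + prev)
    return bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))

def hide_password(password, secret, authenticator):
    """What the NAS does: pad to a multiple of 16 bytes, then chain-XOR."""
    size = max(16, (len(password) + 15) // 16 * 16)
    padded = password.ljust(size, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, size, 16):
        prev = _xor_block(padded[i:i + 16], secret, prev)
        out += prev
    return out

def recover_password(hidden, secret, authenticator):
    """What the server does with the secret of the client entry it matched."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += _xor_block(hidden[i:i + 16], secret, prev)
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def server_sees(src_ip, nas_secret, password, authenticator=None):
    """Return (matched shortname, True if the password decoded correctly)."""
    ra = authenticator or os.urandom(16)
    hidden = hide_password(password, nas_secret, ra)
    client = find_client(src_ip)
    recovered = recover_password(hidden, client["secret"], ra)
    return client["shortname"], recovered == password

if __name__ == "__main__":
    # Both PIX aaa-server groups send from the same address.
    print("ssh group:", server_sees("192.0.2.1", b"secret1", b"example-pass"))
    print("vpn group:", server_sees("192.0.2.1", b"secret2", b"example-pass"))
```
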
