VPN 3005 integrated auth with ACS and RSA Server

Answered Question

Hi guys, i have an VPN 3005, using the version 4.7.2.B version, and i have the following problem.

When a remote user using the Cisco VPN client try to connect to the VPN 3005, he must to try twice to authenticate.

At the first try, the user is authenticated, but the connection is inmediatly termined by the peer.

After the secund try, the user is authenticated ok.

I have this problem too.
0 votes
Correct Answer by ggilbert about 9 years 7 months ago

Pablo,

When you use RADIUS authentication on the concentrator, the ACS server will automatically send all the user attributes to the concentrator for the user that is connecting. There is no need to have Authorization to be configured on the RADIUS server.

According to the logs, seems like the IP pool is the problem.

Group [GroupP] User [tuser] Obtained IP addr (192.168.32.128) prior to initiating Mode Cfg (XAuth enabled)

Group [GroupP] User [tuser] Sending subnet mask (255.255.255.224) to remote client

Group [GroupP] User [tuser] Attempted to assign network or broadcast IP address, removing (192.168.32.128) from pool

After this, I see the client negotiation again and the client gets connected.

So, the IP address is removed from the pool. Please make sure you configure a pool that doesnt have any broadcast IP address.

Thanks

Gilbert

Rate it, if this post helps.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
ggilbert Mon, 02/26/2007 - 12:37

Pablo,

Are you trying to do Authentication and Authorization?

Can you please enable the logs on the concentrator to see what is happening.

Some logs that would help AUTH, AUTHDBG, IKE, IKEDBG, IPSEC, IPSECDBG - severity 1-13.

Cheers

Gilbert

Correct Answer
ggilbert Tue, 02/27/2007 - 07:00

Pablo,

When you use RADIUS authentication on the concentrator, the ACS server will automatically send all the user attributes to the concentrator for the user that is connecting. There is no need to have Authorization to be configured on the RADIUS server.

According to the logs, seems like the IP pool is the problem.

Group [GroupP] User [tuser] Obtained IP addr (192.168.32.128) prior to initiating Mode Cfg (XAuth enabled)

Group [GroupP] User [tuser] Sending subnet mask (255.255.255.224) to remote client

Group [GroupP] User [tuser] Attempted to assign network or broadcast IP address, removing (192.168.32.128) from pool

After this, I see the client negotiation again and the client gets connected.

So, the IP address is removed from the pool. Please make sure you configure a pool that doesnt have any broadcast IP address.

Thanks

Gilbert

Rate it, if this post helps.

Actions

This Discussion