cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
444
Views
0
Helpful
4
Replies

VPN 3005 integrated auth with ACS and RSA Server

pablo.perez
Level 1
Level 1

Hi guys, i have an VPN 3005, using the version 4.7.2.B version, and i have the following problem.

When a remote user using the Cisco VPN client try to connect to the VPN 3005, he must to try twice to authenticate.

At the first try, the user is authenticated, but the connection is inmediatly termined by the peer.

After the secund try, the user is authenticated ok.

1 Accepted Solution

Accepted Solutions

Pablo,

When you use RADIUS authentication on the concentrator, the ACS server will automatically send all the user attributes to the concentrator for the user that is connecting. There is no need to have Authorization to be configured on the RADIUS server.

According to the logs, seems like the IP pool is the problem.

Group [GroupP] User [tuser] Obtained IP addr (192.168.32.128) prior to initiating Mode Cfg (XAuth enabled)

Group [GroupP] User [tuser] Sending subnet mask (255.255.255.224) to remote client

Group [GroupP] User [tuser] Attempted to assign network or broadcast IP address, removing (192.168.32.128) from pool

After this, I see the client negotiation again and the client gets connected.

So, the IP address is removed from the pool. Please make sure you configure a pool that doesnt have any broadcast IP address.

Thanks

Gilbert

Rate it, if this post helps.

View solution in original post

4 Replies 4

ggilbert
Cisco Employee
Cisco Employee

Pablo,

Are you trying to do Authentication and Authorization?

Can you please enable the logs on the concentrator to see what is happening.

Some logs that would help AUTH, AUTHDBG, IKE, IKEDBG, IPSEC, IPSECDBG - severity 1-13.

Cheers

Gilbert

Hi Gilbert. The Vpn Concentrator has enabled authentication and authorization.

All is integrated using CiscoSecure ACS Release 3.3(2) Build 2 and RSA Authentication Manager 6.1.1.

About the logs, is attached:

Pablo,

When you use RADIUS authentication on the concentrator, the ACS server will automatically send all the user attributes to the concentrator for the user that is connecting. There is no need to have Authorization to be configured on the RADIUS server.

According to the logs, seems like the IP pool is the problem.

Group [GroupP] User [tuser] Obtained IP addr (192.168.32.128) prior to initiating Mode Cfg (XAuth enabled)

Group [GroupP] User [tuser] Sending subnet mask (255.255.255.224) to remote client

Group [GroupP] User [tuser] Attempted to assign network or broadcast IP address, removing (192.168.32.128) from pool

After this, I see the client negotiation again and the client gets connected.

So, the IP address is removed from the pool. Please make sure you configure a pool that doesnt have any broadcast IP address.

Thanks

Gilbert

Rate it, if this post helps.

Gilbert, that was the problem.

I changed the pool settings at the concentrator and at the the following attempt was successful

Pablo

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: