Integration of VPN 3000 with IAS as RADIUS server

Unanswered Question
Mar 20th, 2007

Hi,

I am trying to use an IAS RADIUS server as an authorization server (only authorization, no authentication; I do authentication with another type of server), and I must include a field called "Common user password" in the Servers|Authorization|Add/Modify window.

The documentation for VPN 3000 configuration says that you must provide this password to the RADIUS server administrator, but I have to do this too!!!


Does anyone know how I can associate this password (in the IAS server) with each user authorizing to this server?


Please, I have had a lot of problems with this.


Thanks and best regards,


Luis

kaachary Tue, 03/20/2007 - 12:57
User Badges: Cisco Employee

In most setups, a single RADIUS server is used for both authentication and authorization (because this is quite natural for RADIUS).

If you do need a separate server for authorization, then let me just explain what settings are expected for "Common User Password".



When the VPN3000 is going to fetch authorization information from the Authorization server, it needs to send a username inside the query (this is obvious).

If the Authorization server is also a RADIUS server, then some password is needed (due to the nature of the RADIUS protocol).

The "Common User Password" option allows you to specify the same, i.e. common, password for ALL users (for any username).

So the administrator of the RADIUS server (which is used for separate authorization) can create your users' accounts with the needed individual authorization attributes but with simply the same common password.


This is just to simplify RADIUS server config.

======

The other option is not to specify a "common user password"; in this case the VPN3000 will use "user1" as the password for "user1", "user2" as the password for "user2", and so on.


These settings are in fact required when you have Authentication set up using Certificates (SSL Client/WebVPN) and authorization needs to be done through a RADIUS server, or in a setup where you have separate servers for Authentication and Authorization (e.g. IPSec Clients).


Also, these settings are completely transparent to the users and they do not need to do anything on their side.


I hope this explains it.


*Please rate if helped.


-Kanishka
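
Added example, not part of the original replies and not Cisco's code: a sketch of the authorization-only Access-Request described in the reply above, with the User-Password attribute hidden as RFC 2865 section 5.2 specifies, and the view the RADIUS server gets after reversing it. The function names, the shared secret and the passwords are constructed for illustration; the username-as-password fallback is taken from the reply, not from a captured packet.

```python
import hashlib
import os
import struct
from typing import Optional

USER_NAME, USER_PASSWORD = 1, 2   # RFC 2865 attribute types
ACCESS_REQUEST = 1                # RFC 2865 packet code


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: null-pad to 16-octet blocks, XOR with an MD5 chain."""
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def build_authz_request(username: str, secret: bytes,
                        common_password: Optional[str] = None, ident: int = 1) -> bytes:
    """Authorization-only Access-Request; the end user's real password is never used."""
    # Assumption taken from the reply: no common password -> username doubles as password.
    password = (common_password or username).encode()
    authenticator = os.urandom(16)
    attrs = b""
    for typ, value in ((USER_NAME, username.encode()),
                       (USER_PASSWORD, hide_password(password, secret, authenticator))):
        attrs += bytes([typ, len(value) + 2]) + value
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def server_view(packet: bytes, secret: bytes) -> tuple:
    """What the RADIUS server recovers: (User-Name, clear-text User-Password)."""
    authenticator, pos, attrs = packet[4:20], 20, {}
    while pos + 2 <= len(packet):
        typ, length = packet[pos], packet[pos + 1]
        if length < 2:
            raise ValueError("malformed attribute")
        attrs[typ] = packet[pos + 2:pos + length]
        pos += length
    clear, prev = b"", authenticator
    for i in range(0, len(attrs[USER_PASSWORD]), 16):
        block = attrs[USER_PASSWORD][i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        clear += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return attrs[USER_NAME].decode(), clear.rstrip(b"\x00").decode()
```

With a common password set, the server recovers the same password value for every username, so the accounts on the authorization server are matched on that value and not on each user's own password.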

mj.jimenez Wed, 03/21/2007 - 03:55

Hi Kanishka,


Thanks for your help, I understand now how it works and why it needs a common password for authorization!


But now i have another problem: I have to configure Radius server too!!!


Do you know how I can do what you said in the first option? I can't change all authorized users' passwords in Active Directory (obvious), each user has his own password.


I think it's a big problem.


Thanks in advance and best regards,


Luis

mj.jimenez Thu, 03/22/2007 - 08:27

Hi Kanishka and the rest of you,


I've configured my concentrator with separate authentication and authorization, and configured my authorization server as you told me, with a common user password. I have tested the server from the Concentrator and it authorizes successfully.


When I log in to WebVPN, I start my session as a member of the group defined in the "Class" attribute, but without permissions, so I have to enter my username & password to access the shares of the file servers defined in the group.


Does anybody know what's going on?
