After software update, users are no longer recognized as members of group

Apr 22nd, 2007

Hi!


Today I updated the software version of our VPN 3060 from "Cisco Systems, Inc./VPN 3000 Concentrator Version 4.1.5.A Jul 21 2004 17:54:03" to "Cisco Systems, Inc./VPN 3000 Concentrator Version 4.1.7.Q Feb 20 2007 12:24:30".


After the update, users were no longer able to connect. The following error occurs:


547 04/22/2007 18:06:58.030 SEV=4 IKE/60 RPT=22 xx.xx.xx.xx

User ([email protected]) not member of group (Some Group), authentication failed.


This happens even though some moments before the group was found


543 04/22/2007 18:06:53.010 SEV=5 CERT/105 RPT=25

Group [A_VPN_Group] found for cert peer xx.xx.xx.xx by group match rule

issuer-cn="someca"


The logs of passed authentications at the ACS show:

04/22/2007 18:06:58 Authen OK [email protected] A_Windows_Group xx.xx.xx.xx [email protected] yy.yy.yy.yy[VPNC IP Address]


I don't know what may have happened. Have you got any clues?


Thanks in advance,


Manuel

b.hsu Fri, 04/27/2007 - 05:19

It may be due to the Group Attribute configuration in ACS.


If the Group Lock feature is enabled on the Group - Tunnel_Group, then the User must be part of Tunnel_Group to connect.


Refer to these links:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_tech_note09186a00800948c1.shtml

http://www.cisco.com/en/US/tech/tk59/technologies_configuration_example09186a00800946a2.shtml

ciiscte_admin Fri, 04/27/2007 - 05:40

Thanks a lot. We disabled that feature and it all works perfectly again.
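A triage sketch for the symptom in this thread, added here as an example and not written by any participant or taken from Cisco: it pairs each IKE/60 "not member of group" failure with the group that the CERT/105 group match rule selected for the same peer. The sample log is constructed from the two event formats quoted in the question; the function names, addresses and user are assumptions.

```python
import re

# Event header as quoted in the question:
# seq, date, time, SEV, class/number, RPT, optional peer address
HEADER = re.compile(r"^\d+ \S+ \S+ SEV=\d+ (\w+/\d+) RPT=\d+\s*(\S+)?$")
GROUP_MATCH = re.compile(r"Group \[(.+?)\] found for cert peer (\S+)")
NOT_MEMBER = re.compile(r"User \((.+?)\) not member of group \((.+?)\)")

def parse_events(text):
    """Return (event_id, peer, message); lines after a header are joined into the message."""
    events = []
    for line in filter(None, (l.strip() for l in text.splitlines())):
        m = HEADER.match(line)
        if m:
            events.append([m.group(1), m.group(2), ""])
        elif events:
            events[-1][2] = (events[-1][2] + " " + line).strip()
    return [tuple(e) for e in events]

def group_membership_failures(text):
    """Pair each IKE/60 failure with the group the cert match rule chose for that peer."""
    cert_group = {}  # peer -> group selected by CERT/105
    findings = []
    for event_id, peer, msg in parse_events(text):
        if event_id == "CERT/105" and (m := GROUP_MATCH.search(msg)):
            cert_group[m.group(2)] = m.group(1)
        elif event_id == "IKE/60" and (m := NOT_MEMBER.search(msg)):
            findings.append({"peer": peer, "user": m.group(1),
                             "failed_group": m.group(2),
                             "cert_matched_group": cert_group.get(peer)})
    return findings

# Constructed sample: addresses, user and the second session are made up for illustration.
SAMPLE = """\
543 04/22/2007 18:06:53.010 SEV=5 CERT/105 RPT=25
Group [A_VPN_Group] found for cert peer 192.0.2.10 by group match rule
issuer-cn="someca"
547 04/22/2007 18:06:58.030 SEV=4 IKE/60 RPT=22 192.0.2.10
User (user@example.com) not member of group (A_VPN_Group), authentication failed.
551 04/22/2007 18:09:12.500 SEV=5 CERT/105 RPT=26
Group [A_VPN_Group] found for cert peer 192.0.2.20 by group match rule
issuer-cn="someca"
"""

if __name__ == "__main__":
    for finding in group_membership_failures(SAMPLE):
        print(finding)
```

A finding where the certificate rule did select a group yet membership still failed is the pattern reported here, and it points at comparing the group name the authentication server returns with the tunnel group.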
