VPN Concentrator & PPTP with Radius/SecurID/AD and msCHAPv2

Unanswered Question
Jan 29th, 2008

I have the following setup that needs assistance:

VPN concentrator 3005 running code 4.7.2.N latest code.
VPN public interface IP address is
VPN private interface IP address is
There is NO filter on the public interface.

On the network, I have a Cisco ACS 3.2 running win2k3 and an RSA SecurID Server.
ACS Server IP is
and RSA Server is
The default gateway for these servers is
The Win2k3 running ACS is also a Microsoft Active Directory as well. I configured the VPNc to use ACS radius server and external database is the RSA securID server.

I configured 3 different groups on the ACS, Native_ACS, Active_Directory, and RSA_SecurID group. I configured the ACS and the VPN concentrator according to this

I have 3 users, vpn3k is native ACS user, test1 is an account on the RSA SecurID Server, and lcs1 is an account on the AD server. When I tested the AAA authentication, VPN concentrator tells me that all 3 accounts are good.

Now I setup the concentrator for PPTP connection, vpn3k and lcs1 users can connect just fine. However, test1 which is a SecurID account can NOT connect at all.

Another weird issue is that if I enable "msCHAPv2" in the basegroup for PPTP, vpn3k can connect just fine, but lcs1 user which is an Active Directory account, can NOT connect at all, even though clearly in the VPNc log, it states that this user passes msCHAPv2 authentication:

437 01/29/2008 12:17:21.540 SEV=5 PPP/8 RPT=27
User [lcs1]
Authenticated successfully with MSCHAP-V2

Anyone know of a solid book/site regarding Cisco VPN concentrator for remote access for PPTP and IPSec? It looks to me that even CCIE caliber people do not have a solid understanding of the VPN concentrator due to many features/options that this device

But first and foremost, I need a solution to this issue. Thanks.

vkapoor5 Tue, 02/05/2008 - 06:55

The Cisco VPN 3000 Concentrator supports the Point-to-Point Tunnel Protocol (PPTP) tunneling method for native Windows clients. There is 40-bit and 128-bit encryption support available on these VPN Concentrators for a secured reliable connection.



