08-05-2008 12:32 PM - edited 03-10-2019 04:01 PM
Dear everybody,
We are using a VPN concentrator for RAS VPN and authenticate users by means of X.509 certificates with RADIUS authorization (without XAUTH authentication). We have one vpngroup configured locally on the VPN 3005 concentrator, and by means of RADIUS AV pairs I change some configuration parameters, like the split-tunnel configuration. I would also like to force some users to use XAUTH by means of the IPSec-Authentication RADIUS AV pair. But if I try to send this AV pair during the authorization phase, it seems that the VPN concentrator ignores it. I guess that this is because the authorization phase goes after authentication and the concentrator is unable to restart XAUTH. So my question is whether I could use the IPSec-Authentication AV pair this way or not. Any information would be appreciated.
Thank you very much for your help and excuse my English.
Take care
ZR
08-05-2008 07:19 PM
I think it is better to use it with Xauth; then the AV pair will be associated with each user or user group.
08-06-2008 11:32 PM
Thank you for your help.
But according to my testing and reading of various documentation, I have come to the conclusion that the IPSec-Authentication AV pair cannot be used this way (this AV pair is probably used only with external VPN groups), because authorization goes after authentication. The reason why I would like to use XAUTH is that by means of the User-Name AV pair sent in the Access-Request I can give the RADIUS server a "hint" about which reply AV pairs I want to send back to the concentrator. With the X.509 certificate authentication we are using, the User-Name AV pair is always the same. Of course I can use a combination of an X.509 certificate with an XAUTH login name and password, but this is not accepted by our IT manager. Because the number of users who would require different configuration parameters in different situations is very small (actually just one), we decided to issue a secondary X.509 certificate for that user, which will also solve our problem.
ZR