Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
421
Views
0
Helpful
3
Replies

VPN external groups on AAA server. odd behavior

Go to solution
banajahms
Level 1
Level 1

‎10-18-2008 07:22 PM - edited ‎02-21-2020 10:22 AM

Hi all,

The other day I was configuring a test VPN 3000 with external groups that are configured on a RADIUS server, let's call one group SALES with group password 1234, which I have configured on the VPN 3000 as 'external' as well. I've assigned a few users to this group (call them Jack and Mary). So far no users can authenticate successfully (authentication fail).

After spending hours troubleshooting the problem, I configured a new user whose name is SALES and password is 1234 (same as the group) and assigned to group sales, got that config from a template. After doing so, Jack and Mary can authenticate and establish the tunnel.

The problem is fixed now but my question is why is this requirement? Does this mean that with every external group I create, I have to create a user with the same name as that group and assign it to the group so that the rest of the users in that group can authenticate normally?

I tried looking for answers on the web but so far I've found none.

Any explanation would be appreciated.

Thanks

Mo

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Farrukh Haroon
VIP Alumni
VIP Alumni

‎10-19-2008 12:06 AM

Yes this is the way its done. You need to add the 'external' group define on the VPNC/ASA as a 'user' on the ACS. It is used to authenticate the 'group' name/password itself. Have a look at:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_tech_note09186a00800948c1.shtml

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a00807f6e76.shtml

Regards

Farrukh

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Farrukh Haroon
VIP Alumni
VIP Alumni

‎10-19-2008 12:06 AM

Yes this is the way its done. You need to add the 'external' group define on the VPNC/ASA as a 'user' on the ACS. It is used to authenticate the 'group' name/password itself. Have a look at:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_tech_note09186a00800948c1.shtml

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a00807f6e76.shtml

Regards

Farrukh

0 Helpful

Go to solution
banajahms
Level 1
Level 1
In response to Farrukh Haroon

‎10-19-2008 12:41 AM

OK... i see. I thought that because the external group is defined on the concentrator, the group authentication would happen on the device itself and only the user auth would take place on RADIUS server. but it seems that both group and user auth is done on the server. i understand now.

however, after reading the first link i know have another question. in the 4 steps of authentication, i understood steps 2 and 3 (authenticating the user and its group) but what is the group that is authenticated in steps 1 and 4?

thansk again Farruk for your clarification. i do appreciate it.

Mo

0 Helpful

Go to solution
Farrukh Haroon
VIP Alumni
VIP Alumni
In response to banajahms

‎10-19-2008 02:44 AM

The first one is for authentication. Then at the last step the settings from the group to which the user belongs are applied. Its like authorization.

Regards

Farrukh

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents