IPSEC VPN auth fails if RADIUS server not first in list

jmcconnaughey
Level 1

Base group IPSEC tab has authentication set to "Internal." RemoteAccess group IPSEC tab has authentication set to "RADIUS with Expiry." WebVPN group IPSEC tab has authentication set to "Internal."

Configuration/System/Servers/Authentication has two entries: RADIUS server first, internal second. I need internal to be first because I have my WebVPN users configured on the internal database. However, if RADIUS server is not first, RemoteAccess group users fail to authenticate.

I tried configuring the RADIUS server on the Authentication servers button for the RemoteAccess group in Configuration/User Management/Groups, but get the same result.

Basically, my question is: how can I authenticate IPSEC remote access VPN users with RADIUS and WebVPN users with the internal database?

Thank you,

Joshua

1 Reply

Farrukh Haroon
VIP Alumni

I don't think the behavior you have described is correct: "However, if RADIUS server is not first, RemoteAccess group users fail to authenticate." If all configurations are correct, the remote users should land in the RemoteAccess group, which has authentication set to RADIUS. Whatever is set in the global default parameters (internal DB) should not affect it.

However, the converse is not true for WebVPN: for WebVPN the default method has to be correct and topmost, as mentioned here:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a008055641a.shtml#webfail

If possible, run debugs for RA users to find out the exact problem. As seen in this link, Cisco does not even change the default method:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a00800c3917.shtml

Regards

Farrukh
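When a group's "RADIUS with Expiry" authentication fails, the first thing to separate is whether the RADIUS server itself rejects the user or whether the concentrator never consulted it. The following is an added example, not code from the thread or from Cisco: it builds and checks the RFC 2865 PAP exchange the RemoteAccess group relies on, so the same username and password can be tested against the RADIUS server independently of the concentrator's server-list order. The shared secret, user database, NAS address and the in-process `simulate_radius_server` stand-in are all constructed here so the example runs offline; to test a real server you would send `build_access_request` output over UDP/1812 and feed the reply to `verify_response`. The Class attribute value `OU=RemoteAccess;` is the form the VPN 3000 reads for group assignment (assumed here from Cisco's documented convention, not from this thread).

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, CLASS = 1, 2, 4, 25


def encrypt_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: hide a PAP password by XOR with chained MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block            # next block is keyed on the ciphertext just produced
    return out


def decrypt_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of encrypt_password; strips the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; length covers the two header bytes."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(data: bytes) -> list:
    """Walk the attribute list, rejecting lengths that would run past the packet."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_access_request(identifier, username, password, secret, nas_ip, authenticator=None):
    """Access-Request with a fresh 16-byte Request Authenticator (or a caller-supplied one for tests)."""
    req_auth = authenticator or os.urandom(16)
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, encrypt_password(password.encode(), secret, req_auth))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + req_auth + attrs


def build_response(code, identifier, request_authenticator, secret, attrs=b""):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(response: bytes, request: bytes, secret: bytes):
    """Validate length, identifier and Response Authenticator before trusting the verdict."""
    if len(response) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response):
        raise ValueError("length mismatch")
    if ident != request[1]:
        raise ValueError("identifier does not match our request")
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        raise ValueError("bad Response Authenticator (wrong secret or forged reply)")
    return code, parse_attrs(response[20:])


def simulate_radius_server(request: bytes, secret: bytes, users: dict) -> bytes:
    """Constructed stand-in for the RADIUS server: decrypts the PAP password and answers."""
    _code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth = request[4:20]
    attrs = dict(parse_attrs(request[20:length]))
    user = attrs.get(USER_NAME, b"").decode()
    password = decrypt_password(attrs[USER_PASSWORD], secret, req_auth).decode()
    if users.get(user) == password:
        # Group assignment attribute the concentrator reads (assumed convention).
        return build_response(ACCESS_ACCEPT, ident, req_auth, secret, attr(CLASS, b"OU=RemoteAccess;"))
    return build_response(ACCESS_REJECT, ident, req_auth, secret)


def check_credentials(username, password, secret, users, nas_ip="10.0.0.1") -> int:
    """End-to-end: request -> (simulated) server -> verified reply. Returns the RADIUS code."""
    request = build_access_request(42, username, password, secret, nas_ip)
    response = simulate_radius_server(request, secret, users)
    code, _attrs = verify_response(response, request, secret)
    return code


if __name__ == "__main__":
    # Constructed test data, not anything from the thread.
    SECRET = b"constructed-shared-secret"
    USERS = {"joshua": "a-password-longer-than-sixteen-bytes"}
    verdict = check_credentials("joshua", USERS["joshua"], SECRET, USERS)
    print("Access-Accept" if verdict == ACCESS_ACCEPT else "Access-Reject")
```

If the server answers Access-Accept here but the concentrator still rejects the user, the problem is in the concentrator's group or server selection, which is where the debugs suggested above apply; if the server itself rejects, the concentrator's server ordering is not the cause.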