3000Concentrator - How to tell which auth server being used

Answered Question
Jan 12th, 2009
User Badges:

We own several 3000-series concentrators. Today we had a major issue where users could not connect via Remote Access. Because we didn't have DHCP scopes specified in the concentrator, it (apparently) was pulling DHCP from the auth server being used.


Because we had 8 authentication servers in our server list, I couldn't tell which server was causing the issue.


Is there ANY way to find this information in the concentrator? I ended up having to connect to every single one...

Correct Answer by Ivan Martinon about 8 years 5 months ago

When you go to Configuration | User Management, you will see the defined groups in there, if you highlight the group you desire and then on the right click on the button "authentication server" you can add the authentication server that this particular group will use.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Ivan Martinon Mon, 01/12/2009 - 14:52
User Badges:
  • Cisco Employee,

Other than setting Authentication logs and go through the logs, there is no way to tell what Authentication server your CVPN is using at that time. But it really depends on whether you have it assigned to the group, if it is globally defined, if they are the same type of servers.

tylerlucas Tue, 01/13/2009 - 08:04
User Badges:

Thank you for the reply! That clears things up a lot for me.


One other quick scenario:

Suppose there are three authentication servers, and suppose that each auth server belongs to a different domain. If three users log in and all attempt to use NT credentials, one from each domain, will it automatically use the "correct" respective auth servers?

Ivan Martinon Tue, 01/13/2009 - 08:40
User Badges:
  • Cisco Employee,

They will use the authentication server that:


1) is assigned to the group (if any)


or


2) the first authentication server on the list.


The CVPN does not differentiate the authentication server based on domains, tipically the user would enter DOMAIN\USER to authenticate but the CVPN cannot be a member of any domain to strip this and send it to the correct domain, instead it will just forward DOMAIN\USER to the authentication server that first match the request.

tylerlucas Tue, 01/13/2009 - 09:17
User Badges:

Thanks again for the response :)


Last question:

How do I assign which auth server is associated with a specific group? I see where to assign what 'type' of auth (NTBackup, etc), but not an area to assign a specific server to a specific group (I'm looking in group config).

Correct Answer
Ivan Martinon Tue, 01/13/2009 - 09:22
User Badges:
  • Cisco Employee,

When you go to Configuration | User Management, you will see the defined groups in there, if you highlight the group you desire and then on the right click on the button "authentication server" you can add the authentication server that this particular group will use.

tylerlucas Tue, 01/13/2009 - 09:29
User Badges:

Ah, I had NO idea.


Thank you so much, you've been a huge help.

Actions

This Discussion