ACS 3.0 Windows, VPN, Dialup and external databases

I am trying to set up a VPN solution, and most of it is just fine.

We have a VPN concentrator, that authenticates against CSACS, and that in turn backs off authentication against a Windows domain. Unknown user policy lets new users dynamically create themselves.

The VPN is using the Cisco VPN client. The concentrator is visible on the internet, and that bit works great.

The difficult bit is that we are also trying to set up dial access using a telco for users that do not have their own internet access.

I am having trouble getting that to authenticate against the Windows domain.

If I manually create a user and add a chap password, that user can authenticate OK. If I manually add a chap password the user can authenticate.

If the user does not exist I get "CS user unknown", if I have not manually added a password but the user exists I get "CS CHAP password invalid", so it looks like the problem is backing this authentication off against the domain, but I cannot see why.

The Telco's RADIUS server is in my network configuration as an AAA client, and is configured almost the same as the VPN concentrators (the difference is the VPN Conc is set up as "RADIUS (Cisco VPN 3000)" and the RADIUS server as "RADIUS (IETF)").

Any thoughts?

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: ACS 3.0 Windows, VPN, Dialup and external databases

You can't use CHAP to authenticate against a Windows domain; the way CHAP requires the password to be stored is incompatible with Windows passwords. You'll have to set up each dial-up user's Dial-Up Networking connection to use MS-CHAP or PAP.
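To make the incompatibility concrete, here is an added illustration (not code from the thread, from ACS or from Cisco) of what each side can compute: a CHAP response is MD5 over the cleartext secret, while a Windows domain only holds the NT hash (MD4 of the UTF-16LE password), which is what MS-CHAP is built on. The `stored` dictionary shape and the sample secret are assumptions made for this example.

```python
import hashlib
import hmac
import struct


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often missing on OpenSSL 3 builds."""
    def F(x, y, z): return (x & y) | (~x & z)
    def G(x, y, z): return (x & y) | (x & z) | (y & z)
    def H(x, y, z): return x ^ y ^ z
    def rotl(x, n): return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    r3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(48):
            if i < 16:
                f, k, s = F(b, c, d), i, (3, 7, 11, 19)[i % 4]
            elif i < 32:
                f, k, s = G(b, c, d) + 0x5A827999, (i % 4) * 4 + i // 4 - 4, (3, 5, 9, 13)[i % 4]
            else:
                f, k, s = H(b, c, d) + 0x6ED9EBA1, r3[i - 32], (3, 9, 11, 15)[i % 4]
            a, b, c, d = d, rotl((a + f + X[k]) & 0xFFFFFFFF, s), b, c
        h = [(x + y) & 0xFFFFFFFF for x, y in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """What a Windows domain actually stores: MD4 of the UTF-16LE password.
    MS-CHAP responses are derived from this value, so a domain can verify them."""
    return md4(password.encode("utf-16le"))


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP: MD5(Identifier || Secret || Challenge), computed by the dial-up peer."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def verify_chap(ident: int, stored: dict, challenge: bytes, response: bytes) -> bool:
    """Server-side check. It only succeeds when the server holds the cleartext secret
    (a user defined in ACS itself). A record holding only an NT hash, which is all a
    Windows domain can provide, cannot reproduce the MD5 and fails every time."""
    if "cleartext" not in stored:
        return False  # the thread's "CHAP password invalid" for domain-backed users
    expected = chap_response(ident, stored["cleartext"], challenge)
    return hmac.compare_digest(expected, response)
```

The same peer response therefore verifies against a locally defined ACS user (cleartext stored) and fails against a domain-backed one (NT hash only), which matches the symptom in the question.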

2 REPLIES

Re: ACS 3.0 Windows, VPN, Dialup and external databases

Thanks - I found that in the documentation late Friday. For anyone else hitting this http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/csnt30/user/o.htm#784244

A matter of confusion was thrown into the mix because of inconsistent connections from the telco. Depending on geographic location, and connection method (ISDN or POTS) users were using PAP or CHAP, so some managed to connect and others failed.

Unfortunately the Telco do not offer MS-CHAP.

Thanks.
