ACS 3.0 Windows, VPN, Dialup and external databases

paul.matthews
Level 5

I am trying to set up a VPN solution, and most of it is just fine.

We have a VPN concentrator, that authenticates against CSACS, and that in turn backs off authentication against a Windows domain. Unknown user policy lets new users dynamically create themselves.

The VPN is using the Cisco VPN client. The concentrator is visible on the internet, and that bit works great.

The difficult bit is that we are also trying to set up dial access using a telco for users that do not have their own internet access.

I am having trouble getting that to authenticate against the Windows domain.

If I manually create a user and add a CHAP password, that user can authenticate OK. If I manually add a CHAP password the user can authenticate.

If the user does not exist I get "CS user unknown", if I have not manually added a password but the user exists I get "CS CHAP password invalid", so it looks like the problem is backing this authentication off against the domain, but I cannot see why.

The Telco's RADIUS server is in my network configuration as an AAA client, and is configured almost the same as the VPN concentrators (the difference is the VPN Conc is set up as "RADIUS (Cisco VPN 3000)" and the RADIUS server as "RADIUS (IETF)").

Any thoughts?

Accepted Solution
gfullage
Cisco Employee

You can't use CHAP to authenticate against a Windows domain; the way CHAP requires the password to be stored is incompatible with Windows passwords. You'll have to set up each dial-up user's Dial-Up Networking connection to use MSCHAP or PAP.

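The storage requirement behind the accepted answer, shown as an added Python example (not code from this thread or from ACS): RFC 1994 CHAP makes the client answer a challenge with MD5(id || secret || challenge), so the verifier must hold the cleartext secret, while PAP delivers the password itself and can be checked against a one-way digest. The store, usernames and the SHA-256 digest standing in for a domain's one-way password hash are all constructed for the example.

```python
import hashlib
import hmac
import os

# RFC 1994 CHAP: the client answers a challenge with MD5(id || secret || challenge),
# so the authenticator must hold the cleartext secret to compute the same value.
def chap_response(ident: int, secret: str, challenge: bytes) -> bytes:
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()

# Per user the store keeps either the cleartext CHAP secret (the case where a CHAP
# password is typed into the AAA server by hand) or only a one-way digest.  The
# digest is a constructed stand-in (SHA-256) for the hashed form a Windows domain
# keeps; it is not the real NT hash, but shares the relevant property: the
# cleartext cannot be recovered from it.
def make_record(password: str, cleartext: bool) -> dict:
    if cleartext:
        return {"chap_secret": password}
    return {"oneway": hashlib.sha256(password.encode()).digest()}

def verify_chap(store: dict, user: str, ident: int, challenge: bytes, response: bytes) -> str:
    rec = store.get(user)
    if rec is None:
        return "user unknown"
    secret = rec.get("chap_secret")
    if secret is None:
        # Only a one-way hash is stored: the expected MD5 cannot be computed,
        # so the verdict is a mismatch even when the client used the right password.
        return "CHAP password invalid"
    expected = chap_response(ident, secret, challenge)
    return "OK" if hmac.compare_digest(expected, response) else "CHAP password invalid"

# PAP hands the server the cleartext password, so the server can hash it and
# compare against a one-way record; this is why PAP works where CHAP cannot.
def verify_pap(store: dict, user: str, password: str) -> str:
    rec = store.get(user)
    if rec is None:
        return "user unknown"
    if "chap_secret" in rec:
        ok = hmac.compare_digest(rec["chap_secret"].encode(), password.encode())
    else:
        ok = hmac.compare_digest(rec["oneway"], hashlib.sha256(password.encode()).digest())
    return "OK" if ok else "PAP password invalid"

def demo() -> dict:
    # Constructed store: one user with a hand-entered CHAP secret, one known only by digest.
    store = {"alice": make_record("s3cret", cleartext=True),
             "bob": make_record("s3cret", cleartext=False)}
    challenge = os.urandom(16)
    results = {}
    for user in ("alice", "bob", "carol"):
        resp = chap_response(7, "s3cret", challenge)  # what a correct client sends
        results[user + "/chap"] = verify_chap(store, user, 7, challenge, resp)
        results[user + "/pap"] = verify_pap(store, user, "s3cret")
    return results
```

Running `demo()` reproduces the three outcomes from the question: the hand-entered user passes CHAP, the digest-only user fails CHAP but passes PAP, and an absent user is reported unknown.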


Thanks - I found that in the documentation late Friday. For anyone else hitting this http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/csnt30/user/o.htm#784244

A matter of confusion was thrown into the mix because of inconsistent connections from the telco. Depending on geographic location, and connection method (ISDN or POTS) users were using PAP or CHAP, so some managed to connect and others failed.

Unfortunately the Telco do not offer MS-CHAP.

Thanks.
