Have an interesting problem and was wondering if anyone else has seen the same behavior and knows of a solution...
Cisco VPN 3015
Cisco ACS 3.1/Win2K
RSA ACE/5.1 Advanced
Have set the VPN Concentrator to use TACACS+ for all admin function logins. It contacts the Cisco ACS, which in turn sends the request to the RSA server.
We have hit-or-miss authentication success with this setup. Sometimes it works, other times it does not. In all cases, the RSA server reports a successful authentication AND the ACS also reports a successful authentication. The VPN 3015 will either authenticate, or timeout.
The strange part is that as soon as I switch the user being authenticated to use an internal password on the ACS (instead of authenticating against the RSA server), we get 100% authentication success. Have tried various versions of 3015 code and also gone from 5.0 to 5.1 on the RSA server.
Anyone seen this or anything similar? Bug? My stupidity?
I have considered this, however, as I had said before, I get 100% success in the logs on the ACS, even when using the RSA as the authentication source. It seems to be related to the communication between the ACS and the VPN3000, but there are really no settings that I am aware of to play with, other than the TACACS timeout settings on the VPN3000, which I have tried adjusting with no success. The only indication of a problem is that the authentication fails on the VPN3000, even though the ACS and the RSA indicate success.
The fact that ACS logs show 100% success all the time just indicates that ACS gets the response from RSA in all cases and transfers the response back to the VPN3K.
The fact that the VPN3K doesn't always get the response (in cases where it indicates timeout) just shows that the VPN3K doesn't wait long enough to get _all_ the responses from ACS, which ACS does send.
Try to match a failed authentication message from the VPN3K to a snippet from the AUTH.log file (taken with full logging) and see if the time it took ACS to process the request (including RSA process) is above what is configured in the VPN3K Tacacs timeout.
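The correlation the reply describes (match each VPN3K timeout to the ACS AUTH.log transaction for the same user and compare ACS processing time against the concentrator's TACACS+ timeout) can be scripted. The following is an added example, not code from the thread or from Cisco; the ACS AUTH.log and VPN 3000 event-log line formats, the usernames, addresses and timestamps are all constructed for illustration, so the two regular expressions must be adapted to the real log layout before use.

```python
"""Correlate VPN 3000 TACACS+ timeouts with ACS (RSA-backed) processing time.

Added example. The log formats below are CONSTRUCTED for illustration; real
Cisco ACS AUTH.log and VPN 3000 event-log lines differ, so adjust ACS_RE and
VPN_RE to your own logs.
"""
import re
from datetime import datetime, timedelta

# Constructed ACS AUTH.log excerpt (full logging): one line when the TACACS+
# request arrives, one for the external RSA lookup, one when the reply is sent.
ACS_AUTH_LOG = """\
2003-05-12 10:15:01 AUTH TACACS+ request user=jdoe seq=1 from=10.1.1.5
2003-05-12 10:15:02 AUTH external db RSA ACE result=PASS user=jdoe
2003-05-12 10:15:02 AUTH TACACS+ reply user=jdoe seq=1 status=PASS
2003-05-12 10:20:30 AUTH TACACS+ request user=jdoe seq=2 from=10.1.1.5
2003-05-12 10:20:36 AUTH external db RSA ACE result=PASS user=jdoe
2003-05-12 10:20:36 AUTH TACACS+ reply user=jdoe seq=2 status=PASS
2003-05-12 10:31:10 AUTH TACACS+ request user=asmith seq=3 from=10.1.1.5
2003-05-12 10:31:18 AUTH external db RSA ACE result=PASS user=asmith
2003-05-12 10:31:18 AUTH TACACS+ reply user=asmith seq=3 status=PASS
2003-05-12 10:40:00 AUTH TACACS+ request user=bjones seq=4 from=10.1.1.5
2003-05-12 10:40:01 AUTH TACACS+ reply user=bjones seq=4 status=PASS
"""

# Constructed VPN 3000 event-log excerpt for admin logins via TACACS+.
VPN3K_LOG = """\
1 05/12/2003 10:15:02.500 SEV=4 AUTH/22 RPT=1 Admin jdoe authenticated via TACACS+
2 05/12/2003 10:20:35.100 SEV=3 AUTH/9 RPT=2 TACACS+ server 10.1.1.9 timeout, user jdoe
3 05/12/2003 10:31:15.200 SEV=3 AUTH/9 RPT=3 TACACS+ server 10.1.1.9 timeout, user asmith
4 05/12/2003 10:40:05.000 SEV=3 AUTH/9 RPT=4 TACACS+ server 10.1.1.9 timeout, user bjones
"""

ACS_RE = re.compile(r"^(\S+ \S+) AUTH TACACS\+ (request|reply) user=(\S+) seq=(\d+)")
VPN_RE = re.compile(r"^\d+ (\S+ \S+) SEV=\d AUTH/\d+ RPT=\d+ (.*)$")


def acs_durations(log_text):
    """Return {(user, seq): (request_time, seconds_until_reply)} from ACS lines."""
    pending, durations = {}, {}
    for line in log_text.splitlines():
        m = ACS_RE.match(line)
        if not m:
            continue  # e.g. the "external db" lines, not needed for timing
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        key = (m.group(3), int(m.group(4)))
        if m.group(2) == "request":
            pending[key] = ts
        elif key in pending:
            start = pending.pop(key)
            durations[key] = (start, (ts - start).total_seconds())
    return durations


def vpn_timeouts(log_text):
    """Return [(time, user)] for VPN 3000 entries reporting a TACACS+ timeout."""
    out = []
    for line in log_text.splitlines():
        m = VPN_RE.match(line)
        if not m or "timeout" not in m.group(2):
            continue
        ts = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S.%f")
        out.append((ts, m.group(2).rsplit("user ", 1)[1]))
    return out


def correlate(vpn_log, acs_log, tacacs_timeout_s, window_s=60):
    """For every VPN3K timeout, find the ACS transaction for the same user whose
    request arrived within window_s before the timeout, and flag whether ACS
    (including the RSA round trip) took longer than the configured timeout."""
    durations = acs_durations(acs_log)
    findings = []
    for t_fail, user in vpn_timeouts(vpn_log):
        for (u, seq), (start, secs) in durations.items():
            if u != user:
                continue
            if timedelta(0) <= t_fail - start <= timedelta(seconds=window_s):
                findings.append({"user": user, "seq": seq, "acs_seconds": secs,
                                 "exceeds_timeout": secs > tacacs_timeout_s})
    return findings


if __name__ == "__main__":
    # tacacs_timeout_s is a placeholder; use the value configured on the VPN3K.
    for f in correlate(VPN3K_LOG, ACS_AUTH_LOG, tacacs_timeout_s=5):
        print(f)
```

In the constructed data, jdoe's second login and asmith's login time out on the concentrator while ACS took 6 and 8 seconds against a 5-second timeout, which is exactly the mismatch the reply above describes; bjones times out even though ACS answered in 1 second, and a case like that points away from ACS latency (packet loss, a wrong key, or a concentrator-side problem) rather than toward the timeout value.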