Re: RSA Radius and VPN3005

johanhenningsson · ‎04-01-2003

Hi!

I have a problem getting authentication between RSA Radius 5.0 and a VPN 3005. I can ping from 3005 to Radius server and vice versa.

After setting everything up, I tried to do the first elementary thing.

To test the authentication from the VPN3005. In the logg I can read the following.

Server name = 10.5.212.55, type = RADIUS,

group = none (global server), status = Not-in-service

11656 04/01/2003 09:17:54.370 SEV=4 AUTH/11 RPT=298 62.119.92.67

Accounting failed: Reason = No active server found

handle = 730, server = 10.5.212.55, user = test

11665 04/01/2003 09:18:53.370 SEV=4 AUTH/15 RPT=690

Server name = 10.5.212.55, type = RADIUS,

group = none (global server), status = Active

I´ve also tried from the "outside"

Initializing the connection...

Initiating TCP to 62.127.101.212, port 10000...

Contacting the gateway at 62.127.101.212...

Remote peer is no longer responding.

And then i can read the following in the logg

11697 04/01/2003 09:26:51.870 SEV=3 AUTH/5 RPT=32 62.119.92.67

Authentication rejected: Reason = Unspecified

handle = 733, server = 10.5.212.55, user = BComTech, domain = <not specified>

11699 04/01/2003 09:26:51.870 SEV=4 IKEDBG/65 RPT=30 62.119.92.67

Group [BComTech]

IKE AM Responder FSM error history (struct &0x3948ed8)

<state>, <event>:

AM_DONE, EV_ERROR_CONT

AM_DONE, EV_ERROR

AM_BLD_MSG2, EV_GROUP_FAIL

AM_BLD_MSG2, NullEvent

I guess I´m missing something pretty much basic.

Anyone who can enlighten me?

Best regards

Johan

r.vanwolferen · ‎04-03-2003

Hello Johan,

I see that in the log no active server found. That can mean that the ACS server doesn't know what NAS can connect to the ACE server. So create the NAS server on the ACS server as a client.

Also create the ACS server as a client on the server itself. Take care of the key wich is case sensitive.

Another thing to test is if the token is working fine. There is a possibility to test the token direct on the server before testing it on the vpn.

Then you can see that the token is working fine and also synchronised with the server. After that you can try it from the vpn.

johanhenningsson · ‎04-03-2003

Thanks for the input!

I managed to get it to work before reading your reply.

Because it's my first time installing a RSA server I did some basic mistakes.

I found a useful pdf document on RSA Website that cleared up a few things.

So now everthing works fine.

Thanks anyway, appreciate the respons

Best Regards

Johan

r.vanwolferen · ‎04-03-2003

What was the solution ????

johanhenningsson · ‎04-03-2003

Hi again!

Well, there was quiet much to alter.

First the "Group" created in the 3005, I had to change that from "External" type to "internal". Then choose SDI authentication under the "IPSEC" tab.

Then, under Configuration/system/servers/authentication then select SDI on "server type". Before I had chosen "Radius".

Further on, create a group in the RSA server with the same name as in the VPN 3005 and assign the users into that group as well.

Assuming you are more competent than me, I guess I don't have to go into the details regarding creating users, assigning tokens and so on.

Though, if you have more questions I'd be happy to answer them.

Kind regards

Johan