Cisco Support Community

New Member

RSA Radius and VPN3005

Hi!

I have a problem getting authentication between RSA Radius 5.0 and a VPN 3005. I can ping from 3005 to Radius server and vice versa.

After setting everything up, I tried to do the first elementary thing: to test the authentication from the VPN3005. In the log I can read the following.

Server name = 10.5.212.55, type = RADIUS,

group = none (global server), status = Not-in-service

11656 04/01/2003 09:17:54.370 SEV=4 AUTH/11 RPT=298 62.119.92.67

Accounting failed: Reason = No active server found

handle = 730, server = 10.5.212.55, user = test

11665 04/01/2003 09:18:53.370 SEV=4 AUTH/15 RPT=690

Server name = 10.5.212.55, type = RADIUS,

group = none (global server), status = Active

I've also tried from the "outside"

Initializing the connection...

Initiating TCP to 62.127.101.212, port 10000...

Contacting the gateway at 62.127.101.212...

Remote peer is no longer responding.

And then I can read the following in the log

11697 04/01/2003 09:26:51.870 SEV=3 AUTH/5 RPT=32 62.119.92.67

Authentication rejected: Reason = Unspecified

handle = 733, server = 10.5.212.55, user = BComTech, domain = <not specified>

11699 04/01/2003 09:26:51.870 SEV=4 IKEDBG/65 RPT=30 62.119.92.67

Group [BComTech]

IKE AM Responder FSM error history (struct &0x3948ed8)

<state>, <event>:

AM_DONE, EV_ERROR_CONT

AM_DONE, EV_ERROR

AM_BLD_MSG2, EV_GROUP_FAIL

AM_BLD_MSG2, NullEvent

I guess I'm missing something pretty basic.

Anyone who can enlighten me?

Best regards

Johan
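
The event lines quoted in the post above can be grouped into records so that failures are listed per authentication server. This is an added example, not part of the original post; the header layout is inferred from the excerpt alone, and the function names are hypothetical.

```python
import re

# Constructed sample: event lines copied from the post above, blank lines removed.
SAMPLE_LOG = """\
11656 04/01/2003 09:17:54.370 SEV=4 AUTH/11 RPT=298 62.119.92.67
Accounting failed: Reason = No active server found
handle = 730, server = 10.5.212.55, user = test
11665 04/01/2003 09:18:53.370 SEV=4 AUTH/15 RPT=690
Server name = 10.5.212.55, type = RADIUS,
group = none (global server), status = Active
11697 04/01/2003 09:26:51.870 SEV=3 AUTH/5 RPT=32 62.119.92.67
Authentication rejected: Reason = Unspecified
handle = 733, server = 10.5.212.55, user = BComTech, domain = <not specified>
"""

# Assumed header layout: seq, date, time, SEV, class/number, RPT, optional peer IP.
HEADER = re.compile(
    r"^(?P<seq>\d+) (?P<date>\d{2}/\d{2}/\d{4}) (?P<time>[\d:.]+) "
    r"SEV=(?P<sev>\d+) (?P<cls>[A-Z]+)/(?P<num>\d+) RPT=(?P<rpt>\d+)(?: (?P<peer>[\d.]+))?$"
)
# "key = value" pairs in the body lines, separated by commas.
FIELD = re.compile(r"([A-Za-z][A-Za-z ]*?) = ([^,]+)")

def parse_events(text):
    """Split the log into events: one header line plus its body lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            events.append({**m.groupdict(), "fields": {}, "text": []})
        elif events:  # body line belongs to the most recent header
            events[-1]["text"].append(line)
            for key, value in FIELD.findall(line):
                events[-1]["fields"][key.strip().lower()] = value.strip()
    return events

def failures_by_server(events):
    """Group AUTH events that carry a Reason field by the server they name."""
    out = {}
    for ev in events:
        f = ev["fields"]
        if ev["cls"] == "AUTH" and "reason" in f:
            out.setdefault(f.get("server", "?"), []).append(
                (ev["seq"], f.get("user"), f["reason"]))
    return out
```
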

4 REPLIES
New Member

Re: RSA Radius and VPN3005

Hello Johan,

I see "No active server found" in the log. That can mean that the ACS server doesn't know what NAS can connect to the ACE server. So create the NAS server on the ACS server as a client.

Also create the ACS server as a client on the server itself. Take care with the key, which is case sensitive.

Another thing to test is whether the token is working fine. It is possible to test the token directly on the server before testing it on the VPN.

Then you can see that the token is working fine and is also synchronised with the server. After that you can try it from the VPN.

New Member

Re: RSA Radius and VPN3005

Thanks for the input!

I managed to get it to work before reading your reply.

Because it's my first time installing an RSA server, I made some basic mistakes.

I found a useful PDF document on the RSA website that cleared up a few things.

So now everything works fine.

Thanks anyway, I appreciate the response.

Best Regards

Johan

New Member

Re: RSA Radius and VPN3005

What was the solution?

New Member

Re: RSA Radius and VPN3005

Hi again!

Well, there was quite a lot to alter.

First, the "Group" created in the 3005: I had to change that from "External" type to "Internal". Then choose SDI authentication under the "IPSEC" tab.

Then, under Configuration/system/servers/authentication, select SDI as "server type". Before, I had chosen "Radius".

Further on, create a group in the RSA server with the same name as in the VPN 3005 and assign the users into that group as well.

Assuming you are more competent than me, I guess I don't have to go into the details regarding creating users, assigning tokens and so on.

Though, if you have more questions I'd be happy to answer them.

Kind regards

Johan
