setting up VPN external groups on AAA server. Odd behavior.
The other day I was configuring a test VPN 3000 with external groups that are configured on a RADIUS server, let's call one group SALES with group password 1234, which I have configured on the VPN 3000 as 'external' as well. I've assigned a few users to this group (call them Jack and Mary). So far no users can authenticate successfully (authentication fail).
After spending hours troubleshooting the problem, I configured a new user whose name is SALES and password is 1234 (same as the group) and assigned to group sales, got that config from a template. After doing so, Jack and Mary can authenticate and establish the tunnel.
The problem is fixed now but my question is why is this requirement? Does this mean that with every external group I create, I have to create a user with the same name as that group and assign it to the group so that the rest of the users in that group can authenticate normally?
I tried looking for answers on the web but so far I've found none.
Re: setting up VPN external groups on AAA server. Odd behavior.
When you configure group as external, Group authentication also takes place by the Authentication server. It is an expected behavior.
I am sure, if you look into the fail logs on your authentication server, you must have error log mentioning that authentication for user 'SALES' failed, when you did not have that user account created on the authentication server.
"Configuring external groups means configuring them on an external authentication server such as RADIUS."
"If you are using an external authentication server, keep in mind that usernames and group names must be unique. When naming a group, do not pick a name that matches the name of any external user; and conversely, when assigning a name to an external user, do not choose the name of any existing group."
DocumentationCode download linksGoalRequirementLimitationsSupported ISR
and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity
options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in
HA DocumentationCode download linksGoalRequirementLimitationsSupported
ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationCo...
Question I am currently unable to specify "crypto keyring" command when
configuring VPN connection on my cisco 2901 router. The following
licenses have been activated on my router :