Cisco Support Community
Community Member

3000 using ACS to authenticate against NT domain



3000 concentrator accepting clients using a native W2K pptp client.

Configured a RADIUS (ACS v3.0 server) to accept auth requests from the 3000.

The group on ACS is called pptp, the group on 3000 is called pptp.


When the pptp (3000) group is configured to use internal authentication - it works fine and the ACS authenticates the users (against NT). I do this by using the test button on the RADIUS config within the pptp group on the 3000.

I know it works as the ACS logs confirm this and a user who isn't a member of the NT group fails authentication.

When I switch the 3000 group to external (as it should be) the external authentication fails with the following error: "Authentication Error: No active server found".

According to the docs the group should be external to use a RADIUS server.

Despite this, if you look in the logs on ACS the user is being authenticated.

This is all internal - I have a user in the 3000 group (nothing to do with NT or ACS) who can authenticate externally using his 3000 user/pass.

I am confused as this error seems incongruous - when internal it works, although it shouldn't really, when external, it should work and then fails.

Anyone any ideas?

Cisco Employee

Re: 3000 using ACS to authenticate against NT domain

You're getting confused with the wording of the External/Internal on the 3000 group (and don't worry, you're not the first).

If you want users in the pptp (3000) group to authenticate to an external radius server, then set this group to be Internal (yes, Internal). Set the Authentication method under the IPSec tab to Radius. This is all you need to do.

Setting the 3000 pptp group to External means that you want to define all the group parameters (under all the different tabs) on an external Radius server, not to authenticate users in that group on an external Radius server. You'll notice that after you set the group to External most of the tabs and configuration options disappear. This is because the 3000 is expecting that all these parameters are now defined externally, and the Radius server will tell it how it is configured. Hardly anyone actually does this, but a LOT of people get confused over it.

To say again, if you want to authenticate users in this group to a Radius server, set the group to Internal and the Authentication under the IPSec tab to Radius.
