Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
508
Views
0
Helpful
5
Replies

Does VPN3015 support TACACS+ server (ACS) for VPN client 3.5.2 connection?

tkpsimon
Level 1
Level 1

‎07-09-2002 08:36 AM - edited ‎02-21-2020 11:55 AM

I'm connecting VPN client 3.5.2B to VPN concentrator ver.3.5.2. and i also have a ACS server with TACACS+, are they going to work fine together, or VPN3015 only support RADIUS AAA?

any suggestion would be appreciate

Silvia

Labels:
0 Helpful
5 Replies 5

paqiu
Level 1
Level 1

‎07-09-2002 03:21 PM

At this moment, the VPN client authentication only support standard Radius protocol. For TACACS+, it can be used as adminstrators authentication in the VPN 3000 concentrators.

Best Regards,

0 Helpful

tkpsimon
Level 1
Level 1
In response to paqiu

‎07-10-2002 06:48 AM

Hi Paul,

Thanks for your reply, but do you have any sample config that show how to AAA CVPN client with RADIUS server through the Concentrator, i been trying all this time, but i everytime when i change the authentication for INTERNAL to RADIUS under GROUP and IPSEC tab, then i got this message "Remote Peer terminated connection", and the follow log is what i got from the concentrator.

any suggestion

33 07/10/2002 10:33:49.290 SEV=4 AUTH/15 RPT=44

Server name = 172.16.4.13, type = RADIUS,

group = SyscomIPSEC, status = Active

34 07/10/2002 10:38:23.470 SEV=4 CONFIG/17 RPT=7

Done writing configuration file, Success.

35 07/10/2002 10:38:58.340 SEV=4 AUTH/15 RPT=45

Server name = 172.16.4.13, type = RADIUS,

group = SyscomIPSEC, status = Not-in-service

37 07/10/2002 10:38:58.340 SEV=4 AUTH/9 RPT=1 64.52.125.122

Authentication failed: Reason = No active server found

handle = 52, server = 172.16.4.13, user = Tang

39 07/10/2002 10:38:58.340 SEV=4 IKE/167 RPT=1 64.52.125.122

Group [SyscomIPSEC] User [Tang]

Remote peer has failed user authentication -

check configured username and password

42 07/10/2002 10:39:07.600 SEV=4 AUTH/9 RPT=2 64.52.125.122

Authentication failed: Reason = No active server found

handle = 54, server = (none), user = Tang

44 07/10/2002 10:39:07.600 SEV=4 IKE/167 RPT=2 64.52.125.122

Group [SyscomIPSEC] User [Tang]

Remote peer has failed user authentication -

check configured username and password

47 07/10/2002 10:39:14.890 SEV=4 AUTH/9 RPT=3 64.52.125.122

Authentication failed: Reason = No active server found

handle = 56, server = (none), user = Tang

49 07/10/2002 10:39:14.890 SEV=4 IKE/167 RPT=3 64.52.125.122

Group [SyscomIPSEC] User [Tang]

Remote peer has failed user authentication -

check configured username and password

0 Helpful

edadios
Cisco Employee
Cisco Employee
In response to tkpsimon

‎07-10-2002 06:21 PM

Here is a guide for you.

http://www.cisco.com/warp/customer/707/CiscoSecure.html

I would suggest configuring the server, and then doing a test on the server.

there is a test tab once you have defined a server under | config | system | Servers |Authentication | --> select the server you created and then click on test. This would allow you to confirm that the concentrator can talk to the radius server.

Regards,

0 Helpful

tkpsimon
Level 1
Level 1
In response to edadios

‎07-12-2002 09:53 AM

Hi edadios,

According to the samle you send to me, they are using ACS 2.5, i'm just wondering is 2.4 would work the same? I did what you told me to test the communication between ACS and concentrator, but it fail! no active server is found. any suggestion or idea, am i using the right version of server?

Siliva

0 Helpful

dmitry
Level 1
Level 1
In response to tkpsimon

‎07-18-2002 01:00 PM

You are trying to authenticate the GROUP, not just a user. In order to authenticate a group of the VPN3000 on ACS 2.6 you should configure the group mapping and enable the support of AV (Attribute/Value pair) of VPN3000 on the ACS. You can configure groups locally on the VPN3000, leave the Authentication INTERNAL for the groups but for the users enable RADIUS. In this case you just have to configure the users in ACS and do not bother about AVs.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents