Cisco Support Community
Community Member

Does VPN3015 support TACACS+ server (ACS) for VPN client 3.5.2 connection?

I'm connecting VPN client 3.5.2B to VPN concentrator ver. 3.5.2, and I also have an ACS server with TACACS+. Are they going to work fine together, or does the VPN3015 only support RADIUS AAA?

Any suggestion would be appreciated.

Silvia

5 REPLIES
Community Member

Re: Does VPN3015 support TACACS+ server (ACS) for VPN client 3.5

At this moment, the VPN client authentication only supports the standard RADIUS protocol. TACACS+ can be used for administrator authentication on the VPN 3000 concentrators.

Best Regards,

Community Member

Re: Does VPN3015 support TACACS+ server (ACS) for VPN client 3.5

Hi Paul,

Thanks for your reply, but do you have any sample config that shows how to AAA the CVPN client with a RADIUS server through the Concentrator? I have been trying all this time, but every time I change the authentication from INTERNAL to RADIUS under the GROUP and IPSEC tab, I get the message "Remote Peer terminated connection", and the following log is what I got from the concentrator.

Any suggestion?

33 07/10/2002 10:33:49.290 SEV=4 AUTH/15 RPT=44
Server name = 172.16.4.13, type = RADIUS,
group = SyscomIPSEC, status = Active

34 07/10/2002 10:38:23.470 SEV=4 CONFIG/17 RPT=7
Done writing configuration file, Success.

35 07/10/2002 10:38:58.340 SEV=4 AUTH/15 RPT=45
Server name = 172.16.4.13, type = RADIUS,
group = SyscomIPSEC, status = Not-in-service

37 07/10/2002 10:38:58.340 SEV=4 AUTH/9 RPT=1 64.52.125.122
Authentication failed: Reason = No active server found
handle = 52, server = 172.16.4.13, user = Tang

39 07/10/2002 10:38:58.340 SEV=4 IKE/167 RPT=1 64.52.125.122
Group [SyscomIPSEC] User [Tang]
Remote peer has failed user authentication -
check configured username and password

42 07/10/2002 10:39:07.600 SEV=4 AUTH/9 RPT=2 64.52.125.122
Authentication failed: Reason = No active server found
handle = 54, server = (none), user = Tang

44 07/10/2002 10:39:07.600 SEV=4 IKE/167 RPT=2 64.52.125.122
Group [SyscomIPSEC] User [Tang]
Remote peer has failed user authentication -
check configured username and password

47 07/10/2002 10:39:14.890 SEV=4 AUTH/9 RPT=3 64.52.125.122
Authentication failed: Reason = No active server found
handle = 56, server = (none), user = Tang

49 07/10/2002 10:39:14.890 SEV=4 IKE/167 RPT=3 64.52.125.122
Group [SyscomIPSEC] User [Tang]
Remote peer has failed user authentication -
check configured username and password
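
In the log above, each AUTH/9 "No active server found" entry is followed by an IKE/167 entry that points at the username and password. The following Python is an added example, not part of the original thread and not Cisco code: it parses that log layout and separates failures caused by an unavailable RADIUS server from other failures. The sample lines, addresses and names are constructed, and the second failure reason is a placeholder string rather than a real concentrator message.

```python
import re

# Constructed sample in the layout of the concentrator log quoted above.
# Addresses, group and user names are placeholders; EXAMPLE-OTHER-REASON
# is a placeholder, not a real concentrator reason string.
SAMPLE = """\
10 07/10/2002 10:38:58.340 SEV=4 AUTH/15 RPT=45
Server name = 192.0.2.13, type = RADIUS,
group = ExampleGroup, status = Not-in-service
11 07/10/2002 10:38:58.340 SEV=4 AUTH/9 RPT=1 198.51.100.7
Authentication failed: Reason = No active server found
handle = 52, server = 192.0.2.13, user = alice
12 07/10/2002 10:38:58.340 SEV=4 IKE/167 RPT=1 198.51.100.7
Group [ExampleGroup] User [alice]
Remote peer has failed user authentication -
check configured username and password
13 07/10/2002 10:41:02.100 SEV=4 AUTH/9 RPT=2 198.51.100.9
Authentication failed: Reason = EXAMPLE-OTHER-REASON
handle = 60, server = 192.0.2.13, user = bob
"""

# Header line: sequence, date and time, severity, event class/number, repeat count, optional peer.
HEADER = re.compile(r"^(\d+) (\S+ \S+) SEV=\d+ (\w+/\d+) RPT=\d+(?: (\S+))?$")

def parse_events(text):
    """Group each header line with its continuation lines into one event."""
    events = []
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            events.append({"seq": int(m[1]), "time": m[2], "event": m[3], "peer": m[4], "body": ""})
        elif line.strip() and events:
            events[-1]["body"] += " " + line.strip()
    return events

def triage(events):
    """Return last known server status and each AUTH/9 failure with its cause."""
    status, failures = {}, []
    for e in events:
        if e["event"] == "AUTH/15":
            m = re.search(r"Server name = (\S+),.*status = (\S+)", e["body"])
            if m:
                status[m[1]] = m[2]
        elif e["event"] == "AUTH/9":
            m = re.search(r"Reason = (.*?) handle = \d+, server = (\S+), user = (\S+)", e["body"])
            if m:
                cause = "aaa-server-unavailable" if m[1] == "No active server found" else "other"
                failures.append((m[3], e["peer"], cause))
    return status, failures

print(triage(parse_events(SAMPLE)))
```

A failure tagged `aaa-server-unavailable` points at connectivity or server configuration between the concentrator and the RADIUS server, not at the user's credentials.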

Cisco Employee

Re: Does VPN3015 support TACACS+ server (ACS) for VPN client 3.5

Here is a guide for you.

http://www.cisco.com/warp/customer/707/CiscoSecure.html

I would suggest configuring the server, and then doing a test on the server.

There is a test tab once you have defined a server under | config | system | Servers | Authentication | --> select the server you created and then click on test. This would allow you to confirm that the concentrator can talk to the RADIUS server.

Regards,

Community Member

Re: Does VPN3015 support TACACS+ server (ACS) for VPN client 3.5

Hi edadios,

According to the sample you sent me, they are using ACS 2.5. I'm just wondering whether 2.4 would work the same? I did what you told me to test the communication between ACS and the concentrator, but it failed! No active server is found. Any suggestion or idea? Am I using the right version of server?

Silvia

Community Member

Re: Does VPN3015 support TACACS+ server (ACS) for VPN client 3.5

You are trying to authenticate the GROUP, not just a user. In order to authenticate a group of the VPN3000 on ACS 2.6 you should configure the group mapping and enable the support of AV (Attribute/Value pair) of VPN3000 on the ACS. You can configure groups locally on the VPN3000, leave the Authentication INTERNAL for the groups but for the users enable RADIUS. In this case you just have to configure the users in ACS and do not bother about AVs.
