
Individual User Authentication from behind 3002

Do users behind a remote 3002 use the Base Group definition for Authentication Server choices? I have the Group defined as "Internal" to represent the user defined on the 3002, but I'm not sure where the users behind the 3002 are authenticating.

Any help will be greatly appreciated.

Thank you,

Per

3 REPLIES

Re: Individual User Authentication from behind 3002

Hi,

The 3002 can authenticate itself to the concentrator (no tokens, static password) or let users authenticate (they need to open a web page to anything through the client; the 3002 intercepts this and prompts for the password, which can use tokens).

To enable user authentication:

First, on the Concentrator, under the HW client tab, check: require individual user auth AND require interactive HW authentication.

This way the "user" of the 3002 client will not be used, but instead the info provided by the user.

The group's General -> Auth field specifies if the user is on the local database or on a radius server, SDI server and so on.

Please rate if this helped.

Also check http://cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a0080094297.shtml

Regards,

Daniel


Re: Individual User Authentication from behind 3002

Thanks for the quick reply, Daniel. I have some clarifying questions, if you don't mind.

First, I am not requiring interactive hardware authentication as I thought that would require a user's intervention to connect the 3002 to the concentrator. That is not my intention - I want the 3002 to automatically connect, but require the users behind it to authenticate prior to passing traffic through the tunnel.

For adding the Group's General Auth setting, I currently have it set for "Internal" as the 3002 user is defined on the 3030.

I currently have the Authentication Server for the GROUP defined as our Domain Controllers internally and the auth type is NT. I am moving authentication over to an IAS server doing RADIUS server. Given that I have this server defined at the System Servers level, my impression is that I can delete the Auth servers on the Group. My guess is that the users behind the 3002 will drop down to the Base Group where the Radius server is defined and all will be fine.

Am I correct in this assumption? My concern is that the group's IPSec->Auth field is set to "Internal" and I'm afraid I will break authentication for this group.

Re: Individual User Authentication from behind 3002

Hi,

The "requiring interactive hardware authentication" is needed if you use tokens on the users.

!!!!!! The 3002 will use the group name/pass, NOT the Authentication setting (internal, RADIUS and so on).

Now it's a matter of authenticating the user (directly configuring the user on the 3002 or asking for user authentication as they pass the 3002).

As per the link I sent you:

"Users behind the Cisco VPN 3002 Hardware Client who want to send traffic through the VPN tunnel must first perform a user authentication with the use of a web browser. Open a web browser and go to the internal IP address of the Cisco VPN 3002 Hardware Client or to any IP address reachable through the VPN tunnel."

If Group -> IPSEC -> Authentication is set to internal, the username/password from the users will be matched against the local users on the concentrator.

Just add RADIUS authentication on the group (Group -> IPSEC -> Authentication), no need to use the base.

Check also: http://cisco.com/en/US/products/hw/vpndevc/ps2284/prod_configuration_examples_list.html#anchor12

Please rate if this helped.

Regards,

Daniel
