VPN 3005 + ACS 3.0 for Authentication/Administration purposes

mredel · ‎07-24-2002

I'm using the configuration found at:

http://www.cisco.com/warp/public/471/vpn3k_tacacs.html

And it does not work. The concentratrator (3005) is configured so that our Cisco VPN client users authenticate against ACS, and this works just fine. What doesn't work, is when I try to set the concentrator up so that people logging into to the concentrator to adminster it, get authenticated against ACS, instead of the local acount DB. The sample config seems to specify that there has to be local account on the concentrator called admin, with admin rights. This doesn't make much sense, as the whole point of ACS is to use it's account DB (usernames/passwords), for authentication, no the local DB.

paqiu · ‎07-24-2002

The reason why you need check "admin" in the 3000 concentrator, is no using it as a username to pass the authentication.

Just make sure "AAA Access Level" 15 is configed correct.

It function like a group , it need to be matching in the TACACS server group settings. in the example it matches TACACS server group 2 "previlege level 15".

The username in the TACACS server can be anything. "Jack", "Tom", not necessary to be "admin". As far as you put all the users into "Group2" which configed "previlege level " 15, it will be working fine.

I guess, using "admin" as username configed in the TACACS+ server is a little bit confusing here.

I have put our discussion into the feedback for this URL on CCO.

I belive our technical witer will improve it better and reduce the confusion.

Best Regards,

mredel · ‎07-25-2002

Paigu,

Thank you for clearing that up. Based on what you said, I am doing everything correctly now. However, I still get an error when the 3005 tries to contact the ACS server which is:

Authentication Error: No response from server

I know that the VPN concetrator has connectivity to the ACS box, because our VPN users are getting authenticated succesfully.

Thanks