When creating a group on the 3005 and then specifying external - I go to the VPN client and try to authenticate and I dont even get an Xauth password prompt. When I go to the CSACS server under failed attempts I see that the 3005 sent the group name "group1" as the username.
Why is the 3005 sending the group name as the username to CSACS?
Is it possible to specify on the 3005 to use external for the group and then let CSACS authenticate the user?
It seems as this is the correct way because when I applied my knowledge and tried to use a group name configured on the 3005 as the Xauth password it (3005) rejected it and told me that I cannot authenticate using that which matches a group name.
ok, I need to talk to you then, because I'm having a problem where I can get the group to authenicate but I can't get the client to pop up a xauth dialog for username and password. I feel like I'm doing everything correct. I can get the vpn up with just the group auth. Where could I be going wrong?
If all you want to do is authenticate users within a 3000 group to an external ACS server, then set the group to Internal (yes, Internal) on the 3000. Disregard the wording on this screen, it just confuses everyone. Go back in and modify this group and you'll find you have extra tabs that you can set. Under the IPSec tab, set Authentication to Radius. That's all you need to do, and is the correct way to do it.
Setting the 3000 group to External means you want to configure all the group parameters on an external ACS server, not that you want to authenticate users in that group to an external server. You'll notice that when you set it to EXternal, most of the configuration tabs disappear, that's because the 3000 is assuming that you're going to configure everything on the ACS server and send it down. If you do this (and you can, it's just that most people dont), then yes, you need to create a user on ACS with the 3000 group name and password, and send back all the 3000 group attributes back. Add the 3000 as a Cisco VPN3000 NAS into ACS, then go under Interface Config - Radius (Cisco VPN3000) section, and check all the attributes in the User column. Now when you modify the 3000 user, you'll be able to set all those 3000 group attributes just as if you were in the 3000 GUI, these will be returned to the 3000 when it tries to authenticate the group user/password, and everything will work normally. Again though, not many people do this, and most people just get confused with the Internal/External setting.
To repeat, if you just want to authenticate VPN users to the external Radius server, set the 3000 group to Internal and under the IPSec tab set Authentication to Radius.
If you really want to define all group parameters on the ACs server, then, and only then, set the 3000 group to External and make sure the ACS server is set up to send back all those group parameters as Radius attributes.
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...