Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member



When creating a group on the 3005 and then specifying external - I go to the VPN client and try to authenticate and I dont even get an Xauth password prompt. When I go to the CSACS server under failed attempts I see that the 3005 sent the group name "group1" as the username.

Why is the 3005 sending the group name as the username to CSACS?

Is it possible to specify on the 3005 to use external for the group and then let CSACS authenticate the user?

Community Member

Re: VPN 3005, CSACS RADIUS, VPN Client


I have it working.

This is strange and I dont know if it is the proper way to do things.

Because the 3005 was sending the group name as the username to CSACS. I decided to create a user with the username of group1 on the CSACS.

When trying to connect from the client I get past AM, it then prompts me for a password (Xauth) and I type in another user on the CSACS user1 and VOILA! it works.

Is this the proper way to configure it though?

Community Member

Re: VPN 3005, CSACS RADIUS, VPN Client

It seems as this is the correct way because when I applied my knowledge and tried to use a group name configured on the 3005 as the Xauth password it (3005) rejected it and told me that I cannot authenticate using that which matches a group name.

Is there anyway to give myself 5 points? :-)

Community Member

Re: VPN 3005, CSACS RADIUS, VPN Client

ok, I need to talk to you then, because I'm having a problem where I can get the group to authenicate but I can't get the client to pop up a xauth dialog for username and password. I feel like I'm doing everything correct. I can get the vpn up with just the group auth. Where could I be going wrong?

Cisco Employee

Re: VPN 3005, CSACS RADIUS, VPN Client

If all you want to do is authenticate users within a 3000 group to an external ACS server, then set the group to Internal (yes, Internal) on the 3000. Disregard the wording on this screen, it just confuses everyone. Go back in and modify this group and you'll find you have extra tabs that you can set. Under the IPSec tab, set Authentication to Radius. That's all you need to do, and is the correct way to do it.

Setting the 3000 group to External means you want to configure all the group parameters on an external ACS server, not that you want to authenticate users in that group to an external server. You'll notice that when you set it to EXternal, most of the configuration tabs disappear, that's because the 3000 is assuming that you're going to configure everything on the ACS server and send it down. If you do this (and you can, it's just that most people dont), then yes, you need to create a user on ACS with the 3000 group name and password, and send back all the 3000 group attributes back. Add the 3000 as a Cisco VPN3000 NAS into ACS, then go under Interface Config - Radius (Cisco VPN3000) section, and check all the attributes in the User column. Now when you modify the 3000 user, you'll be able to set all those 3000 group attributes just as if you were in the 3000 GUI, these will be returned to the 3000 when it tries to authenticate the group user/password, and everything will work normally. Again though, not many people do this, and most people just get confused with the Internal/External setting.

To repeat, if you just want to authenticate VPN users to the external Radius server, set the 3000 group to Internal and under the IPSec tab set Authentication to Radius.

If you really want to define all group parameters on the ACs server, then, and only then, set the 3000 group to External and make sure the ACS server is set up to send back all those group parameters as Radius attributes.

CreatePlease to create content