New Member

VPN 5000 and ACS 3.0 same user in multiple groups

I have a VPN 5000 authenticating to a Windows 2000 ACS box. I also have a dial RAS box authenticating to ACS. Is there a way users can authenticate with one user name and password and authenticate using this one user name and password to both the VPN 5000 and also the RAS dial-up box? So far I can't seem to make this work. I have to create a static user account for either the dial-up or the VPN account. Since we are using Windows domain authentication, users can map drives to their workstation at work, but with a static account they have to use the ACS database to authenticate and do not use the Windows domain.

2 REPLIES
Cisco Employee

Re: VPN 5000 and ACS 3.0 same user in multiple groups

The problem here is that a VPN user would have a service type of login and a dial-in user would have a service type of framed. Since in RADIUS you could only map one service per group, you need two groups to have the different services. A user, however, could only belong to one group, thus your issue. You could point the VPN 5K to another RADIUS system, with the proper group setup and pointing to the same external database, and point the dial RAS box to another RADIUS server, but pointing to the same external DB for authentication.

New Member

Re: VPN 5000 and ACS 3.0 same user in multiple groups

But depending on the RAS used, it may be able to work. I have a 3640 with PRI+modems and a 5000. If a user is in the VPN group, they can also dial in to the PRI without problems.
