The setup I have at the moment is VPN 3030, ACS 3.1 server, and CA server.
I cannot get the VPN client to authenticate the user against the ACS server, which is mapped to the domain controller.
On the 3030 VPN concentrator I have created a group called test group; this is using internal Authentication. The reason why it is internal is because I am using a CA server; if I use External I have no options to configure IPsec on the ACS. I have gone for internal for the group on the VPN 3030 concentrator.
Also, on the group on the concentrator I have highlighted it and added the ACS as the RADIUS authentication server and performed a test: I put in the user name and password and it worked. This was from the concentrator.
So I go to my VPN client and connect; it communicates with the concentrator and then prompts me to authenticate. I put in the same user name and password but it fails. In the event log on the concentrator I get this error:
Authentication rejected: Reason = User was not found
handle = 84, server = Internal, user = rick.jones, domain = <not specified>
What I don't understand is that when I was using preshared keys on the group in the concentrator and it was external, so the group was on the ACS, it all worked. But I wanted to use certificates, so I had to make the group internal so I could configure all the IPsec settings. But now authentication is not working.
If you're using certs then the user is going to be mapped to the group that matches the OU in their certificate (by default), although you can set up other group mappings under the Config - Policy Mgmt - Group Matching section.
Once you're sure the user is being mapped to the correct group, then leave this group as Internal, but go under the IPSec tab and set Authentication to Radius. Then any user in this group will authenticate to the Radius server that you've defined.