VPN Authentication problem

rick.jones
Level 1

Hi, please help.

The set up I have at the moment is VPN 3030, ACS 3.1 server, and CA server.

I cannot get the VPN client to authenticate the user against the ACS server, which is mapped to the domain controller.

On the 3030 VPN concentrator I have created a group called test group; this is using internal Authentication. The reason why it is internal is because I am using CA server; if I use External I have no options to configure IPsec on the ACS. I have gone for internal for the group on the VPN 3030 concentrator.

Also, on the group on the concentrator, I have highlighted it and added the ACS as the RADIUS authentication server and performed a test: I put in the user name and password and it worked. This was from the concentrator.

So I go to my VPN client and connect. It communicated with the concentrator and then prompts me to authenticate. I put in the same user name and password but it fails. In the event log on the concentrator I get this error:

246 08/28/2003 18:12:04.690 SEV=3 AUTH/5 RPT=19 217.158.117.210

Authentication rejected: Reason = User was not found

handle = 84, server = Internal, user = rick.jones, domain = <not specified>

What I don’t understand is that when I was using Preshared keys on the group in the concentrator and it was external, so the group was on the ACS, it all worked. But I wanted to use Certificates, so I had to make the group internal so I could configure all the IPSEC settings. But now authentication is not working.

Please help

Thanks

Rick.

1 Reply

gfullage
Cisco Employee

If you're using certs then the user is going to be mapped to the group that matches the OU in their certificate (by default), although you can set up other group mappings under the Config - Policy Mgmt - Group Matching section.

Once you're sure the user is being mapped to the correct group, then leave this group as Internal, but go under the IPSec tab and set Authentication to Radius. Then any user in this group will authenticate to the Radius server that you've defined.
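
To spot the symptom from the question across a saved event log, the sketch below parses events in the layout of the one quoted there and lists the rejects where the lookup was answered by "server = Internal". It is an added example, not part of the original thread or any Cisco tooling; the second sample event is constructed, and the field layout is assumed from the single event in the post.

```python
import re

# Header line, in the layout of the event quoted in the question:
# seq date time SEV=n CLASS/n RPT=n [peer address]
HEADER = re.compile(
    r"^(?P<seq>\d+)\s+(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>[\d:.]+)\s+"
    r"SEV=(?P<sev>\d+)\s+(?P<event>[A-Z]+/\d+)\s+RPT=(?P<rpt>\d+)"
    r"(?:\s+(?P<peer>\S+))?\s*$")
REASON = re.compile(r"^Authentication rejected: Reason = (?P<reason>.+)$")
PAIR = re.compile(r"(\w+) = ([^,]+)")  # "handle = 84, server = Internal, ..."

def parse_events(text):
    """Group each header line with its continuation lines into one dict."""
    events, cur = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue  # tolerate blank lines inside a pasted event
        header = HEADER.match(line)
        if header:
            cur = header.groupdict()
            events.append(cur)
        elif cur is not None:
            reason = REASON.match(line)
            if reason:
                cur["reason"] = reason.group("reason").strip()
            else:
                cur.update((k, v.strip()) for k, v in PAIR.findall(line))
    return events

def internal_db_rejects(events):
    """AUTH/5 rejects where the user was looked up in the Internal database."""
    return [e for e in events
            if e.get("event") == "AUTH/5" and e.get("server") == "Internal"
            and e.get("reason") == "User was not found"]

# First event is the one from the question; the second is constructed.
SAMPLE = """\
246 08/28/2003 18:12:04.690 SEV=3 AUTH/5 RPT=19 217.158.117.210

Authentication rejected: Reason = User was not found
handle = 84, server = Internal, user = rick.jones, domain = <not specified>
247 08/28/2003 18:15:40.120 SEV=3 AUTH/5 RPT=20 192.0.2.44
Authentication rejected: Reason = Invalid password
handle = 85, server = 192.0.2.10, user = test.user, domain = <not specified>
"""

if __name__ == "__main__":
    for e in internal_db_rejects(parse_events(SAMPLE)):
        print(e["date"], e["time"], e["user"], e["peer"], "-> server = Internal")
```

Each hit is a user the concentrator tried to find in its own database, which is the case the reply addresses by setting Authentication to Radius on the group's IPSec tab.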
