VPN Concentrator 3005 using Radius

j.knapp
Level 1

I am setting up a vpn concentrator 3005 and am running into a bit of trouble getting radius authentication to work within groups. Where you add authentication methods such as radius, or edit the internal authentication, the test function of radius works fine. But when you go down to the group and then try and test the authentication through there it does not work. I am using IAS on win2k server for radius. I currently have a 3com ras1500 that works fine with radius.

Here is the notice in the event log for radius working under where you initially setup authentication types:

Event Type: Information
Event Source: IAS
Event Category: None
Event ID: 1
Date: 1/11/2003
Time: 2:38:44 PM
User: N/A
Computer: PRIMUS
Description:
User testuser was granted access.
Fully-Qualified-User-Name = htfd.local/Domain OU's/Information Services/testuser
NAS-IP-Address = 192.168.0.28
NAS-Identifier = <not present>
Client-Friendly-Name = frank3005.htfd.local
Client-IP-Address = 192.168.0.28
NAS-Port-Type = Virtual
NAS-Port = <not present>
Policy-Name = Allow access if dial-in permission is enabled
Authentication-Type = PAP
EAP-Type = <undetermined>

Here is the error in the event log when trying to test from under the group:

Event Type: Warning
Event Source: IAS
Event Category: None
Event ID: 2
Date: 1/11/2003
Time: 2:39:17 PM
User: N/A
Computer: PRIMUS
Description:
User testuser was denied access.
Fully-Qualified-User-Name = HLCJ\testuser
NAS-IP-Address = 192.168.0.28
NAS-Identifier = <not present>
Called-Station-Identifier = <not present>
Calling-Station-Identifier = <not present>
Client-Friendly-Name = frank3005.htfd.local
Client-IP-Address = 192.168.0.28
NAS-Port-Type = Virtual
NAS-Port = <not present>
Policy-Name = <undetermined>
Authentication-Type = PAP
EAP-Type = <undetermined>
Reason-Code = 16
Reason = There was an authentication failure because of an unknown user name or a bad password.

I have tried both the Cisco and Microsoft settings under IAS, but it didn't make a difference. The CD that came with the VPN 3005 said it came with a RADIUS server, but all that was in the folder was an ini file and a text file. Can anyone help?
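When two IAS events like the ones above differ only in a few attributes, it helps to diff them field by field instead of reading them side by side. The following is an added example, not code from the original post: it parses the IAS event description format into a dictionary, reports which attributes changed between the working and failing test, and maps Reason-Code 16 to the check that resolved this thread (the shared secret on the group's authentication server screen). The two event texts are constructed samples trimmed from the thread.

```python
import re

# Constructed samples, trimmed from the two IAS events quoted in the thread.
IAS_GRANTED = """User testuser was granted access.
Fully-Qualified-User-Name = htfd.local/Domain OU's/Information Services/testuser
NAS-IP-Address = 192.168.0.28
Client-Friendly-Name = frank3005.htfd.local
Policy-Name = Allow access if dial-in permission is enabled
Authentication-Type = PAP"""

IAS_DENIED = """User testuser was denied access.
Fully-Qualified-User-Name = HLCJ\\testuser
NAS-IP-Address = 192.168.0.28
Client-Friendly-Name = frank3005.htfd.local
Policy-Name = <undetermined>
Authentication-Type = PAP
Reason-Code = 16
Reason = There was an authentication failure because of an unknown user name or a bad password."""

def parse_ias_event(text):
    """Parse an IAS event description into {attribute: value}.
    The first line ('User X was granted/denied access.') becomes User and Outcome."""
    fields = {}
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    m = re.match(r"User (\S+) was (granted|denied) access\.", lines[0])
    if m:
        fields["User"], fields["Outcome"] = m.group(1), m.group(2)
    for line in lines[1:]:
        key, sep, value = line.partition(" = ")
        if sep:  # ignore lines that are not 'Attribute = value'
            fields[key.strip()] = value.strip()
    return fields

def diff_events(granted, denied):
    """Attributes whose values differ between a working and a failing attempt
    from the same NAS; these are the fields to compare first."""
    keys = set(granted) | set(denied)
    return {k: (granted.get(k, "<absent>"), denied.get(k, "<absent>"))
            for k in sorted(keys) if granted.get(k) != denied.get(k)}

def explain_denial(granted, denied):
    """Turn the failing event into concrete checks. Reason-Code 16 is IAS's
    'unknown user name or bad password'; with PAP the password is masked using
    the RADIUS shared secret, so a secret that differs between the IAS client
    entry and the concentrator's group screen also shows up as a bad password."""
    hints = []
    if denied.get("Outcome") != "denied":
        return hints
    if denied.get("Reason-Code") == "16":
        hints.append("Reason-Code 16: confirm the shared secret on the group's "
                     "authentication server screen matches the IAS client entry")
    g_name = granted.get("Fully-Qualified-User-Name")
    d_name = denied.get("Fully-Qualified-User-Name")
    if g_name and d_name and g_name != d_name:
        hints.append("Fully-Qualified-User-Name resolved differently (%s vs %s); "
                     "compare how each test submits the user name" % (g_name, d_name))
    return hints
```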

5 Replies

gfullage
Cisco Employee

It doesn't make sense that the Test function on the Authentication Server screen works but the same button doesn't work on the Group Authentication Server screen; the button does exactly the same thing on both screens.

Are you sure you added the secret key correctly on the Group Auth screen? That could be the only reason I can see for that happening.

How have you defined Radius authentication for this particular group? Modify the group and make sure it's set to Internal on the Identity tab. Then go under the IPSec tab and set Authentication to Radius. That should be all you need to do.

Thank you very much, that did the trick.

What I was doing was setting the group to external authentication because that is what the menu said to do. When you go to modify the group and you are on the first tab you have to select which type of authentication. The options are internal or external. The note next to it is this "External groups are configured on an external authentication server (e.g. RADIUS). Internal groups are configured on the VPN 3000 Concentrator's Internal Database." So accordingly I selected external. Does this mean this first menu part is incorrect, or am I just confused?

You're confused, but you're not alone :-)

Setting a group to External means that the entire group's parameters (all the settings on all the other tabs) are configured on a Radius server. It doesn't mean that users in that group will be authenticated against the Radius server; that is set up as I described earlier.

In an ACS Radius server, you can define every group parameter on the Radius server, then just add the group name in as a username and send back all those attributes to the 3000. Not many people do it; most just get confused and set it to External when all they really want is to have the users in that group authenticate externally, while the group parameters themselves are still set locally on the 3000.

Seems to make pretty good sense now, thanks a lot for the quick answers.

Thanks muchly. Please close the case.

BTW, you may want to make a note to have the "docs guys" explain that "authentication vs. group params" in the config example... even a footnote would have cleared it up for me :)
