Cisco Support Community

VPN3000 Authentication: Group Delimiter function ??

Dear All,

Here is my test result regarding group delimiter:

Settings are as follows:

1. Checked "enable group lookup" at System->General->Authentication

Group delimiter "@" selected.

2. Checked "Strip Realm" at Groups-> General setting (group name is testgroup)

3. Set Group-> Ipsec-Authentication to "SDI" so that the user authentication will be done by an external ACE/Server

4. Created a user named "testuser" at the ACE/Server.

At the VPN Remote Client, I entered the following in each test:

Test 1 :

Group : "testgroup" , User: "testuser"

Result: No problem on authentication.

Test 2:

Group: "testgroup" , User: "testuser@testgroup"

Result: No problem on authentication

Test 3:

Group: "testgroup" , User: "testuser@whatevergroup"

Result: User cannot authenticate

Question:

From the results of Test 1 and Test 2, a user that is not using an "@" and a user that is using an "@" delimiter will authenticate just fine. How can I force a user to use an "@" delimiter, so that a user that is not using the "@" delimiter will be rejected?

I appreciate any help.

Regards,


Re: VPN3000 Authentication: Group Delimiter function ??

According to the following link, http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3000/3_5/config/usermgt.htm, it shows the "Strip Realm" as being needed if the server is unable to parse delimiters. So you might want to try it without the Strip Realm.
