
New Member

VPN3000 Authentication: Group Delimiter function ??

Dear All,

Here is my test result regarding group delimiter:

Settings as follows:

1. Checked "enable group lookup" at System->General->Authentication

Group delimiter "@" selected.

2. Checked "Strip Realm" at Groups-> General setting (group name is testgroup)

3. Set Group-> Ipsec-Authentication to "SDI" so that the user authentication will be done by an external ACE/Server

4. Created a user named "testuser" at the ACE/Server.

At the VPN Remote Client, I entered the following for each test:

Test 1 :

Group : "testgroup" , User: "testuser"

Result: No problem on authentication.

Test 2:

Group: "testgroup" , User: "testuser@testgroup"

Result: No problem on authentication

Test 3:

Group: "testgroup" , User: "testuser@whatevergroup"

Result: User cannot authenticate


From the results of Test 1 and Test 2, a user that is not using an "@" delimiter and a user that is using an "@" delimiter will both authenticate just fine. How can I force a user to use an "@" delimiter, so that a user that is not using the "@" delimiter will be rejected?

I appreciate any help.


New Member

Re: VPN3000 Authentication: Group Delimiter function ??

According to the following link, "Strip Realm" is shown as being needed if the server is unable to parse delimiters. So you might want to try it without Strip Realm.