03-20-2007 10:45 AM
Hi,
I am trying to use an IAS Radius server as Authorization server (only authorization, no authentication, I do authentication with another type of server) and I must include a field called "Common user password" in the Servers|Authorization|Add/Modify window.
Documentation of VPN 300 configuration says that you must provide this password to the Radius server administrator, but I have to do this too!!!
Does anyone know how I can associate this password (in IAS server) to each user authorizing to this server?
Please, I have had a lot of problems with this.
Thanks and best regards,
Luis
03-20-2007 12:57 PM
In most setups, a single RADIUS server is used for both authentication and authorization (because this is quite natural for RADIUS).
If you do need a separate server for authorization, then let me just explain what settings are expected for "Common User Password".
When the VPN3000 is going to fetch authorization information from the Authorization server, it needs to send a username inside the query (this is obvious).
If the Authorization server is also a RADIUS server, then some password is needed (due to the nature of the RADIUS protocol).
The "Common User Password" option allows you to specify the same, i.e. common, password for ALL users (for any username).
So the administrator of the RADIUS server (which is used for separate authorization) can create your users' accounts with the needed individual authorization attributes but with simply the same common password.
This is just to simplify the RADIUS server config.
======
The other option is not to specify a "common user password"; in this case the VPN3000 will use "user1" as password for "user1", "user2" as password for "user2", and so on.
These settings are in fact required when you have Authentication set up using Certificates (SSL Client/WebVPN) and authorization needs to be done through a Radius server, or in a setup where you have separate servers for Authentication and Authorization (e.g. IPSec Clients).
Also, these settings are completely transparent to the users and they do not need to do anything on their side.
I hope this explains it.
*Please rate if helped.
-Kanishka
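An added example (not part of the original thread and not Cisco's or Microsoft's code) of the authorization query described in the reply above: the request carries the username plus either the common password or, if none is configured, the username itself, hidden as a RADIUS User-Password attribute per RFC 2865 section 5.2. All function names, the shared secret and the sample users are constructed for illustration.

```python
import hashlib, os, struct

def authz_password(username, common_password=None):
    # Per the reply above: the common password if configured, else the username.
    return common_password if common_password else username

def _keystream(secret, prev):
    return hashlib.md5(secret + prev).digest()

def hide_password(password, secret, authenticator):
    # RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block).
    data = password.encode()
    data += b"\x00" * ((-len(data)) % 16 or (0 if data else 16))
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        prev = bytes(a ^ b for a, b in zip(data[i:i + 16], _keystream(secret, prev)))
        out += prev
    return out

def unhide_password(hidden, secret, authenticator):
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, _keystream(secret, prev)))
        prev = block
    return out.rstrip(b"\x00").decode()

def _attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(username, secret, common_password=None, ident=1):
    authenticator = os.urandom(16)  # Request Authenticator
    password = authz_password(username, common_password)
    attrs = _attr(1, username.encode()) + _attr(2, hide_password(password, secret, authenticator))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

def parse_access_request(packet, secret):
    # What the authorization server sees: (User-Name, recovered User-Password).
    length = struct.unpack("!H", packet[2:4])[0]
    authenticator, pos, found = packet[4:20], 20, {}
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        found[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return found[1].decode(), unhide_password(found[2], secret, authenticator)

if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # constructed sample value
    for user, common in (("user1", "CommonAuthzPw"), ("user2", None)):
        print(parse_access_request(build_access_request(user, secret, common), secret))
```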
03-21-2007 03:55 AM
Hi Kanishka,
thanks for your help, I understand now how it works and why it needs a common password for authorization!
But now I have another problem: I have to configure the Radius server too!!!
Do you know how I can do what you said in the first option? I can't change all authorized users' passwords in Active Directory (obvious), each user has his own password.
I think it's a big problem.
Thanks in advance and best regards,
Luis
03-22-2007 08:27 AM
Hi Kanishka and the rest of you,
I've configured my concentrator with separated authentication and authorization, and configured my authorization server as you told me, with a common user password. I have tested the server from the Concentrator and it authorizes successfully.
When I log in to WebVPN, I start my session as a member of the group defined in the "Class" attribute, but without permissions, so I have to introduce my username & password to access shares of fileservers defined in the group.
Does anybody know what's going on?