
Integration of VPN 3000 with IAS as RADIUS server

mj.jimenez
Level 1

Hi,

I am trying to use an IAS RADIUS server as an authorization server (only authorization, no authentication; I do authentication with another type of server) and I must include a field called "Common user password" in the Servers|Authorization|Add/Modify window.

The documentation for VPN 3000 configuration says that you must provide this password to the RADIUS server administrator, but I have to do this too!!!

Does anyone know how I can associate this password (in the IAS server) with each user authorizing to this server?

Please, I have had a lot of problems with this.

Thanks and best regards,

Luis

3 Replies

kaachary
Cisco Employee

In most setups, a single RADIUS server is used for both authentication and authorization (because this is quite natural for RADIUS).

If you do need a separate server for authorization, then let me just explain what settings are expected for "Common User Password".

When the VPN3000 is going to fetch authorization information from the Authorization server, it needs to send a username inside the query (this is obvious).

If the Authorization server is also a RADIUS server, then some password is needed (due to the nature of the RADIUS protocol).

The "Common User Password" option allows you to specify the same, i.e. common, password for ALL users (for any username).

So the administrator of the RADIUS server (which is used for separate authorization) can create your users' accounts with the needed individual authorization attributes but with simply the same common password.

This is just to simplify the RADIUS server config.

======

The other option is not to specify a "common user password"; in this case the VPN3000 will use "user1" as the password for "user1", "user2" as the password for "user2", and so on.

These settings are in fact required when you have Authentication set up using Certificates (SSL Client/WebVPN) and authorization needs to be done through a RADIUS server, or in a setup where you have separate servers for Authentication and Authorization (e.g. IPSec Clients).

Also, these settings are completely transparent to the users and they do not need to do anything on their side.

I hope this explains it.

*Please rate if helped.

-Kanishka

Hi Kanishka,

Thanks for your help, I understand now how it works and why it needs a common password for authorization!

But now I have another problem: I have to configure the RADIUS server too!!!

Do you know how I can do what you said in the first option? I can't change all authorized users' passwords in Active Directory (obvious), each user has his own password.

I think it's a big problem.

Thanks in advance and best regards,

Luis

Hi Kanishka and the rest of you,

I've configured my concentrator with separate authentication and authorization, and configured my authorization server as you told me, with a common user password. I have tested the server from the Concentrator and it authorizes successfully.

When I log in to WebVPN, I start my session as a member of the group defined in the "Class" attribute, but without permissions, so I have to introduce my username and password to access the shares of the fileservers defined in the group.

Does anybody know what's going on?
