Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

Integration of VPN 3000 with IAS as RADIUS server


i am trying to use a IAS Radius server as Authorization server (only authorization, no authentication, i do authentication with another type of server) and i must include a field called "Common user password" in Servers|Authorization|Add/Modify window.

Documentation of VPN 300 configuration says that you must provide this password to the Radius server administrator, but I have to do this too!!!

Does anyone know how i can associate this password (in IAS server) to each user authorizing to this server??

Please, i have had a lot of problems with this.

Thanks and best regards,


Cisco Employee

Re: Integration of VPN 3000 with IAS as RADIUS server

in most of the setups, single radius server is used for both authentication and authorization (because this is quite natural for RADIUS).

If you do need separate server for authorization - then let me just explain you what setting are expected for "Common User Password".

When VPN3000 is going to fetch authorization information from Authorization server, it

needs to send a username inside the query (this is obvious).

If Authorization server is also RADIUS server, then some password is needed (due to the nature of RADIUS protocol).

"Common User Password" options allows you to specify the same i.e. common password for

ALL users (for any username).

So administrator of RADIUS server (which is used for separate authorization) can

create your user's accounts with needed individual authorization attributes but with

simply same common password.

This is just to simplify RADIUS server config.


Other option is not to specify "common user password", in this case VPN3000 will use

"user1" as password for "user1", "user2" as password for "user2" ....and so on.

These settings are infact required when you have Authentication setup using

Certificates(SSL Client/WebVPN) and authorization needs to be done through a Radius server. Or in a setup where you have separate servers for Authentication and

Authorization(e.g. IPSec Clients).

Also, these settings are completely transparent to the users and they do not need to do anything on their side.

I hope this explains it.

*Please rate if helped.


Community Member

Re: Integration of VPN 3000 with IAS as RADIUS server

Hi Kanishka,

thanks for your help, i understand now how it works and why it needs common password for authotization!

But now i have another problem: I have to configure Radius server too!!!

Do you know how i can do what you said in the frst option? I can't change all authorized user's passwords in Active Directory (obvious), each user has his own password.

I think it's a big problem.

Thanks ins advance and best regards,


Community Member

Re: Integration of VPN 3000 with IAS as RADIUS server

Hi Kanishka and the rest of you,

i've configured my concentrator with separated authentication and authorization, and configured my authorization server as you said me, with a common user password. I have test the server from Concentrator and authorize succesfully.

When i login WebVPN, i start my session as a member of the group defined in the "Class" attribute, but without permissions, so i have to introduce my username&password to access shares of fileservers defined in the group.

Does anybody know what's going on?

CreatePlease to create content