Cisco Support Community

New Member

Authentication passing on Cisco ACS but failing on VPN Concentrator.

G'day All,

I am experiencing a problem where users, within a couple of NT domains, are being authenticated against the Cisco ACS server (RADIUS) then the same users are failing authentication on the VPN Concentrator.

I am currently able to authenticate other NT domain users and AD users through the same ACS/VPN Concentrator pair.

What's going on?

The users that are passing on the ACS and failing on the VPN can be authenticated locally within the domain.

When I try a test authentication against the authentication server configured on the Concentrator, I get the following message returned:

Authentication Error: No response from server

However, the user is definitely passed on the ACS server.

3 REPLIES

Re: Authentication passing on Cisco ACS but failing on VPN Conce

Hi Kirby,

The error means "No response from server = There is no response from the selected server within the configured timeout and retry periods".

The server might be improperly configured or out of service, the network might be down or clogged, etc. Check the server configuration parameters, be sure the server is operating, check the network connections, etc.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_guide_chapter09186a00803ee1cf.html#wp1081667

When you need to use ACS to authenticate VPN users, you need to carefully check all required parameters. Sometimes it could be due to a small error, e.g. an extra space, wrong secret password and so on.

The 'Test' button is used to verify whether your VPN3K can really talk to ACS.

Since only the authentication is failing between VPN3K and ACS, it was normally due to config parameters which could be missing either in VPN or ACS (mismatch).

Check the following for both VPN3K and ACS:

1. VPN3K

Configuration | System | Servers : Authentication

Under 'Add', check for:

Server type: NT Domain

Server Port: 1645 (default). Can also use UDP 1812.

Server Secret: -> try to re-key it in again, no extra char or space

Verify:

2. ACS - make sure you add VPN3K under 'Network Configuration' as AAA Client. Besides hostname & IP, check other info like authentication server type - RADIUS (Cisco VPN 3000).

Also, make sure both can ping each other.

FYI, authentication server can also be assigned to individual group.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_guide_chapter09186a00803ee1f0.html#wp2396065

Rgds,

AK

New Member

Re: Authentication passing on Cisco ACS but failing on VPN Conce

G'day AK,

that is exactly what I did to resolve the problem.

About minutes after I posted this message, I went back to basics and monitored the authentication process from Monitoring|Statistics|Authentication.

I could see the requests being sent, retried and timing out.

Then I configured a longer timeout value against the server in question, and everything worked.

Cheers for your input though, if I hadn't worked it out, what you had written would have sorted it out.

Cheers, Kirby.
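The two causes raised in this thread, a mistyped shared secret and a timeout that is too short, look alike from the client side: per RFC 2865 a RADIUS client silently discards a reply whose Response Authenticator does not verify, so it times out just as if the reply had arrived too late. The sketch below is an added example, not code from the thread or from Cisco; the secret, packet contents, timings and the retry-window model (timeout × (retries + 1)) are assumptions.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2  # RADIUS code for Access-Accept

def response_authenticator(code, ident, req_auth, attrs, secret):
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()

def build_reply(code, ident, req_auth, attrs, server_secret):
    """Build a reply the way the server signs it, using the server's copy of the secret."""
    auth = response_authenticator(code, ident, req_auth, attrs, server_secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs

def diagnose(reply, req_ident, req_auth, client_secret, latency_s, timeout_s, retries):
    """Classify how a client treats a reply arriving latency_s after its first request."""
    # Assumed model: the client waits timeout_s for the first try and for each retry.
    if latency_s > timeout_s * (retries + 1):
        return "late"
    if len(reply) < 20:
        return "malformed"
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if ident != req_ident or length != len(reply):
        return "malformed"
    expected = response_authenticator(code, ident, req_auth, reply[20:], client_secret)
    if not hmac.compare_digest(expected, reply[4:20]):
        return "bad-authenticator"  # silently discarded, so the client times out
    return "accepted"

# Constructed sample data, not taken from the thread.
REQ_AUTH = bytes(range(16))
ATTRS = b"\x12\x04ok"  # Reply-Message attribute (type 18, length 4)
REPLY = build_reply(ACCESS_ACCEPT, 7, REQ_AUTH, ATTRS, b"s3cret")

if __name__ == "__main__":
    print(diagnose(REPLY, 7, REQ_AUTH, b"s3cret", 1.0, 4, 2))    # matching secret, fast reply
    print(diagnose(REPLY, 7, REQ_AUTH, b"s3cret ", 1.0, 4, 2))   # trailing space in client secret
    print(diagnose(REPLY, 7, REQ_AUTH, b"s3cret", 15.0, 4, 2))   # slow back end, short timeout
    print(diagnose(REPLY, 7, REQ_AUTH, b"s3cret", 15.0, 10, 2))  # same delay, longer timeout
```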

New Member

Re: Authentication passing on Cisco ACS but failing on VPN Conce

Hi,

When users are trying to authenticate from the concentrator, change the authentication parameter for the group to Internal. You can do this by selecting the Modify button for the group.
