VPN Authentication and Authorisation from separate sources through ACS
I am on site with a client as part of a Crypto Card install. The multi-factor portion of the install is complete and we are having no problems. However, the client has requested that they provide Authentication from the Crypto-Card Server via RADIUS through ACS and Authorization from their AD server via LDAP through ACS.
Currently our configuration is as follows:
CryptoCard token (configured with no pin)
VPN Concentrator: Group Configured for multi-factor with forced Authorization via RADIUS enabled. Group configured for Authentication via RADIUS with CC server as primary server in Unknown User Policy.
Group configured as Internal.
ACS Server: Currently configured to talk LDAP to AD (this is working for production VPN groups) and Radius to CC server (this is working for 1TP).
When we test a user name in the Authorization test mode on the concentrator it fails as an unknown user. We are confused why this is happening because the VPN clear sees the user name via ACS for normal Authentication.
We have configured the outside and inside Interface with official IPv6 addresses, set a default route on the outside Interface to our router, and we have also defined a rule, which also gets hits, to permit tcp from the inside Interface to any6.
In Syslog I also se...