
User Authentication fails in L2TP/IPsec conf with ACS

Yossi.Mor
Level 1

Hi forum,

I have set up a deployment for L2TP/IPsec where wireless clients authenticate against an ACS server via a VPN 3000 concentrator.

ACS is configured to search for users in Active Directory.

The problem is that the user is successfully authenticated only after 5-6 attempts.

I get the following error on the concentrator:

1212 01/30/2004 16:40:39.370 SEV=6 AUTH/6 RPT=622 69.78.5.93 Authentication challenge: handle = 972, server = 10.129.45.200, user = vnrcorl@csl.gov

1214 01/30/2004 16:40:43.430 SEV=4 AUTH/15 RPT=457 Server name = 10.129.45.200, type = RADIUS, group = none (global server), status = Not-in-service

1216 01/30/2004 16:40:43.430 SEV=4 AUTH/9 RPT=283 69.78.5.93 Authentication failed: Reason = No active server found handle = 972, server = (none), user = vnrcorl@csl.gov

1218 01/30/2004 16:40:43.430 SEV=4 PPP/46 RPT=118 Authentication Subsystem error: No active server found

Does anyone have a suggestion for this unstable behavior?

Regards.

Yossi Mor

3 Replies

omsantos
Level 1

The meaning of this error is that the concentrator attempted to send the authentication request to the ACS server but didn't receive a reply from it. What do you see in the ACS logs? Do you see that it receives the authentication request? If so, do you see the authentication passing when querying Active Directory? If so, then probably a sniffer trace between the ACS and concentrator should be collected to see if the ACS is indeed sending the authentication accept message back to the concentrator or if it never sends it. This can be caused by many, many, many factors (i.e. sporadic connectivity problems between the concentrator and ACS, ACS never receiving the reply from concentrator, etc).
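
One way to triage these events offline, as an added example that is not part of the original thread: it pairs each challenge with a "No active server found" failure on the same handle and reports how long the concentrator waited and which server it marked Not-in-service. The event layout and the function names are assumptions based only on the four lines posted in the question.

```python
import re
from datetime import datetime

# The four event lines from the question above (user name de-wrapped).
SAMPLE = """\
1212 01/30/2004 16:40:39.370 SEV=6 AUTH/6 RPT=622 69.78.5.93 Authentication challenge: handle = 972, server = 10.129.45.200, user = vnrcorl@csl.gov
1214 01/30/2004 16:40:43.430 SEV=4 AUTH/15 RPT=457 Server name = 10.129.45.200, type = RADIUS, group = none (global server), status = Not-in-service
1216 01/30/2004 16:40:43.430 SEV=4 AUTH/9 RPT=283 69.78.5.93 Authentication failed: Reason = No active server found handle = 972, server = (none), user = vnrcorl@csl.gov
1218 01/30/2004 16:40:43.430 SEV=4 PPP/46 RPT=118 Authentication Subsystem error: No active server found
"""

# Assumed layout: seq, date time.ms, SEV=n, CLASS/id, RPT=n, free-text message.
EVENT = re.compile(
    r"^\d+ (?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"SEV=\d+ (?P<cls>[A-Z0-9]+/\d+) RPT=\d+ (?P<msg>.*)$")
HANDLE = re.compile(r"handle = (\d+)")
SERVER_DOWN = re.compile(
    r"Server name = (\S+), type = (\w+), .*status = Not-in-service")

def parse(text):
    """Yield (event class, timestamp, message); skip lines that do not match."""
    for line in text.splitlines():
        m = EVENT.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%m/%d/%Y %H:%M:%S.%f")
            yield m["cls"], ts, m["msg"]

def no_reply_failures(text):
    """Correlate AUTH/6 challenges with AUTH/9 'No active server found'."""
    pending, down, findings = {}, [], []
    for cls, ts, msg in parse(text):
        h = HANDLE.search(msg)
        if cls == "AUTH/6" and h:
            pending[h.group(1)] = ts            # request sent to the server
        elif cls == "AUTH/15":
            s = SERVER_DOWN.search(msg)
            if s:
                down.append((s.group(1), s.group(2)))
        elif cls == "AUTH/9" and h and "No active server found" in msg:
            start = pending.pop(h.group(1), None)
            waited = round((ts - start).total_seconds(), 2) if start else None
            findings.append({"handle": h.group(1), "waited_s": waited,
                             "servers_down": down})
            down = []
    return findings

if __name__ == "__main__":
    for finding in no_reply_failures(SAMPLE):
        print(finding)
```

A wait of several seconds between the challenge and the failure, as in the posted lines, is consistent with the request going unanswered rather than being rejected.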

mlipsey
Level 1

What version of code are you using where VPN Client authorization via an ACS Server is supported?

I have the latest from the web site today;

Cisco Systems, Inc./VPN 3000 Concentrator Version 4.1.1.Rel Feb 12 2004 17:54:39

And all I see as options for Client/Group authentication is Radius, NT Domain, SDI, Kerberos and Internal.

I'd love to use my ACS server for Client Authentication via TACACS, is that possible?

Hi,

I am using software version 4.0 on the VPN 3004.

I believe that there is no problem working with TACACS since ACS supports that protocol. I did not try that option.

Regards.

Yossi Mor
