New Member

VPN 3005 integrated auth with ACS and RSA Server

Hi guys, I have a VPN 3005, using version 4.7.2.B, and I have the following problem.

When a remote user using the Cisco VPN client tries to connect to the VPN 3005, he must try twice to authenticate.

At the first try, the user is authenticated, but the connection is immediately terminated by the peer.

After the second try, the user is authenticated OK.

Accepted Solutions
Cisco Employee

Re: VPN 3005 integrated auth with ACS and RSA Server

Pablo,

When you use RADIUS authentication on the concentrator, the ACS server will automatically send all the user attributes to the concentrator for the user that is connecting. There is no need to have Authorization configured on the RADIUS server.

According to the logs, it seems like the IP pool is the problem.

Group [GroupP] User [tuser] Obtained IP addr (192.168.32.128) prior to initiating Mode Cfg (XAuth enabled)

Group [GroupP] User [tuser] Sending subnet mask (255.255.255.224) to remote client

Group [GroupP] User [tuser] Attempted to assign network or broadcast IP address, removing (192.168.32.128) from pool

After this, I see the client negotiation again and the client gets connected.

So, the IP address is removed from the pool. Please make sure you configure a pool that doesn't have any broadcast IP address.

Thanks

Gilbert

Rate it, if this post helps.
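
An added example, not part of the original thread: a Python check that lists which addresses in a client pool are the network or broadcast address of their subnet under the mask sent to the client, as in the log above. The function name and the pool ranges are constructed for illustration, and it assumes the concentrator evaluates each address against that mask.

```python
import ipaddress


def unusable_pool_addresses(pool_start, pool_end, netmask):
    """Return (address, kind) pairs for every address in the inclusive range
    pool_start..pool_end that is a network or broadcast address under netmask."""
    start = int(ipaddress.IPv4Address(pool_start))
    end = int(ipaddress.IPv4Address(pool_end))
    if end < start:
        raise ValueError("pool end is below pool start")

    # Parsing the mask as a network also rejects non-contiguous masks.
    prefix = ipaddress.IPv4Network(f"0.0.0.0/{netmask}").prefixlen
    host_bits = 32 - prefix
    if host_bits < 2:
        raise ValueError("mask leaves no separate network/broadcast address")

    block = 1 << host_bits            # addresses per subnet
    net = start & ~(block - 1)        # subnet containing the first pool address
    flagged = []
    # Step subnet by subnet instead of testing every address in the pool.
    while net <= end:
        for candidate, kind in ((net, "network"), (net + block - 1, "broadcast")):
            if start <= candidate <= end:
                flagged.append((str(ipaddress.IPv4Address(candidate)), kind))
        net += block
    return flagged


if __name__ == "__main__":
    mask = "255.255.255.224"  # mask from the log line in the thread
    # Constructed pool ranges; only 192.168.32.128 and the mask come from the thread.
    for lo, hi in (("192.168.32.128", "192.168.32.159"),
                   ("192.168.32.129", "192.168.32.158")):
        print(lo, "-", hi, "->", unusable_pool_addresses(lo, hi, mask) or "clean")
```

A pool that returns an empty list hands out only host addresses, so the first connection attempt is not spent on an address the concentrator then discards.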

4 REPLIES
Cisco Employee

Re: VPN 3005 integrated auth with ACS and RSA Server

Pablo,

Are you trying to do Authentication and Authorization?

Can you please enable the logs on the concentrator to see what is happening?

Some logs that would help: AUTH, AUTHDBG, IKE, IKEDBG, IPSEC, IPSECDBG - severity 1-13.

Cheers

Gilbert

New Member

Re: VPN 3005 integrated auth with ACS and RSA Server

Hi Gilbert. The VPN Concentrator has authentication and authorization enabled.

All is integrated using CiscoSecure ACS Release 3.3(2) Build 2 and RSA Authentication Manager 6.1.1.

The logs are attached:

New Member

Re: VPN 3005 integrated auth with ACS and RSA Server

Gilbert, that was the problem.

I changed the pool settings at the concentrator and the following attempt was successful.

Pablo
