VPN 3000 , Domain Controller, ACS
Page 1 of 2 12 LastLast
Results 1 to 10 of 11

Thread: VPN 3000 , Domain Controller, ACS

  1. #1
    Senior Member
    Join Date
    Dec 2004
    Posts
    139

    VPN 3000 , Domain Controller, ACS

    I have got this scenario, Backup Domain Controller resides within my LAN, cisco secure ACS (uses RADUIS protocol) resides within my LAN as well.

    ACS configuration
    --------------------
    As you can see (Top figure) that VPN server -192.168.5.254- (concentrator 3000) was configured to be authenticated by ACS -192.168.5.50-.


    VPN 3000 Configuration
    ---------------------------
    In the bottom figure VPN server was pointed to "Server Type" as: RADUIS , and "server authentication" is : 192.168.2.11 (Backup Domain Controller ) ? Why has it not been pointed to Cisco Secure ACS 192.168.5.50 ?

    http://img105.imageshack.us/img105/8...aduisdcrn6.jpg

    VPN 3000 and Cisco Secure ACS both of them are connected to cisco core switch 4000,,,,,,,,default gateway should be switch.

    VPN 3000 and Cisco Secure ACS both of them are running in parallel (i.e not behind not infront)

  2. #2
    Senior Member
    Join Date
    Dec 2004
    Posts
    139
    Any idea ?

  3. #3
    Shrekkie Reloaded Raiden's Avatar
    Join Date
    Oct 2005
    Posts
    1,115
    Was the 192.168.2.11 already configured ? If so, does the ACS have multiple interfaces ? Does any aaa from the concentrator ? If so, then you just might have to change the authentication server ip to 192.168.5.50, but be careful if its an operational concentrator. Changing the aaa-server might give problems. Anyway I'd sort out what for device 192.168.2.11 is.

    If I understand your problem correctly, you have added the concentrator in the ACS and don't understand why the 192.168.2.11 is in the Concentrator config ? Please clarify your problem a bit.

  4. #4
    Shadow Programmer mmelby's Avatar
    Join Date
    Jul 2002
    Location
    Ft. Myers, FL
    Posts
    291
    We are doing almost exactly the same thing you are... You have not really provided enough information.

    A couple of things come to mind:

    The timeout setting on the VPN concentrator is a little short for Radius authentication. Ours is set to 20 (instead of 4)

    Have you tested the authentication process from the ACS box to AD?

    What do the logs (under Reports and Activity) indicate when you attempt an authentication?

    On the VPN concentrator you have the option to test the radius authentication. Have you done this? What do the logs say?


    Hopefully this points you in the right direction.
    Last edited by mmelby; January 31st, 2007 at 10:14 PM.
    Work... Some days it's just not worth chewing through the restraints...

  5. #5
    Senior Member
    Join Date
    Dec 2004
    Posts
    139

    Post

    Was the 192.168.2.11 already configured ?
    Yes. as you see here :
    http://img405.imageshack.us/img405/6...rraduiscj1.jpg

    does the ACS have multiple interfaces
    No

    Does any aaa from the concentrator ?
    I will check that

    If I understand your problem correctly, you have added the concentrator in the ACS
    No, I have not done anything , the configuration was there and network was setup by someone else, I am just try to study the design

    don't understand why the 192.168.2.11 is in the Concentrator config
    I try to figure out why 192.168.2.11 was there.

    Please clarify your problem a bit.
    Hopefully I have clarified all the ambiguities

  6. #6
    Senior Member
    Join Date
    Dec 2004
    Posts
    139
    You have not really provided enough information.
    I will be glad to provide any information

    The timeout setting on the VPN concentrator is a little short for Radius authentication. Ours is set to 20 (instead of 4)
    I will study that.

    1- Have you tested the authentication process from the ACS box to AD?
    2- What do the logs (under Reports and Activity) indicate when you attempt an authentication?
    i will check that and let you know

    On the VPN concentrator you have the option to test the radius authentication. Have you done this? What do the logs say?
    No. I have not done that yet.

    Hopefully this points you in the right direction.
    Great , I will do all the test and post the output if there are any.

  7. #7
    Senior Member
    Join Date
    Dec 2004
    Posts
    139
    On the VPN concentrator you have the option to test the radius authentication. Have you done this?
    I followed step 5 in the link below:
    http://www.cisco.com/en/US/products/...80094a03.shtml


    But I received the below error message :
    http://img247.imageshack.us/img247/4...gintestkl1.jpg

    At work (not remotely) I tried to test VPN , by entering my Active Directory's username and password but I received the error message in the link above, thought with same username and password I can access the VPN from remote area.
    Last edited by zillah; February 4th, 2007 at 08:56 AM.

  8. #8
    Senior Member
    Join Date
    Dec 2004
    Posts
    139
    2- What do the logs (under Reports and Activity) indicate when you attempt an authentication?
    When I checked the Cisco Secure ACS --> Reports and Activity --> Failed Attempts,,,,,,,Nothing was written to these reports.Doesn't that mean that ACS is not used ?

  9. #9
    Shadow Programmer mmelby's Avatar
    Join Date
    Jul 2002
    Location
    Ft. Myers, FL
    Posts
    291
    Quote Originally Posted by zillah
    When I checked the Cisco Secure ACS --> Reports and Activity --> Failed Attempts,,,,,,,Nothing was written to these reports.Doesn't that mean that ACS is not used ?
    If you are not getting anything under Failed Attempts that would indicate that ACS is not being used for authentication.

    In the VPN concentrator under Configuration--> System --> Servers --> Authentication. You should have a server identified as your Radius server. It should look something like

    192.168.2.2 (Radius/User Authentication)

    If you select that server and press the Test button to test the authentication what is returned in the test?
    Work... Some days it's just not worth chewing through the restraints...

  10. #10
    Senior Member
    Join Date
    Dec 2004
    Posts
    139
    If you select that server and press the Test button to test the authentication what is returned in the test?
    The answer would be :
    But I received the below error message :
    http://img247.imageshack.us/img247/4...gintestkl1.jpg

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •