01-08-2007 09:02 AM - edited 02-21-2020 10:17 AM
Do users behind a remote 3002 use the Base Group definition for Authentication Server choices? I have the Group defined as "Internal" to represent the user defined on the 3002, but I'm not sure where the users behind the 3002 are authenticating.
Any help will be greatly appreciated.
Thank you,
Per
01-08-2007 09:23 AM
Hi,
The 3002 can authenticate itself to the concentrator (no tokens, static password) or let the users authenticate (they need to open a www page to anything through the client; the 3002 intercepts this and prompts for the password, which can use tokens).
To enable user authentication:
First, on the Concentrator, under the HW Client tab, check: require individual user auth AND require interactive HW authentication.
This way the "user" of the 3002 client will not be used; instead, the info provided by the user will be.
The group's General -> Auth field specifies if the user is on the local database or on a radius server, SDI server and so on.
Please rate if this helped.
Regards,
Daniel
01-08-2007 10:01 AM
Thanks for the quick reply, Daniel. I have some clarifying questions, if you don't mind.
First, I am not requiring interactive hardware authentication as I thought that would require a user's intervention to connect the 3002 to the concentrator. That is not my intention - I want the 3002 to automatically connect, but require the users behind it to authenticate prior to passing traffic through the tunnel.
For adding the Group's General Auth setting, I currently have it set for "Internal" as the 3002 user is defined on the 3030.
I currently have the Authentication Server for the GROUP defined as our Domain Controllers internally and the auth type is NT. I am moving authentication over to an IAS server doing RADIUS. Given that I have this server defined at the System Servers level, my impression is that I can delete the Auth servers on the Group. My guess is that the users behind the 3002 will drop down to the Base Group where the RADIUS server is defined and all will be fine.
Am I correct in this assumption? My concern is that the group's IPSec->Auth field is set to "Internal" and I'm afraid I will break authentication for this group.
01-08-2007 11:50 PM
Hi,
The "requiring interactive hardware authentication" is needed if you use tokens on the users.
!!!!!! The 3002 will use the group name/pass, NOT the Authentication setting (internal, RADIUS and so on).
Now it's a matter of authenticating the user (directly configuring the user on the 3002, or asking for user authentication as they pass through the 3002).
As per the link I sent you:
"Users behind the Cisco VPN 3002 Hardware Client who want to send traffic through the VPN tunnel must first perform a user authentication with the use of a web browser. Open a web browser and go to the internal IP address of the Cisco VPN 3002 Hardware Client or to any IP address reachable through the VPN tunnel."
If Group -> IPSEC -> Authentication is set to Internal, the username/pass from the users will be matched against the local users on the concentrator.
Just add RADIUS authentication on the group (Group -> IPSEC -> Authentication); no need to use the base.
Check also: http://cisco.com/en/US/products/hw/vpndevc/ps2284/prod_configuration_examples_list.html#anchor12
Please rate if this helped.
Regards,
Daniel