VPN 3002 and Individual User Authentication

mmelbourne
Level 5

I am attempting to get Individual User Authentication (IUA) working on a VPN3002 hardware client (client and concentrator at 3.6.1). The user details are stored on a CSACS server (2.6(1)). The static user name/password for the initial tunnel authentication (as stored on the VPN3002) are also stored in the CSACS user database. The user names used for IUA are CSACS users which are defined as SDI Token card users. These users can successfully authenticate with the VPN Concentrator when using the VPN software client.

The tunnel between the VPN3002 and the Concentrator is established successfully, but the IUA is failing. The following entries are displayed in the log file:

5967 09/18/2002 18:14:52.740 SEV=3 AUTH/5 RPT=91 195.X.X.X
Authentication rejected: Reason = User was not found
handle = 472, server = Internal, user = test.user, domain = <not specified>
5969 09/18/2002 18:14:52.740 SEV=5 AUTH/48 RPT=5
RADIUS Proxy received an auth reject for hw client 10.99.200.1
5970 09/18/2002 18:14:52.740 SEV=5 AUTH/48 RPT=6
RADIUS Proxy received an auth reject for hw client 10.99.200.1

The documentation suggests that IUA queries all the Authentication servers in turn, starting at the top of the list. This explains the three lines above: the user is not found in the internal database, and the two RADIUS (CSACS) servers are then queried in turn, but both are responding with an "authentication reject" error. The IP address 10.99.200.1 is the IP address of the private interface of the VPN3002. What could be causing this? Does anything special need to be configured within CSACS?
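The post reads the three log entries as one IUA attempt walking the concentrator's server list (internal database first, then each RADIUS server). The following Python script is an added example, not code from the original thread or from Cisco: it parses the VPN 3000 concentrator event log in the layout the quoted entries show (a header line "seq date time SEV=n CLASS/id RPT=n [source]" followed by one or more message lines), then counts internal "User was not found" rejects per user and RADIUS proxy rejects per hardware client, so that a run of rejects for one VPN3002 can be spotted in a longer log. The header layout is assumed from the quoted entries only; the sample log is constructed from them.

```python
import re
from collections import Counter

# Constructed sample log, modelled on the three entries quoted in the post above.
SAMPLE_LOG = """\
5967 09/18/2002 18:14:52.740 SEV=3 AUTH/5 RPT=91 195.X.X.X
Authentication rejected: Reason = User was not found
handle = 472, server = Internal, user = test.user, domain = <not specified>
5969 09/18/2002 18:14:52.740 SEV=5 AUTH/48 RPT=5
RADIUS Proxy received an auth reject for hw client 10.99.200.1
5970 09/18/2002 18:14:52.740 SEV=5 AUTH/48 RPT=6
RADIUS Proxy received an auth reject for hw client 10.99.200.1
"""

# Event header: "<seq> <mm/dd/yyyy> <hh:mm:ss.mmm> SEV=<n> <CLASS>/<id> RPT=<n> [<source>]".
# This field layout is an assumption taken from the quoted entries; the event's
# message text follows on the next line(s).
HEADER_RE = re.compile(
    r"^(?P<seq>\d+) (?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}\.\d{3}) "
    r"SEV=(?P<sev>\d+) (?P<cls>[A-Z]+)/(?P<eid>\d+) RPT=(?P<rpt>\d+)(?: (?P<src>\S+))?$"
)
USER_RE = re.compile(r"\buser = (?P<user>\S+?),")
HW_CLIENT_RE = re.compile(r"for hw client (?P<ip>\S+)")


def parse_events(text):
    """Group the log into events: one header line plus its following message lines."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            events.append({
                "seq": int(m["seq"]),
                "timestamp": f"{m['date']} {m['time']}",
                "severity": int(m["sev"]),
                "class": m["cls"],
                "event_id": int(m["eid"]),
                "source": m["src"],  # None when the header carries no source address
                "message": [],
            })
        elif events:
            events[-1]["message"].append(line)
        # A message line seen before any header belongs to a truncated capture and is dropped.
    return events


def summarize_auth_rejects(events):
    """Count rejects the way the post describes them: the internal server reports
    'Authentication rejected' with the user name, and each RADIUS server the concentrator
    proxies to then reports a reject for the hardware client's address."""
    internal = Counter()
    proxy = Counter()
    for ev in events:
        if ev["class"] != "AUTH":
            continue
        text = " ".join(ev["message"])
        if "Authentication rejected" in text:
            um = USER_RE.search(text)
            if um:
                internal[um["user"]] += 1
        hm = HW_CLIENT_RE.search(text)
        if hm:
            proxy[hm["ip"]] += 1
    return {"internal_rejects": dict(internal), "radius_proxy_rejects": dict(proxy)}


def flag_hw_clients(summary, threshold=2):
    """Hardware clients whose proxy rejects reach the threshold, e.g. every configured
    RADIUS server rejected the same IUA attempt."""
    return sorted(ip for ip, n in summary["radius_proxy_rejects"].items() if n >= threshold)


if __name__ == "__main__":
    summary = summarize_auth_rejects(parse_events(SAMPLE_LOG))
    print(summary)
    print("hw clients rejected by every RADIUS server:", flag_hw_clients(summary))
```

Run against a larger export of the concentrator's event log, the per-client counter separates a single mis-ordered server list (a steady pattern of one internal miss followed by one reject per RADIUS server for each login) from genuinely bad credentials, which would show as rejects from the server that actually holds the user.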

2 Replies

smahbub
Level 6

The following is a great link for configuring IUA on the concentrator. http://www.cisco.com/warp/public/471/vpn3002-ind-usr-auth.html

In the servers section on the concentrator, move that auth server to the top.