
VPN3000 Authentication: Group Delimiter function ??

engel
Level 2

Dear All,

Here is my test result regarding group delimiter:

Settings as follows:

1. Checked "enable group lookup" at System->General->Authentication

Group delimiter "@" selected.

2. Checked "Strip Realm" at Groups-> General setting (group name is testgroup)

3. Set Group-> Ipsec-Authentication to "SDI" so that the user authentication will be done by an external ACE/Server

4. Created a user named "testuser" at the ACE/Server.

At the VPN Remote Client, I entered the following in each test:

Test 1 :

Group : "testgroup" , User: "testuser"

Result: No problem on authentication.

Test 2:

Group: "testgroup" , User: "testuser@testgroup"

Result: No problem on authentication

Test 3:

Group: "testgroup" , User: "testuser@whatevergroup"

Result: User cannot authenticate

Question:

From the results of Test 1 and Test 2, a user who is not using an "@" and a user who is using an "@" delimiter will both authenticate just fine. How can I force a user to use an "@" delimiter, so that a user who is not using the "@" delimiter will be rejected?

I appreciate any help.

Regards,


r-simpson
Level 3

According to the following link, http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3000/3_5/config/usermgt.htm, it shows the "Strip Realm" as being needed if the server is unable to parse delimiters. So you might want to try it without the Strip Realm.