VPN3030 authentication to ACS Radius

jofleming
Level 1

I have a new ACS server 3.3. I am running older code on my 3030 concentrator 3.5.3.A. I have defined the new Radius server to the concentrator as a global server. When I use the "test" function I get the message: Authentication failure. No active server found.

A sniffer capture on the concentrator shows no packets sent to the ACS server from the concentrator.

Thanks.

3 Replies

gfullage
Cisco Employee

Only thing I can think of that would cause that is that the Radius server is on the Public interface of the concentrator, and the default Public filter is blocking it from sending Radius packets. If the Radius server is on the inside then you should have the "Private (default)" filter applied which is a "permit any" type filter with no restrictions.

Thanks for the reply.

I double checked - the ACS server is definitely accessed through the private interface. Ping works.

The private interface has the Private(Default) filter applied. This filter contains a couple of rules allowing VCA but also contains Any In(forward/in) and Any Out(forward/out).

I just do not see any packets generated to the ACS destination address, unless I perform a ping.

Thanks,

Joe

I had a similar incident when I upgraded to ACS 3.3 and was running vpn3000-4.1.2.Rel-k9.bin on my concentrators. Once I verified the RADIUS Server secret, I still had problems. I rebooted the VPN concentrator and everything started working.