05-26-2006 01:52 AM - edited 02-21-2020 12:55 AM
G'day All,
I am experiencing a problem where users, within a couple of NT domains, are being authenticated against the Cisco ACS server (RADIUS) then the same users are failing authentication on the VPN Concentrator.
I am currently able to authenticate other NT domain users and AD users through the same ACS/VPN Concentrator pair.
What's going on?
The users that are passing on the ACS and failing on the VPN can be authenticated locally within the domain.
When I try a test authentication against the authentication server configured on the Concentrator, I get the following message returned:
Authentication Error: No response from server
However, the user is definitely passed on the ACS server.
05-27-2006 04:30 AM
Hi Kirby,
The error means "No response from server = There is no response from the selected server within the configured timeout and retry periods".
The server might be improperly configured or out of service, the network might be down or clogged, etc. Check the server configuration parameters, be sure the server is operating, check the network connections, etc.
When you need to use ACS to authenticate VPN users, you need to carefully check all required parameters. Sometimes it could be due to a small error, e.g. an extra space, a wrong secret password and so on.
The 'Test' button is used to verify whether your VPN3K can really talk to ACS.
Since only the authentication is failing between VPN3K and ACS, it was normally due to config parameters which could be missing either in VPN or ACS (mismatch).
Check the following for both VPN3K and ACS:
1. VPN3K
Configuration | System | Servers : Authentication
Under 'Add', check for:
Server type: NT Domain
Server Port: 1645 (default). Can also use UDP 1812.
Server Secret :
Verify:
2. ACS - make sure you add VPN3K under 'Network Configuration' as AAA Client. Besides hostname & IP, check other info like authentication server type - RADIUS (Cisco VPN 3000).
Also, make sure both can ping each other.
FYI, authentication server can also be assigned to individual group.
Rgds,
AK
05-28-2006 03:30 PM
G'day AK,
that is exactly what I did to resolve the problem.
About minutes after I posted this message, I went back to basics and monitored the authentication process from Monitoring|Statistics|Authentication.
I could see the requests being sent, retried and timing out.
Then I configured a longer timeout value against the server in question, and everything worked.
Cheers for your input though; if I hadn't worked it out, what you had written would have sorted it out.
Cheers, Kirby.
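The failure mode resolved above (the server accepts the user, the client reports "No response from server" until the timeout is raised), reproduced on loopback as an added example that is not part of the thread. The slow stand-in server, `radius_probe`, the shared secret, the user name and the delay values are all constructed for illustration.

```python
import hashlib, os, socket, struct, threading, time

SECRET = b"constructed-secret"  # sample shared secret, not a value from the thread

def start_slow_server(delay):
    """Loopback stand-in for a RADIUS server that sends Access-Accept after `delay` seconds."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    def reply(data, addr):
        head = struct.pack("!BBH", 2, data[1], 20)  # code 2 = Access-Accept, echo the Identifier
        # RFC 2865 Response Authenticator: MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
        auth = hashlib.md5(head + data[4:20] + SECRET).digest()
        try:
            srv.sendto(head + auth, addr)
        except OSError:
            pass  # client already gave up and closed its socket
    def loop():
        while True:
            try:
                data, addr = srv.recvfrom(4096)
            except OSError:
                return
            threading.Timer(delay, reply, (data, addr)).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()

def radius_probe(server, timeout, retries, user=b"vpnuser"):
    """Mimic a client-side test: send, wait `timeout` s, retransmit up to `retries` times."""
    req_auth = os.urandom(16)
    attr = struct.pack("!BB", 1, 2 + len(user)) + user  # User-Name only; the stand-in checks no password
    pkt = struct.pack("!BBH", 1, 7, 20 + len(attr)) + req_auth + attr  # code 1 = Access-Request, ID 7
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as cli:
        cli.settimeout(timeout)
        for attempt in range(1, retries + 2):
            sent = time.monotonic()
            cli.sendto(pkt, server)
            try:
                data, _ = cli.recvfrom(4096)
            except socket.timeout:
                continue  # no answer inside the window: retransmit or give up
            good = len(data) >= 20 and hashlib.md5(data[:4] + req_auth + data[20:] + SECRET).digest() == data[4:20]
            if good and data[1] == 7:
                return {"result": "accept" if data[0] == 2 else "reject", "attempts": attempt, "rtt": time.monotonic() - sent}
        return {"result": "No response from server", "attempts": retries + 1, "rtt": None}

if __name__ == "__main__":
    server = start_slow_server(delay=1.0)
    print(radius_probe(server, timeout=0.2, retries=1))  # gives up before the reply arrives
    print(radius_probe(server, timeout=3.0, retries=1))  # same server, longer timeout: accept
```

The `rtt` value from a successful probe is the number to compare against the configured timeout and retry settings when the server side logs a pass but the client side times out.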
06-02-2006 08:40 AM
Hi,
When users are trying to authenticate from the concentrator, change the authentication parameter for the group to Internal. You can do this by selecting the modify button for the group.