Internal Authentication Server

Natha340Mai340
Level 3

Hi, this is my third time posting the same problem about authentication on the VPN 3000, but until now I haven't had a response on any of the posts.

Maybe this time I'm clearer than the others.

go ahead....

I have a VPN 3000 with a PPTP tunnel VPN and the first authentication option is the Radius server:

Configuration > System > Server > Authentication is firstly the Radius server and then Internal (authentication on the Base Group Internal).

But when I configure a user in User Management > User, it doesn't work. I think that the authentication order is first Radius and, if it doesn't find the user, the second option is processed, which (in this case) is the Internal server. But that doesn't occur; the error in the log is:

44 04/20/2011 00:00:08.550 SEV=3 AUTH/5 RPT=137 187.55.63.215
Authentication rejected: Reason = Authentication failure
handle = 299, server = (none), user = x1, domain = <not specified>

46 04/20/2011 00:00:08.550 SEV=5 PPP/9 RPT=135 187.55.63.215
User [x1]
disconnected.. failed authentication ( MSCHAP-V2 )

How does the VPN 3000 behave when the first server (in this case a Radius) doesn't find the user? Is the second one processed?

What do I have to do for the second option to be processed?

Thanks.


4 Replies

Jennifer Halim
Cisco Employee

Only if the radius server is actually down, or if the VPN Concentrator is not able to reach the radius server, will it then fall back to using the internal authentication.

From the error log, it seems that your radius server is rejecting the user, hence it will never fall back to using the local authentication server, because it's the user that is being rejected by the radius server, i.e. incorrect authentication, not an inability to reach or contact the radius server.
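To make the fallback rule in the reply above concrete, here is an added Python model (not from the thread or from Cisco) of the server-order behaviour: the server names, the simulated user lists and the convention that a TimeoutError means "unreachable" are assumptions, and no real RADIUS traffic is sent.

```python
# Added example (not from the thread): a model of the VPN 3000 authentication
# server order. A server that cannot be reached is skipped and the next one in
# the list is tried; an Access-Reject ends the attempt without falling back.
# Server behaviour is simulated here, not real RADIUS over UDP.
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Result(Enum):
    ACCEPT = "accept"
    REJECT = "reject"


# A simulated server maps (user, password) -> Result, or raises TimeoutError
# when it is "unreachable" (assumption: that is how a dead server shows up).
Server = Callable[[str, str], Result]


def make_radius(users: Dict[str, str], reachable: bool = True) -> Server:
    """Simulated RADIUS server: rejects unknown users and wrong passwords."""
    def auth(user: str, password: str) -> Result:
        if not reachable:
            raise TimeoutError("no response from RADIUS server")
        return Result.ACCEPT if users.get(user) == password else Result.REJECT
    return auth


def make_internal(users: Dict[str, str]) -> Server:
    """Simulated internal (local) user database; always reachable."""
    def auth(user: str, password: str) -> Result:
        return Result.ACCEPT if users.get(user) == password else Result.REJECT
    return auth


def authenticate(servers: List[Tuple[str, Server]], user: str,
                 password: str) -> Tuple[Result, str]:
    """Walk the configured server list in order and return (result, server).

    Fallback to the next server happens only when the current one is
    unreachable; a REJECT is final, as the reply above explains.
    """
    for name, server in servers:
        try:
            return server(user, password), name
        except TimeoutError:
            continue  # unreachable: try the next configured server
    return Result.REJECT, "(none)"  # no server could be contacted at all


if __name__ == "__main__":
    internal = make_internal({"x1": "local-pw"})          # constructed users
    radius_up = make_radius({"bob": "radius-pw"})          # x1 is unknown here
    radius_down = make_radius({"bob": "radius-pw"}, reachable=False)
    # Reachable RADIUS rejects x1, so the internal account is never consulted.
    print(authenticate([("radius", radius_up), ("internal", internal)], "x1", "local-pw"))
    # Unreachable RADIUS is skipped and the internal server decides.
    print(authenticate([("radius", radius_down), ("internal", internal)], "x1", "local-pw"))
```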

Thanks Jennifer!

My aim is to deploy a security policy (some users can't access some inside network servers) on the VPN 3000, so I've thought to use the internal authentication to handle the policy. For example, I wish to always reserve an IP address for the same user, and I can't find how to achieve this with Radius authentication. With the internal server it is very easy.

Is it possible to always reserve one IP address for the same user using Radius?

Thanks.

You can lock the radius user down into a specific policy as follows:

http://www.cisco.com/en/US/tech/tk59/technologies_configuration_example09186a00800946a2.shtml

Alternatively, you can also assign IP Address from the radius server, by choosing the following option to enable that feature:

http://www.cisco.com/en/US/docs/security/vpn3000/vpn3000_47/configuration/guide/address.html#wp1000336

(enable: Use Address from Authentication server)

Then you will need your radius server to assign ip address to users.

Thanks very much Jennifer! Now my IP reservation is working.