User Login for VPN Client to Concentrator with Cert

chan-kuen.hui
Level 1

Dear All,

I use Concentrator 3030 and VPN Client 3.6.6A. I have configured a Microsoft CA Server. The Concentrator and VPN Client have certificates imported.

When I connect to the concentrator from the client, the connection succeeds immediately. But there is no user login prompt for username and password.

Where can I enable the user login for this?

Thanks.

4 Replies

mhussein
Level 4

Hello,

Is the "group" configuration similar to this example?:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a00800946f3.shtml

Is the user part of this group?

HTH,

Mustafa

Yes, the user is part of the group.

My config is similar, except that under "Configuration > User Management > Groups", on the IPSec tab, when I set the authentication to Internal, the connection fails. When I use None, the connection is OK without a user login prompt.

Any mis-configuration?

Thanks.

Hi,

You should try to look under "Configuration | Policy Management | Certificate Group Matching | Rules" in order to "map" some of your certificate's attributes to the group you defined. Place the user in this group and you'll see that a screen "username|password" appears on the VPN client side.

You should try to use the Monitoring | Live Filter Log for very comprehensive messages on what happens during the "handshaking" procedure between the VPN client and the VPN Concentrator.

Let me know if I can help you further.

TIA,

Mihai

Hi,

Do you have XAUTH enabled?

Under

Configuration | Tunneling and Security | IPSec | IKE Proposals | Modify

you should have enabled an "Authentication Mode" that supports eXtended authentication.

For example, Cisco Documentation says:

RSA Digital Certificate (XAUTH) = Use a digital certificate with keys generated by the RSA algorithm. Require user-based authentication via XAUTH.

Hope that helps.