06-24-2002 07:12 AM - edited 02-21-2020 11:49 AM
I currently have a Cisco ACS 3.0 (Win2k Server). I have defined the vpn box on the ACS to use RADIUS (VPN 3000), and clients have no problem establishing tunnels. However, I have been unable to get admins to authenticate via the ACS on the VPN 3000 server. Is there a way to set up both authentication protocols on the ACS, or is there another way around this?
06-24-2002 09:12 PM
You already have defined the VPN 3000 as a network access server on ACS using RADIUS. You can define the same VPN 3000 as a TACACS+ client too, on ACS. You just have to give it a different name, as ACS doesn't want to have duplicate names for NAS clients (same IP addr, different names). The ACS would know which transactions are for which entry, since they would use different protocols and ports.
06-25-2002 05:32 AM
Thanks for your help. As per your suggestion, I have defined another name for the vpn box pointing to the same address on the ACS server (and chose TACACS as the authentication protocol). So now I have 2 entries on my ACS for the VPN box (2 different names, same IP, 1 using RADIUS and the other TACACS).
I have also done the following: configured the TACACS+ server on the VPN Concentrator under "Administration | Access Rights | AAA Servers | Authentication" and tested... I get "Authentication Rejected".
When I check the "Passed Authen" log on the ACS, I can see my name in there, and the 'Access Device' is listed as the new device that I created above. The NAS Port says 'Public Interface'. So for some reason I have passed authentication; however, I still keep getting the 'authentication rejected' message when trying to get into the concentrator as an admin.
Authentication to my other switches/routers is fine, so I know that the ACS is working properly, just having problems defining the concentrator.
06-25-2002 07:11 PM
Could you check your ACS profile against the sample config on:
http://www.cisco.com/warp/public/471/vpn3k_tacacs.html
It goes through both ACS and VPN 3K side.
06-26-2002 07:43 AM
Thanks a million! The one thing that I was missing was a setting under the Group for Privilege Level... I didn't check it off and set it to 15. Once this was done, it works. I was looking for a document like this for 3-4 days...
Thanks again.
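The two mechanics this sub-thread turns on (an AAA server telling the RADIUS and TACACS+ entries for one NAS IP apart by protocol and port, and an admin login being rejected after a passed authentication because the group's TACACS+ authorization reply carries no privilege level) can be modelled in a few lines. The following is an added, constructed example, not Cisco ACS or VPN 3000 code and not from the thread; it does not speak RADIUS or TACACS+ on the wire, and the NAS names, addresses and group attributes are made up.

```python
"""Toy model of two points raised in the thread: an AAA server telling the
RADIUS and TACACS+ entries for one NAS IP apart by protocol and port, and an
admin login being rejected after a *passed* authentication because the TACACS+
authorization reply lacks priv-lvl 15.

Constructed, offline example. It is not Cisco ACS or VPN 3000 code and does not
speak RADIUS or TACACS+ on the wire; names, addresses and group attributes are
made up.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Well-known transports: TACACS+ runs over TCP/49; RADIUS authentication uses
# UDP/1812 (legacy deployments also use UDP/1645).
TACACS_PLUS_PORTS = {("tcp", 49)}
RADIUS_AUTH_PORTS = {("udp", 1812), ("udp", 1645)}


@dataclass(frozen=True)
class NasEntry:
    name: str       # ACS wants a unique name per entry
    ip: str
    protocol: str   # "radius" or "tacacs+"


class AaaRegistry:
    """NAS entries keyed by name; the same IP may appear twice if protocols differ."""

    def __init__(self) -> None:
        self._entries: Dict[str, NasEntry] = {}

    def add(self, entry: NasEntry) -> None:
        if entry.name in self._entries:
            raise ValueError(f"duplicate NAS name {entry.name!r}")
        for existing in self._entries.values():
            if existing.ip == entry.ip and existing.protocol == entry.protocol:
                raise ValueError(f"{entry.ip} already registered for {entry.protocol}")
        self._entries[entry.name] = entry

    def resolve(self, src_ip: str, transport: str, port: int) -> Optional[NasEntry]:
        """Pick the NAS entry for an incoming request from its source IP plus
        the protocol implied by transport and destination port."""
        if (transport, port) in TACACS_PLUS_PORTS:
            proto = "tacacs+"
        elif (transport, port) in RADIUS_AUTH_PORTS:
            proto = "radius"
        else:
            return None
        for entry in self._entries.values():
            if entry.ip == src_ip and entry.protocol == proto:
                return entry
        return None


def parse_av_pairs(pairs: List[str]) -> Dict[str, Tuple[str, bool]]:
    """Split TACACS+ attribute-value pairs into {attr: (value, mandatory)}.
    '=' marks a mandatory attribute and '*' an optional one."""
    parsed: Dict[str, Tuple[str, bool]] = {}
    for pair in pairs:
        for sep in ("=", "*"):
            if sep in pair:
                attr, value = pair.split(sep, 1)
                parsed[attr] = (value, sep == "=")
                break
        else:
            raise ValueError(f"malformed AV pair {pair!r}")
    return parsed


def authorize_admin(authenticated: bool, group_av_pairs: List[str],
                    required_priv: int = 15) -> Tuple[bool, str]:
    """Model the device-side decision for an admin login: the session is
    granted only if authentication passed AND the authorization reply carries
    priv-lvl at or above the required level. The second condition is what a
    "Passed Authentications" log entry alone does not tell you."""
    if not authenticated:
        return False, "authentication failed"
    attrs = parse_av_pairs(group_av_pairs)
    if "priv-lvl" not in attrs:
        return False, "authentication passed, but authorization reply has no priv-lvl"
    value, _mandatory = attrs["priv-lvl"]
    try:
        level = int(value)
    except ValueError:
        return False, f"non-numeric priv-lvl {value!r}"
    if level < required_priv:
        return False, f"priv-lvl {level} is below the required {required_priv}"
    return True, f"admin access granted at priv-lvl {level}"


def build_registry() -> AaaRegistry:
    """Two entries for one concentrator, as the thread suggests (constructed)."""
    reg = AaaRegistry()
    reg.add(NasEntry("vpn3000-radius", "192.0.2.10", "radius"))
    reg.add(NasEntry("vpn3000-tacacs", "192.0.2.10", "tacacs+"))
    return reg


if __name__ == "__main__":
    reg = build_registry()
    print("TCP/49 request   ->", reg.resolve("192.0.2.10", "tcp", 49).name)
    print("UDP/1812 request ->", reg.resolve("192.0.2.10", "udp", 1812).name)
    # Group profile before the fix: shell service but no privilege level.
    print(authorize_admin(True, ["service=shell"]))
    # Group profile after the fix described in the thread.
    print(authorize_admin(True, ["service=shell", "priv-lvl=15"]))
```

The troubleshooting lesson is in `authorize_admin`: a successful entry in the server's passed-authentications log only proves the first condition, so a rejection that follows it points at the authorization attributes of the user's group, not at credentials or at the shared secret.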
06-24-2002 09:14 PM
Cisco ACS 3.0 can, by default, use RADIUS and TACACS+ at the same time.
For the VPN 3000 Concentrator, administration only supports TACACS+ authentication. You need to configure the TACACS+ server in "Administration | Access Rights | AAA Servers | Authentication" and test it to make sure the concentrator can talk to the AAA server correctly.
For remote access, as you have done, it only supports RADIUS.
You can share the same ACS 3.0 server, just make sure to put remote access users and ADMIN users in different groups.
06-25-2002 05:40 AM
Thanks... This has already been done, please see my other reply.