
VPN Radius ACS Authentication passes Authorization fails

bwerst
Level 1

VPN 3000 Concentrator, Release 4.1.5, attempting to authorize client sessions against RADIUS on CiscoSecure ACS v3.2. Authentication succeeds, but authorization fails.

ACS Failed attempts log shows "External DB user invalid or bad password".

When attempting the VPN client connection, the ACS Passed Authentications log shows a successful connection, and the Failed Attempts log then shows the above failure for authorization.

The user's group has been granted rights to the network device group with level 15 access. TACACS+ for that user works fine with all of the other network devices.

I tried running CSRadius from the command line to get more detailed debugging information, but that didn't help either.

Any thoughts?

2 Replies

blackey
Level 1

Are you using an external DB to authenticate and authorize users, or using IDs in the internal ACS database? If using internal IDs, make sure the settings in the Advanced TACACS+ Settings in the user ID section match this. It might be looking for an external DB; check there. Also, it might not be set to use the group-level setting in the Advanced section.

Thanks for the input. I wound up opening a support case. It turns out to be a misunderstanding of the option 'none' for authorization on the IPSec tab. I thought that meant there would be no authorization, period. It turns out it just means no external authorization, and that the local group configuration would do the authorization.

I needed to validate users so I'm doing the authentication via RADIUS/Windows Database, but I don't want to deal with getting all of the radius pairs correct in ACS for authorization when it will work just as well using the groups in VPN concentrator.

Personally I think they should change the label of option 'none' to 'no external'.

Bill