VPN 3000 with internal group external RADIUS user auth failing

 
 
soldara
Guest
Posts: n/a

09-13-2004
What does this mean when RADIUS is configured on a VPN 3000
concentrator?

2 09/13/2004 10:42:12.560 SEV=5 IKEDBG/64 RPT=71 client_ip
IKE Peer included IKE fragmentation capability flags:
Main Mode: True
Aggressive Mode: False

4 09/13/2004 10:42:16.510 SEV=4 IKE/52 RPT=26 client_ip
Group [test] User [test]
User (jdg2004) authenticated.

5 09/13/2004 10:42:16.510 SEV=4 IKE/0 RPT=82 client_ip
Group [test] User [test]
User tunnel rejected: filter name "unlim" does not point to a filter!

7 09/13/2004 10:42:16.510 SEV=5 IKE/50 RPT=26 client_ip
Group [test] User [test]
Connection terminated for peer test.
Reason: Peer Terminate, Disconnected by Administrator.
Remote Proxy N/A, Local Proxy N/A


I am able to test successfully the setup of the RADIUS server from the
concentrator. Group test is internally configured on the 3030. I am
running the latest client and concentrator code, 4.1.6.

Any ideas?
 
soldara
Guest
Posts: n/a

09-13-2004
Well just in case the TAC engineers ever read this and decide to close
my case....

Here is the answer:

It appears that there is in the implementation of Interlink's RAD
server (at least in early versions like 6.0) a DEFAULT entry in the
user file which includes a Filter-Id = "unlim". Even if none of your
users use this Filter it will be passed back with each query because
it is listed in the config and MUST be deleted or commented out if not
being used. When the RAD server passes this piece to the concentrator
even though the user has been authenticated, there is no filter
configured on the concentrator to match "unlim" and since it is being
passed to the concentrator the 3030 believes that you are attempting
to configure (not groups, which would have been my first guess) but
traffic management filters. Sooo, the fix is either:

1) Delete the Filter-Id = "unlim" from the users config on the RAD
server
2) Create a filter via Configuration --> Policy Management --> Traffic
Management --> Filters, adding a filter named unlim that contains
the rules you would like applied to this tunnel. Ensure that you have
this group configured for that filter as well.

Interlink does recommend deleting Filter-Id = unlim from the config
if possible. Since we have others using the RAD server and I am not
sure who may have built a workaround for their own implementation
problems in our enterprise I am going to leave it.

Anyway......

I hope this helps anyone else who may run into this problem. It took me a
little while to find the answer until I called Interlink, who gave me
the resolution in 5 minutes. Unfortunately it is taking Cisco TAC
about 15+ hours at this point and, I hate to say it, this has been my
worst interaction with Cisco TAC. My engineer doesn't want to help
troubleshoot; he tells me that no one at Cisco (that he has spoken to
so far) knows what the error means. I would think that this would be
a documented feature and it would be easy to figure out that I must be
attempting to use the filter at least incorrectly. I was instead told
that my RADIUS server is broken and that he needs more time to
research. Well, I hope he reads Google Groups.


Thanks to all!



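To show the mechanism soldara describes, here is an added example (not from the thread, Interlink or Cisco) that builds a constructed RADIUS Access-Accept carrying a Filter-Id attribute, parses it the way RFC 2865 lays out attributes, reports any Filter-Id the concentrator has no filter for, and pulls the offending filter name out of the concentrator event lines posted above. The configured filter list and attribute values are assumptions for the demonstration.

```python
import re
import struct

ACCESS_ACCEPT = 2   # RADIUS packet code (RFC 2865)
USER_NAME = 1       # RADIUS attribute types (RFC 2865)
FILTER_ID = 11

def build_access_accept(attrs, ident=1):
    """Assemble an Access-Accept: 4-byte header, 16-byte authenticator, then TLV attributes.
    The authenticator is zeroed: only attribute handling matters for this demonstration."""
    body = b"".join(bytes([atype, len(val) + 2]) + val for atype, val in attrs)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body)) + bytes(16) + body

def parse_radius_attrs(packet):
    """Walk the attribute TLVs of a RADIUS packet, refusing malformed lengths."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs

def unknown_filter_ids(packet, configured_filters):
    """Filter-Id values in the reply that name no filter on the concentrator; any name
    returned here is what triggers the 'does not point to a filter' tunnel rejection."""
    return [val.decode("ascii") for atype, val in parse_radius_attrs(packet)
            if atype == FILTER_ID and val.decode("ascii") not in configured_filters]

REJECT_RE = re.compile(r'User tunnel rejected: filter name "([^"]+)" does not point to a filter')

def rejected_filter_names(log_text):
    """Extract the offending filter names from concentrator event log text."""
    return REJECT_RE.findall(log_text)

# Constructed reply mimicking the Interlink DEFAULT entry: the user is accepted,
# but Filter-Id = "unlim" rides along in the same Access-Accept.
SAMPLE_ACCEPT = build_access_accept([(USER_NAME, b"jdg2004"), (FILTER_ID, b"unlim")])
# Hypothetical concentrator filter inventory: no filter named "unlim" exists.
CONFIGURED_FILTERS = {"Public (Default)", "Private (Default)"}
# Event lines as posted in the thread above.
SAMPLE_LOG = """5 09/13/2004 10:42:16.510 SEV=4 IKE/0 RPT=82 client_ip
Group [test] User [test]
User tunnel rejected: filter name "unlim" does not point to a filter!
"""

if __name__ == "__main__":
    print("Filter-Ids with no matching filter:", unknown_filter_ids(SAMPLE_ACCEPT, CONFIGURED_FILTERS))
    print("Filter names seen in rejections:", rejected_filter_names(SAMPLE_LOG))
```

Adding "unlim" to the configured set (fix 2 above) or dropping the attribute from the reply (fix 1) both empty the first list, which is the check to run before and after changing either side.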

 