VPN 3000 with internal group external RADIUS user auth failing

Discussion in 'Cisco' started by soldara, Sep 13, 2004.

soldara (Guest):

    What does this mean when RADIUS is configured on a VPN 3000

    2 09/13/2004 10:42:12.560 SEV=5 IKEDBG/64 RPT=71 client_ip
    IKE Peer included IKE fragmentation capability flags:
    Main Mode: True
    Aggressive Mode: False

    4 09/13/2004 10:42:16.510 SEV=4 IKE/52 RPT=26 client_ip
    Group [test] User [test]
    User (jdg2004) authenticated.

    5 09/13/2004 10:42:16.510 SEV=4 IKE/0 RPT=82 client_ip
    Group [test] User [test]
    User tunnel rejected: filter name "unlim" does not point to a filter!

    7 09/13/2004 10:42:16.510 SEV=5 IKE/50 RPT=26 client_ip
    Group [test] User [test]
    Connection terminated for peer test.
    Reason: Peer Terminate, Disconnected by Administrator.
    Remote Proxy N/A, Local Proxy N/A

    I am able to test the RADIUS server setup successfully from the
    concentrator. Group test is internally configured on the 3030. I am
    running the latest client and concentrator code, 4.1.6.

    Any ideas?
    soldara, Sep 13, 2004

soldara (Guest):

    Well just in case the TAC engineers ever read this and decide to close
    my case....

    Here is the answer:

    It appears that the implementation of Interlink's RAD server (at
    least in early versions like 6.0) has a DEFAULT entry in the user
    file which includes a Filter-Id = "unlim". Even if none of your
    users use this filter it will be passed back with each query because
    it is listed in the config, and it MUST be deleted or commented out
    if it is not being used. When the RAD server passes this attribute to
    the concentrator, even though the user has been authenticated, there
    is no filter configured on the concentrator to match "unlim", and
    since it is being passed to the concentrator the 3030 believes that
    you are attempting to configure (not groups, which would have been my
    first guess) traffic management filters. So the fix is either:

    1) Delete the Filter-Id = "unlim" from the users config on the RAD
    2) Create a filter under Configuration --> Policy Management --> Traffic
    Management --> Filters, adding a filter named unlim that contains
    the rules you would like applied to this tunnel. Ensure that you have
    this group configured for that filter as well.

    Interlink does recommend deleting Filter-Id = unlim from the config
    if possible. Since we have others using the RAD server and I am not
    sure who may have built a workaround for their own implementation
    problems in our enterprise, I am going to leave it.


    I hope this helps anyone else who may run into this problem. It took
    me a little while to find the answer until I called Interlink, who
    gave me the resolution in 5 minutes. Unfortunately it is taking Cisco
    TAC about 15+ hours at this point and, I hate to say it, this has
    been my worst interaction with Cisco TAC. My engineer doesn't want to
    help troubleshoot; he tells me that no one at Cisco (that he has
    spoken to so far) knows what the error means. I would think that this
    would be a documented feature and it would be easy to figure out that
    I must be attempting to use the filter at least incorrectly. I was
    instead told that my RADIUS server is broken and that he needs more
    time to research. Well, I hope he reads Google Groups :)

    Thanks to all!

    soldara, Sep 13, 2004
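The failure described in the post above comes down to a reply attribute leaking out of a DEFAULT entry in the RADIUS users file and landing on a concentrator that has no matching filter. The script below is an added example, not code from the thread, from Interlink or from Cisco: it parses a constructed users file in the Livingston-style format that FreeRADIUS and similar servers use (assumed to be close to Interlink's), works out which reply attributes a given user would actually receive, and reports every Filter-Id value that the concentrator's configured filter list (also constructed) cannot resolve. It also pulls the offending filter name out of the IKE/0 log line so the two can be matched. The entry-matching rule (DEFAULT matches anyone, first match wins unless Fall-Through = Yes) is the Livingston/FreeRADIUS convention and is an assumption here.

```python
"""Pre-flight check: RADIUS users file vs. VPN 3000 concentrator filters.

Added example modelled on the thread above; not Interlink's or Cisco's code.
Assumed file format (Livingston/FreeRADIUS style): an entry starts on a
non-indented line "<name> <check items>", followed by indented reply-item
lines, comma-separated, the last one without a trailing comma.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: a DEFAULT entry that hands Filter-Id = "unlim" back
# to every user, plus one ordinary user entry.
SAMPLE_USERS_FILE = """\
# users file (constructed example)
DEFAULT Auth-Type = Local, Fall-Through = Yes
        Filter-Id = "unlim",
        Service-Type = Framed-User

jdg2004 Password = "not-a-real-password"
        Class = "OU=test"
"""

# Filters the concentrator has defined under Configuration -> Policy
# Management -> Traffic Management -> Filters (constructed list).
CONCENTRATOR_FILTERS = {"Public (Default)", "Private (Default)", "External (Default)"}


@dataclass
class Entry:
    name: str
    check: dict = field(default_factory=dict)
    reply: list = field(default_factory=list)  # list of (attribute, value)


# attribute, operator, value (quoted string or bare token up to a comma)
_ITEM = re.compile(r'\s*([\w-]+)\s*(==|:=|=)\s*("[^"]*"|[^,]+)')


def _parse_items(text):
    """Split 'A = x, B = "y"' into [('A', 'x'), ('B', 'y')]."""
    return [(a, v.strip().strip('"')) for a, _, v in _ITEM.findall(text)]


def parse_users_file(text):
    """Return the entries of a users file in file order."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():  # new entry: "<name> <check items>"
            name, _, rest = line.partition(" ")
            current = Entry(name, dict(_parse_items(rest)))
            entries.append(current)
        elif current is not None:  # indented continuation: reply items
            current.reply.extend(_parse_items(line.rstrip(",")))
    return entries


def reply_attributes(entries, username):
    """Reply items the server would send for `username`.

    Entries are walked top to bottom; DEFAULT matches anyone, a named entry
    matches its user, and matching stops at the first matching entry that
    does not set Fall-Through = Yes (assumed Livingston semantics).
    """
    reply = []
    for e in entries:
        if e.name not in ("DEFAULT", username):
            continue
        reply.extend(e.reply)
        if e.check.get("Fall-Through", "No").lower() != "yes":
            break
    return reply


def unresolved_filters(reply, configured):
    """Filter-Id values the concentrator cannot map to a configured filter.

    Any value in this list makes the 3000 reject the tunnel even though
    the user authenticated, exactly as in the IKE/0 log line above.
    """
    return [v for a, v in reply if a == "Filter-Id" and v not in configured]


_REJECT = re.compile(r'filter name "([^"]+)" does not point to a filter')


def rejected_filter_from_log(line):
    """Extract the offending filter name from the concentrator's log line."""
    m = _REJECT.search(line)
    return m.group(1) if m else None


if __name__ == "__main__":
    entries = parse_users_file(SAMPLE_USERS_FILE)
    reply = reply_attributes(entries, "jdg2004")
    print("reply items for jdg2004:", reply)
    print("unresolved Filter-Id values:", unresolved_filters(reply, CONCENTRATOR_FILTERS))
    # Fix 1: remove Filter-Id from DEFAULT.  Fix 2: define "unlim" on the
    # concentrator.  Either empties the list; fix 2 is simulated here.
    print("with 'unlim' defined:", unresolved_filters(reply, CONCENTRATOR_FILTERS | {"unlim"}))
```

Running the check against a real users file and the concentrator's filter list before pointing a group at an external RADIUS server would have surfaced the stray Filter-Id immediately, without waiting on either vendor's support queue. Note that fix 2 silently applies whatever rules the new "unlim" filter contains to every tunnel that inherits the DEFAULT entry, so an empty or permissive filter defined just to make the error go away is a policy decision, not merely a workaround.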