VPN 3000 with internal group external RADIUS user auth failing

What does this mean when RADIUS is configured on a VPN 3000
concentrator?

2 09/13/2004 10:42:12.560 SEV=5 IKEDBG/64 RPT=71 client_ip
IKE Peer included IKE fragmentation capability flags:
Main Mode: True
Aggressive Mode: False

4 09/13/2004 10:42:16.510 SEV=4 IKE/52 RPT=26 client_ip
Group [test] User [test]
User (jdg2004) authenticated.

5 09/13/2004 10:42:16.510 SEV=4 IKE/0 RPT=82 client_ip
Group [test] User [test]
User tunnel rejected: filter name "unlim" does not point to a filter!

7 09/13/2004 10:42:16.510 SEV=5 IKE/50 RPT=26 client_ip
Group [test] User [test]
Connection terminated for peer test.
Reason: Peer Terminate, Disconnected by Administrator.
Remote Proxy N/A, Local Proxy N/A


I am able to test successfully the setup of the RADIUS server from the
concentrator. Group test is internally configured on the 3030. I am
running latest client and concentrator code. 4.1.6

Any ideas?

 

Well just in case the TAC engineers ever read this and decide to close
my case....

Here is the answer:

It appears that there is in the implementation of Interlink's RAD
server (atleast in early versions like 6.0) a DEFAULT entry in the
user file which includes a Filter-Id = "unlim". Even if non of your
users use this Filter it will be passed back with each query because
it is listed in the config and MUST be deleted or commented out if not
being used. When the RAD server passes this piece to the concentrator
even though the user has been authenticated, there is no filter
configured on the concentrator to match "unlim" and since it is being
passed to the concentrator the 3030 believes that you are attempting
to configure (not groups which would have been my first guess) but
traffic management filters. Sooo, the fix is either:

1) Delete the Filter-Id = "unlim" from the users config on the RAD
server
2) Create a filter by Configuration --> Policy Management --> Traffic
Management --> Filters and adding a filter named unlim and contains
the rules you would like applied to this tunnel. Ensure that you have
this group configured for that filter as well.

Interlink does reccomend to delete Filter-Id = unlim from the config
if possible. Since we have others using the RAD server and I am not
sure who may have built a workaround for their own implementaiton
problems in our enterprise I am going to leave it.

Anyway......

I hope this helps anyone else who may run into this problem. I took a
little while to find the answer until I called Interlink who gave me
the resolution in 5 minutes. Unfortunately it is taking Cisco TAC
about 15+ hours at this point and I hate to say it, this has been my
worst interaction with Cisco TAC. My engineer doesnt want to help
troubleshoot, he tells me that no one at cisco (that he has spoken to
so far) knows what the error means. I would think that this would be
a documented feature and would be easy to figure out that I must be
attempting to use the filter atleast incorrectly. I was instead told
that my radius server is broken and that he needs more time to
research. Well I hope he reads google groups


Thanks to all!