Using Win. Group Policies w/Cisco 3000

By brooks@intellinet-comptng
I have a Cisco 3000 VPN concentrator which supports NT Domain and RADIUS authentication for groups and users. I have implemented domain and group authentication in the past, but am having trouble doing it this time around. It has been a few years and the software (Windows and Cisco) has changed slightly. I am having trouble getting the RADIUS authentication for groups working with the group policies. The group policy should check to see if the user is part of a security group to allow or deny access to the network.

I have not contacted the Cisco TAC yet because we have had problems getting the maintenance purchased with the unit linked to my CCO account.


by GDoC In reply to Using Win. Group Policies ...

You never stated what version of MS Windows authentication you are using, or if the VPN30xx was a member of the DNS domain. This may be the only issue, or you may be having other LDAP-related issues, or the implementation of RADIUS on W2K3?
I've used direct-to-LDAP Windows support as well as a separate RADIUS support of AAA.
Both still function.
You'll need to do some log analysis on the VPN30xx to find the causal factor. With that we can go further.

I know the problem with vendors retaining the maintenance registrations, and it sucks. You should be able to have your vendor set you up under their account. Or you can request a transfer (a pain but sometimes worth it) of the device registration from them to you. Cisco will work with you, but will require a lot of documentation and some legal paperwork.


Follow up: The authentication server is a Windows 2003 server running IAS. It is a domain controller and DNS server. DNS servers are defined on the VPN 3005.


by georgeou In reply to Using Win. Group Policies ...

Cisco VPN concentrators have a bug with Windows 2003. The "solution" from Cisco a few months ago when I was on support was to use RADIUS. I use Microsoft IAS on Win2003 and it's beautiful. It integrates into AD and I can even use IAS to spit out a custom RADIUS attribute to get the concentrator to assign the VPN group based on the Active Directory group.


by georgeou In reply to

Forgot to say that the bug was with Windows 2003 LDAP mode. There is no fix for it and you have to use RADIUS though it works better.


by billanh In reply to

I have a Cisco 3015 VPN and am trying to configure it to authenticate with an IAS Win2003 server. On the 3015, I configured group name abc and a user name bill. It works fine using bill (because it authenticates locally), but when I try to use "abc" it does not work. What did I do wrong?
I should be able to telnet to port 1645 on the IAS server, right? I'm not able to; maybe that is the problem.
Thanks in advance.
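Two points in this thread are easier to see in code than in prose: georgeou's note that IAS can return an attribute the concentrator maps to a VPN group, and billanh's telnet test of port 1645. RADIUS (RFC 2865) runs over UDP, so a TCP telnet to 1645 proves nothing either way; what matters on the wire is that both sides share the same secret, which the concentrator can only detect by checking the Response Authenticator of the reply. The following is an added example, not code from the original posts, Cisco or Microsoft. It builds an Access-Request the way a NAS does (User-Password hiding per RFC 2865 section 5.2), builds a constructed Access-Accept standing in for what IAS would return, verifies the reply against the request and secret, and pulls the group name out of the standard Class attribute (type 25) using the `OU=<group>;` convention Cisco documented for VPN 3000 group assignment. The shared secret, user name, password, NAS address, the fixed request authenticator used for reproducibility and the group name `abc` are all constructed for this example; check the exact Class spelling against your concentrator's release notes.

```python
import hashlib
import hmac
import os
import struct

# RADIUS (RFC 2865) runs over UDP. 1645 is the legacy authentication port that
# the VPN 3000 and IAS both still accept; the IANA-assigned port is 1812.
RADIUS_AUTH_PORT_LEGACY = 1645
RADIUS_AUTH_PORT = 1812

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, CLASS = 1, 2, 4, 25


def encode_attr(attr_type, value):
    """Type-Length-Value; Length counts the two header bytes (RFC 2865 s.5)."""
    if len(value) > 253:
        raise ValueError("attribute value longer than 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(password, secret, authenticator):
    """User-Password hiding from RFC 2865 s.5.2: NUL-pad to a 16-byte multiple,
    then XOR each block with MD5(secret + previous block), seeded by the
    Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password (what the RADIUS server does); strips the pad."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, secret, username, password, authenticator=None,
                         nas_ip=b"\xc0\xa8\x01\x01"):
    """Build an Access-Request as the concentrator (the NAS) would send it.
    nas_ip defaults to a constructed 192.168.1.1."""
    authenticator = authenticator or os.urandom(16)  # must be unpredictable in real use
    attrs = (encode_attr(USER_NAME, username)
             + encode_attr(USER_PASSWORD, hide_password(password, secret, authenticator))
             + encode_attr(NAS_IP_ADDRESS, nas_ip))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs


def build_access_accept(request, secret, attrs):
    """Constructed stand-in for the IAS reply. The Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(body))
    resp_auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + resp_auth + body


def parse_packet(data):
    """Split a RADIUS packet into header fields and a list of (type, value)."""
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20
    while pos < length:
        t, l = data[pos], data[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("bad attribute length")
        attrs.append((t, data[pos + 2:pos + l]))
        pos += l
    return {"code": code, "ident": ident, "authenticator": data[4:20], "attrs": attrs}


def verify_response(response, request, secret):
    """A reply whose Response Authenticator does not match our request and the
    shared secret is silently dropped by a NAS; a mismatched secret therefore
    looks like a timeout, not an Access-Reject."""
    length = struct.unpack("!H", response[2:4])[0]
    expected = hashlib.md5(response[:4] + request[4:20]
                           + response[20:length] + secret).digest()
    return response[1] == request[1] and hmac.compare_digest(expected, response[4:20])


def vpn_group_from_class(attrs):
    """VPN 3000 convention: the group name is carried in Class (25) as 'OU=<group>;'."""
    for t, v in attrs:
        if t == CLASS and v.startswith(b"OU="):
            return v[3:].split(b";", 1)[0].decode()
    return None


def demo():
    secret = b"s3cret-shared-with-IAS"  # constructed; must match on both sides
    req = build_access_request(7, secret, b"bill", b"Winter2004!", bytes(range(16)))
    # Constructed IAS reply: the remote-access policy matched AD group "abc".
    resp = build_access_accept(req, secret, [(CLASS, b"OU=abc;")])
    if not verify_response(resp, req, secret):
        return None
    return vpn_group_from_class(parse_packet(resp)["attrs"])
```

The useful failure modes to try with this are a reply built with a different secret and a reply with one byte of the Class value changed: both fail `verify_response`, which is exactly why a wrong shared secret between the 3015 and IAS shows up in the concentrator log as a RADIUS timeout rather than as a rejected user.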
