VPN 3000 , Domain Controller, ACS

zillah · 27 Dec 2006 at 05:29

I have got this scenario, Backup Domain Controller resides within my LAN, cisco secure ACS (uses RADUIS protocol) resides within my LAN as well.

ACS configuration
--------------------
As you can see (Top figure) that VPN server -192.168.5.254- (concentrator 3000) was configured to be authenticated by ACS -192.168.5.50-.

VPN 3000 Configuration
---------------------------
In the bottom figure VPN server was pointed to "Server Type" as: RADUIS , and "server authentication" is : 192.168.2.11 (Backup Domain Controller ) ? Why has it not been pointed to Cisco Secure ACS 192.168.5.50 ?

http://img105.imageshack.us/img105/8886/vpnraduisdcrn6.jpg

VPN 3000 and Cisco Secure ACS both of them are connected to cisco core switch 4000,,,,,,,,default gateway should be switch.

VPN 3000 and Cisco Secure ACS both of them are running in parallel (i.e not behind not infront)

bitslice · 27 Dec 2006 at 05:54

(just guessing, ...I should be sleeping really)

is 192.168.2.11 already running another RADIUS service ?

.

zillah · 27 Dec 2006 at 07:49

(just guessing, ...I should be sleeping really)

hhhh, have a nice sleep

is 192.168.2.11 already running another RADIUS service ?

No.

Edit:
Yes. It is running microsoft IAS or RADUIS, as you can see in the link below. http://img405.imageshack.us/img405/...orraduiscj1.jpg

zillah · 30 Jan 2007 at 21:30

Can I ponit the VPN to ACS, and in turn ACS will be pointed to AD ? Is there any advantage for doing that ?

Regards
http://img405.imageshack.us/img405/6386/iasorraduiscj1.jpg

bitslice · 2 Feb 2007 at 12:29

(one month later)

zillah said:
No.

Edit:
Yes. ....

LOL

well that explains why it's working at least

-----
ACS apears to use AD

section: (Windows Authentication from a Member Server)
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacsapp/raig/rawi.htm

that bit seems to cover it ? ...I've not read it all though

if I had a Cisco VPN, and had the option to use Cisco ACS to secure it,
then I probably would try and get it working.

.

zillah · 4 Feb 2007 at 08:05

well that explains why it's working at least

I tired to follow the instrcutions in step 5 in the link below :
http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a0080094a03.shtml

But I received the below error message :
http://img247.imageshack.us/img247/4973/errorvpnmylogintestkl1.jpg

At work (not remotely) I tried to test VPN , by entering my Active Directory's username and password but I received the error message in the link above, thought with same username and password I can access the VPN from remote area.

bitslice · 4 Feb 2007 at 20:11

does it give any more error info in
"Reports and Activity > Failed Attempts"
?

.

zillah · 5 Feb 2007 at 04:09

does it give any more error info in
"Reports and Activity > Failed Attempts"

Nothing was written to these reports.

bitslice · 6 Feb 2007 at 12:06

no ideas at the moment,
but while looking for other stuff, I found this...

freebie book sample chapter:
Troubleshoot Cisco Secure Access Control Server (CS ACS) on Windows
http://downloads.techrepublic.com.com/download.aspx?docid=172256

maybe worth a look ?

.

zillah · 6 Feb 2007 at 12:15

(just guessing, ...I should be sleeping really)

is 192.168.2.11 already running another RADIUS service ?

Nothing was written to these reports.

Yes , because ACS was not used, and i confirmed that by checking AD server --> Administrative Tools --> Internet Authentication Service --> RADIUS Clients --> I found IP address for the VPN concentrator (i.e 192.168.55.254).
One more thing when i checked the AD server --> Administrative Tools --> Event Viewer --> I found message from VPN concentrator

But I received the below error message :
http://img247.imageshack.us/img247/4973/errorvpnmylogintestkl1.jpg

No,it is ok, i have got no problem.

bitslice · 6 Feb 2007 at 12:52

zillah said:
One more thing when i checked the AD server --> Administrative Tools --> Event Viewer --> I found message from VPN concentrator.

but that's the error pic from the VPN 3000 ? :confused:

you confused me there (not hard to do...

)
- so, so far :

...cisco secure ACS - sitting there doing (something ?)

...Backup Domain Controller (192.168.2.11 ) running microsoft IAS/RADUIS,
(not sure what is in its event log)

...VPN 3000 is pointing to 192.168.2.11 and that is why it's working OK (in terms of RADIUS) - and in its report section it says nothing

did I understand correctly ?

.