LDAP ON VPN CONCENTRATOR
I have a VPN 3015. I want my VPN users to be authenticated and authorized to the VPN 3015 through my Active Directory (LDAP).
For the Authentication server, I use a Kerberos/Active Directory server and it works when I test it.
But for the Authorization server, I use an LDAP server (the same server as the authentication server), with all the parameters like Login DN, Base DN and naming attributes, but when I test it, it doesn't work. Why?
Thanks
The VPN Concentrator supports user authorization on an external LDAP or RADIUS server. Before you configure the VPN Concentrator to use an external server, you must configure the server with the correct VPN Concentrator authorization attributes and, from a subset of these attributes, assign specific permissions to individual users. Follow the instructions given here to configure your external server.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_guide_chapter09186a008015ce27.html
Similar Messages
-
Hi,
Trying to set up a VPNc 3005 for WebVPN. The VPNc is configured with an NTP server so the clock is fine. I installed the SSL VPN client and Secure Desktop software onto the VPNc, and created a local account and group. When I perform https://vpnc/admin.html, I can manage the VPNc from the external interface, so the certificate is good.
When I do http://vpnc from the same XP Service Pack 2 workstation, it attempted to install both the SSL VPN client and Secure Desktop onto my WinXP (I have admin privilege on the XP machine), then it tells me that the VPN concentrator has a server certificate error. I've attached the screen shot. Anyone know what it is? Thanks.
If you connect to a website that loads content (such as images) from a second, previously unauthenticated server, the content might not be rendered correctly. WebVPN clientless mode does not support websites that require authentication for access to content from secondary servers. When using WebVPN with NAT-T, do not set the NAT-T port to 443. We recommend using port 80 for NAT-T, as firewalls should allow this.
http://www.cisco.com/en/US/docs/security/vpn3000/vpn3000_41/configuration/guide/webvpnap.html
http://www.cisco.com/en/US/docs/security/vpn3000/vpn3000_41/quick/start/gs3mgr.html#wp1302684 -
PIX, ASA or VPN concentrator & dynamic VPN
Hi all,
I need help what to use and how to do next.
What we need is to create a remote VPN for many users so that every user is a member of more than one group and every group is linked to a predefined set of rules, for instance "you can access these IPs, ports" and so on.
How to do that dynamically? Is it possible to do that with one certificate?
The other question is what to use? PIX, ASA, VPN concentrator?
BR
jl
The PIX and VPNC are both end-of-sale products now and unless you already have them your only choice is IOS or ASA. Of those two the ASA is the Cisco preferred platform for Remote Access VPNs.
You can map users to groups using Active Directory OUs, let them select a group at logon, have different logon URLs per group etc. However as far as I know this is not possible:
"every user is member of more than one group "
Some links:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008089149d.shtml
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808bd83d.shtml
With remote access IPSEC VPNs you can either define the groups on the ASA or externally on the ACS Server.
Pls. rate if helpful.
Regards
Farrukh -
VPN Concentrator authentication with multiple domains
I have a hub and spoke network where a T1 comes in to the hub site A and there is a frame relay connection going over to the spoke site B. We want to add a VPN concentrator to site A for remote access, but site A and site B have their own domains that are independent of one another. Can I set up the VPN Concentrator to authenticate users that belong to the site A domain using site A's domain controller and authenticate users that belong to the site B domain using site B's domain controller? That way we can use a single VPN concentrator and a single internet connection but keep the authentication separate.
Thanks in advance for any help.
To authenticate users that belong to the site A domain using site A's domain controller you should authenticate users that belong to the site A domain using site A's domain controller
-
IP Address Assignment on VPN Concentrator through AD
Is it possible to assign an IP address on a per-user basis using Active Directory as your authentication method for a group within the 3000 series VPN Concentrator?
I know this can be done with ACS/RADIUS, but I do not see any documentation on how this can be accomplished using Active Directory as your external authentication server.
Sorry for the thread title, it should be: "reserver" not reverse.
I have been advised to read the "admin guide"
http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a008026f96c.shtml
under the heading below
Assign a Specific IP Address to a User
In order to assign a static IP address for the remote VPN user every time they connect to the VPN 3000 Series Concentrator, choose: Configuration > User Management > Users > Modify ipsecuser2 > Identity.
My question: I am using a production box (to avoid screwing up the whole system), does it affect anything if I want to create a specific group and assign a specific IP address to a user?
On my PIX (the VPN is running parallel to the PIX, i.e. it is not behind nor in front of the PIX) I have got these lines of configuration which are related to the VPN concentrator:
nat (inside) 1 10.2.2.0 255.255.255.0 0 0            <- IP range for the VPN pool as seen in the figure
nat (inside) 1 172.168.1.0 255.255.255.0 0 0         <- not related to VPN
nat (inside) 1 192.168.0.0 255.255.0.0 0 0           <- not related to VPN
global (outside) 1 10.1.1.150-10.1.1.155
global (outside) 1 10.1.1.156
route inside 10.2.2.0 255.255.255.0 192.168.55.254 1  <- 192.168.55.254 is the VPN Ethernet 1 IP address
http://img204.imageshack.us/img204/7306/vpnpooleu1.jpg
What I am thinking to do is below (please comment):
1- I want to modify the current group (see my VPN figure) to be from the range 10.2.2.1-10.2.2.9 instead of 10.2.2.1-10.2.2.10
2- Create another group called "mobile_users"
3- Create a user called "commuter"
4- Assign the user "commuter" to the group "mobile_user"
5- Assign IP address 10.2.2.2 to the user "commuter"
6- The Cisco page that I have posted says to tick the option "User address from Authentication Server". I do not think this will apply to me?
Again, since I am using a production box, I have to be sure that the modifications above do not screw up the whole system -
Hi All,
Our problem is, we have CiscoWorks LMS 3.0.1 and it cannot archive the configuration for the Cisco 3000 series VPN concentrator.
Any help would be greatly appreciated.
Thanks in advance.
Samir
Make sure you have filled out all of the HTTP/HTTPS credential data in DCR for these devices. RME will only use HTTPS to fetch VPN concentrator configurations.
-
ACS with VPN Concentrator : IP address attribution
Hello,
I need to know if it is possible for ACS to assign an IP address to the VPN clients connected to a VPN Concentrator, with XAUTH, instead of the VPN Concentrator doing it, and if yes: how can I do it, what is the procedure? With the attribute Framed-IP-Address? Does it work?
Thanks !
Patrice
Yes, it can be done and works very well. Under the RADIUS attributes use:
[014] Login-IP-Host
NAS Specifies
User Specifies
Other
Check Other and then add the IP address that you want assigned. -
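The reply above points at RADIUS attribute [014] Login-IP-Host rather than Framed-IP-Address (attribute 8). The script below is an added example, not part of the thread or of Cisco ACS: it builds a constructed Access-Accept carrying Login-IP-Host, verifies the reply's Response Authenticator against the shared secret as RFC 2865 section 3 defines it, and decodes which of the two address attributes the reply actually carries. A practitioner can feed it the bytes of a real Access-Accept taken from a packet capture to confirm what the ACS is returning. The attribute numbers are the RFC 2865 values; the secret, request authenticator and 10.2.2.2 address are placeholders constructed for the example.

```python
import hashlib
import hmac
import socket
import struct

# RFC 2865 packet code and attribute types discussed in the thread
ACCESS_ACCEPT = 2
FRAMED_IP_ADDRESS = 8      # the attribute the question asks about
LOGIN_IP_HOST = 14         # the attribute the reply recommends ([014])

HEADER = struct.Struct("!BBH")   # Code, Identifier, Length; 16-byte Authenticator follows


def encode_avps(attributes):
    """Serialise [(type, value_bytes)] as RFC 2865 attribute-value pairs."""
    out = b""
    for attr_type, value in attributes:
        if len(value) > 253:
            raise ValueError("attribute value too long for one AVP")
        out += struct.pack("!BB", attr_type, 2 + len(value)) + value
    return out


def response_authenticator(code, identifier, request_auth, body, secret):
    """ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = 20 + len(body)
    return hashlib.md5(HEADER.pack(code, identifier, length) + request_auth + body + secret).digest()


def build_access_accept(identifier, request_auth, secret, attributes):
    """Build an Access-Accept as a RADIUS server would, answering the
    Access-Request whose random Request Authenticator was request_auth."""
    body = encode_avps(attributes)
    auth = response_authenticator(ACCESS_ACCEPT, identifier, request_auth, body, secret)
    return HEADER.pack(ACCESS_ACCEPT, identifier, 20 + len(body)) + auth + body


def verify_reply(packet, request_auth, secret):
    """True only if the reply's authenticator matches the shared secret and the
    request it answers; a spoofed, tampered or replayed reply fails here."""
    code, identifier, length = HEADER.unpack(packet[:4])
    if length != len(packet) or length < 20:
        return False
    expected = response_authenticator(code, identifier, request_auth, packet[20:], secret)
    return hmac.compare_digest(expected, packet[4:20])


def parse_avps(packet):
    """Decode the AVP list into [(type, value_bytes)], refusing to read past the
    declared packet length or to accept an attribute with a bogus length."""
    _, _, length = HEADER.unpack(packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("RADIUS length field does not match the packet")
    pos, avps = 20, []
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute length")
        avps.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return avps


def assigned_addresses(packet):
    """Report which of the two address attributes an Access-Accept carries."""
    found = {"framed_ip_address": None, "login_ip_host": None}
    for attr_type, value in parse_avps(packet):
        if attr_type == FRAMED_IP_ADDRESS and len(value) == 4:
            found["framed_ip_address"] = socket.inet_ntoa(value)
        elif attr_type == LOGIN_IP_HOST and len(value) == 4:
            found["login_ip_host"] = socket.inet_ntoa(value)
    return found


# Constructed sample values: placeholders, not from any real deployment
SECRET = b"example-shared-secret"
REQUEST_AUTH = bytes(range(16))      # stands in for the NAS's random Request Authenticator
SAMPLE_REPLY = build_access_accept(
    identifier=7, request_auth=REQUEST_AUTH, secret=SECRET,
    attributes=[(LOGIN_IP_HOST, socket.inet_aton("10.2.2.2"))],
)

if __name__ == "__main__":
    print(verify_reply(SAMPLE_REPLY, REQUEST_AUTH, SECRET), assigned_addresses(SAMPLE_REPLY))
```

The authenticator check is the part worth keeping in any capture-analysis tooling: an Access-Accept that decodes cleanly but fails `verify_reply` was not produced by a server holding the shared secret for that request.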
We have two 3005 concentrators that need to be replaced.
Is there anything equivalent that will allow for creation of groups, Cisco VPN client, web VPN and is reasonably priced?
What do people generally do for a plug-in replacement to the 3005 VPN concentrator?
What is generally done about the cost?
At the moment, the PIX firewalls are not EOL.
If I replace the firewalls just because the 3005 is EOL, that will be a large expense, correct?
Also, at the moment, the firewall is passing the traffic through to the concentrator in a DMZ.
What is the alternative in the ASA appliance?
And, does the ASA allow for the creation of groups for access like the concentrator does? -
What's replaced the vpn concentrator?
Greenhorn here, I didn't set any of this up. We have three remote sites, sister institutions, that we share an app with. We house the app. One site has a VPN concentrator set up, the other two are using a point-to-point leased line. They each have a router that connects to a single router. They want to replace the leased lines with a VPN concentrator. Doing the digging I see the concentrators are EOL.
So what's used to replace the concentrator today? What's a solution today to move away from the leased lines? These are all cash-poor non-profits. My guess is they'll say look on eBay for a concentrator if the solution is too pricey.
Thanks, Jim
Sorry it took so long but here's the output from sh version.
Location 1
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-I-M), Version 12.2(16a), RELEASE SOFTWARE (fc2)
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Fri 18-Apr-03 19:25 by xxxxx
Image text-base: 0x8000808C, data-base: 0x80A0EE84
ROM: System Bootstrap, Version 12.2(10r)1, RELEASE SOFTWARE (fc1)
xxxxxxxxx uptime is 41 weeks, 3 days, 20 hours, 54 minutes
System returned to ROM by power-on
System image file is "flash:c2600-i-mz.122-16a.bin"
cisco 2621 (MPC860) processor (revision 0x00) with 27648K/5120K bytes of memory.
Processor board ID JAD07070EVT (2982455740)
M860 processor: part number 5, mask 2
Bridging software.
X.25 software, Version 3.0.0.
2 FastEthernet/IEEE 802.3 interface(s)
2 Serial network interface(s)
32K bytes of non-volatile configuration memory.
8192K bytes of processor board System flash (Read/Write)
Configuration register is 0x2102
Location 2
Cisco Internetwork Operating System Software
IOS (tm) C1700 Software (C1700-SY-M), Version 12.2(11)T6, RELEASE SOFTWARE (fc1)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Fri 14-Feb-03 14:34 by ccai
Image text-base: 0x80008124, data-base: 0x80A94064
ROM: System Bootstrap, Version 12.2(7r)XM1, RELEASE SOFTWARE (fc1)
xxxxxxxxxxx uptime is 14 weeks, 14 hours, 22 minutes
System returned to ROM by power-on
System image file is "flash:c1700-sy-mz.122-11.T6.bin"
cisco 1721 (MPC860P) processor (revision 0x100) with 44237K/4915K bytes of memory.
Processor board ID FOC0708028N (496857573), with hardware revision 0000
MPC860P processor: part number 5, mask 2
Bridging software.
X.25 software, Version 3.0.0.
1 FastEthernet/IEEE 802.3 interface(s)
1 Serial network interface(s)
WIC T1-DSU
32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read/Write)
Configuration register is 0x2102
Location 3
Cisco Internetwork Operating System Software
IOS (tm) C1700 Software (C1700-SY-M), Version 12.2(11)T6, RELEASE SOFTWARE (fc1)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Fri 14-Feb-03 14:34 by ccai
Image text-base: 0x80008124, data-base: 0x80A94064
ROM: System Bootstrap, Version 12.2(7r)XM1, RELEASE SOFTWARE (fc1)
Xxxxxxxxx uptime is 13 weeks, 6 days, 5 minutes
System returned to ROM by reload
System image file is "flash:c1700-sy-mz.122-11.T6.bin"
cisco 1721 (MPC860P) processor (revision 0x100) with 44237K/4915K bytes of memory.
Processor board ID FOC0707142M (1927840357), with hardware revision 0000
MPC860P processor: part number 5, mask 2
Bridging software.
X.25 software, Version 3.0.0.
1 FastEthernet/IEEE 802.3 interface(s)
1 Serial network interface(s)
WIC T1-DSU
32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read/Write)
Configuration register is 0x2102
Location 4
Cisco IOS Software, 2800 Software (C2800NM-ADVSECURITYK9-M), Version 12.4(3g), RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Mon 06-Nov-06 02:36 by alnguyen
ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
xxxxxxxxxx uptime is 40 weeks, 5 days, 6 hours, 22 minutes
System returned to ROM by reload at 13:34:01 UTC Thu Dec 27 2012
System image file is "flash:c2800nm-advsecurityk9-mz.124-3g.bin"
This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to [email protected].
Cisco 2811 (revision 53.50) with 249856K/12288K bytes of memory.
Processor board ID FTX1051A01V
2 FastEthernet interfaces
2 Serial interfaces
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity enabled.
239K bytes of non-volatile configuration memory.
62720K bytes of ATA CompactFlash (Read/Write)
Configuration register is 0x2102 -
Routing loop when tracing to remote ip address on vpn concentrator
When I try to ping a remote address on my VPN 3000 concentrator I get TTL exceeded. When I try to tracert from my workstation to the remote address on my VPN 3000 I see a loop.
Tracing route to x.3.17.145
over a maximum of 30 hops:
1 29 ms 31 ms 28 ms 172.4.0.20
2 32 ms 30 ms 29 ms 172.4.0.25
3 38 ms 29 ms 31 ms 172.3.0.21
4 33 ms 30 ms 32 ms 172.4.0.25
5 32 ms 49 ms 27 ms 172.3.0.21
6 35 ms 30 ms 38 ms 172.4.0.25
7 31 ms 28 ms 28 ms 172.3.0.21
8 28 ms 28 ms 42 ms 172.4.0.25
9 38 ms 27 ms 32 ms 172.3.0.21
10 35 ms 28 ms 36 ms 172.4.0.25
11 35 ms 27 ms 28 ms 172.3.0.21
12 30 ms 28 ms 28 ms 172.4.0.25
13 39 ms 30 ms 43 ms 172.3.0.21
14 48 ms 28 ms 29 ms 172.4.0.25
15 36 ms 28 ms 34 ms 172.3.0.21
16 39 ms 39 ms 56 ms 172.4.0.25
17 42 ms 38 ms 47 ms 172.3.0.21
18 35 ms 39 ms 41 ms 172.4.0.25
19 49 ms 32 ms 29 ms 172.3.0.21
20 32 ms 28 ms 29 ms 172.4.0.25
21 28 ms 43 ms 30 ms 172.3.0.21
22 37 ms 32 ms 34 ms 172.4.0.25
23 29 ms 31 ms 32 ms 172.3.0.21
24 29 ms 33 ms 31 ms 172.4.0.25
25 32 ms 41 ms 43 ms 172.3.0.21
26 43 ms 29 ms 39 ms 172.4.0.25
27 47 ms 33 ms 31 ms 172.3.0.21
28 37 ms 29 ms 35 ms 172.4.0.25
29 44 ms 30 ms 91 ms 172.3.0.21
30 31 ms 41 ms 50 ms 172.4.0.25
172.3.0.21 is my private interface on the vpn 3000.
172.4.0.20 is my public interface on the vpn 3000.
172.4.0.25 is the default gateway / router interface on my router.
interface GigabitEthernet1/1/0.1
description connected to LAN
encapsulation dot1Q 1 native
ip address 10.3.0.25 255.255.255.0
interface GigabitEthernet0/0.4
description vpn 3000 concentratorconnection
encapsulation dot1Q 4
ip address 10.4.0.25 255.255.255.0
172.3.0.21 has no default gateway on the VPN concentrator.
172.3.0.21 has a default gateway 172.4.0.25 on the VPN concentrator.
Hi John
could you clarify where you are pinging from and where you are pinging to please?
From the LAN to a destination across a VPN tunnel?
Or from a source across the VPN tunnel to a host on the concentrator's LAN?
Or from a source across the VPN tunnel to a host on the Internet?
I suppose your last line has a typo, it should be
172.4.0.21 has a default gateway 172.4.0.25 on the vpn concentrator.
right?
Apart from the default gateway are there any other static routes configured on the vpn3k and the router? No dynamic routing protocol?
tnx
Herbert -
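The trace in the post above never reaches its destination: from hop 2 on, the packet bounces between the router (172.4.0.25) and the concentrator's private interface (172.3.0.21) until the 30-hop limit, which is why the ping reports TTL exceeded. The script below is an added example, not something from the thread or from Cisco: it parses tracert/traceroute output and reports the set of addresses a packet cycles through and the hop at which the first repeat appears, so a forwarding loop like this one can be spotted from a saved trace or in a monitoring job rather than by reading 30 lines by eye. The sample input is the first seven hops of the post's own trace, constructed inline; the functions handle timed-out hops and hostname-plus-address formats as well.

```python
import re
from collections import Counter

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample: the first seven hops of the tracert quoted in the post
# above (the real trace repeats the same two addresses up to hop 30).
SAMPLE_TRACERT = """\
Tracing route to x.3.17.145
over a maximum of 30 hops:
1 29 ms 31 ms 28 ms 172.4.0.20
2 32 ms 30 ms 29 ms 172.4.0.25
3 38 ms 29 ms 31 ms 172.3.0.21
4 33 ms 30 ms 32 ms 172.4.0.25
5 32 ms 49 ms 27 ms 172.3.0.21
6 35 ms 30 ms 38 ms 172.4.0.25
7 31 ms 28 ms 28 ms 172.3.0.21
"""


def parse_hops(text):
    """Return [(hop_number, address_or_None)] from tracert/traceroute output.

    A hop line starts with its number; the address is the last dotted quad on
    the line, which covers both 'a.b.c.d' and 'host [a.b.c.d]' forms. Hops
    that only timed out ('* * *') are kept with address None."""
    hops = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or not parts[0].isdigit():
            continue
        ips = IP_RE.findall(line)
        hops.append((int(parts[0]), ips[-1] if ips else None))
    return hops


def find_loop(hops):
    """Report a forwarding loop: the path returns to an address it already
    passed after having moved on to a different one. Returns None for a clean
    trace, otherwise the cycle members in path order, the hop at which the
    first repeat was seen and how often each member answered."""
    path = []                          # addresses in order, timed-out hops skipped
    for hop_no, addr in hops:
        if addr is None:
            continue
        if addr in path and path[-1] != addr:
            cycle = []
            for seen in path[path.index(addr):]:
                if seen not in cycle:
                    cycle.append(seen)
            visits = Counter(a for _, a in hops if a in cycle)
            return {"cycle": cycle, "first_repeat_hop": hop_no,
                    "visits": dict(visits)}
        path.append(addr)
    return None


def diagnose(text):
    """Parse a trace and summarise whether it shows a loop."""
    hops = parse_hops(text)
    return {"hops_seen": len(hops), "loop": find_loop(hops)}


if __name__ == "__main__":
    print(diagnose(SAMPLE_TRACERT))
```

A two-member cycle whose members are a router interface and a VPN device's inside interface is the classic signature of each side pointing its route for the destination at the other, which is exactly what Herbert's questions about the default gateway and static routes are probing.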
Setup Sunray 3G with Cisco 3005 VPN concentrator
hi,
I first explain the setup situation:
Gobi8 (3G) => Cisco 3005 VPN Concentrator => Sunray Server (4 09/07)
Do I need to set up a Sunray segment for non-directly connected networks or do I need to set up one for directly connected networks?
Can the Sunray server give IP addresses to the Gobi8 through a VPN tunnel, or do I need to let the Cisco handle the IP address management?
Is there some info about which IKE proposal I need to select in the Cisco 3005?
Any help would be appreciated
Thx
I have not used the Gobi 8 but this is how I configure my SR 2, SR 2FS, and SR 270 for VPN, I believe the Gobi can do similar things. You will need to set up your SR server as part of a shared network, NOT a dedicated network. Configure your concentrator as an Easy VPN server and the Gobi as an Easy VPN client. Using the Easy VPN setup automatically handles IKE, though you will have to set up groups etc. Since my DTUs move around I use DHCP so the initial IP address comes from the local network; as part of connecting to the remote network the concentrator will issue an IP address for the SR server network. This has worked for me on wired and WiFi LANs, I do not know if it will work with 3G wireless but I do not see why it should not. Hope this helps and good luck.
-
Hi, I have run into a problem with my VPN concentrator. I was setting up AAA on it this morning and after configuring it, I cannot get back into the web interface. It is version 2.21 running on the concentrator. I cannot get a console session; nothing appears when I use the settings 9600, 8, 0, 1, Hardware. I can see the authentication is working in the ACS logs but I am getting invalid login on the VPN Concentrator. Is there anything I can do at this point?
Was using the wrong type cable to console into the Concentrator. Done a password reset from the console and that allowed me back in.
Cheers
Brian -
Cisco 3005 vpn concentrator console cable
hi
I have just purchased a Cisco 3005 VPN concentrator and I need to know where I can get a console cable for it. The cable is different from the ones I have for my PIX and routers, as the connection at the concentrator end is a DB9 and not an RJ45.
I've tried looking on eBay but with no luck.
PS
I live in England
Regards
Melvyn Brown
Melvyn,
Use a Straight Through Cable to console into the VPN3000.
I hope it helps.
Regards,
Arul -
Hello,
I know I'm using an end-of-life product but was hoping for a little help. We are running a Cisco VPN Concentrator 3000, code version 4.7.2. We only have about 40-45 site-to-site tunnels max. Total connections is 60.
Every time we add a new site-to-site tunnel it causes issues with our existing tunnels, with latency for users. We notice that the latency and CPU on the concentrator are very high, spiking at 100% for a good amount of time. Off hours this goes down. This has happened with a number of different new tunnels we have brought up over the last few months. We have new SEP cards installed. We cannot get any TAC support, so was hoping someone might have had the same issue and can assist.
Thanks,
Thanks Andrew. We'll look into adding the SEP-E module. Wouldn't that cause consistent high CPU utilization? We've only seen the CPU spike twice to 100% and stick. Normally it's around 2%, so there's not much load on the concentrator. We thought there may be a known bug in the IOS.
-
Ciscoworks and VPN concentrator or PIX
With plain old CiscoWorks LMS, is there anything useful that can be done with a PIX or a VPN concentrator, as there is no write community string? Can you do anything aside from viewing the box?
Not via SNMP, since VPN and PIX boxes by design do not allow an SNMP RW string to be configured on them.