Analysis of Problem Areas

The problems of AAA implementation on VPN 3000 may be categorized as follows:

VPN concentrator management troubleshooting

Group/user authentication (x-auth) troubleshooting

VPN Concentrator Management Troubleshooting
Only the TACACS+ protocol is supported for VPN Concentrator management authentication. To control which users can manage the concentrator from the GUI, the concentrator must run version 3.0 or later and Cisco Secure ACS must be version 2.4 or later.

Configuration Steps
Configuring the VPN 3000 Concentrator for authentication and authorization with TACACS+ server is a two-step process:

Configuration on the Cisco Secure ACS server


Configuration on the VPN 3000 Concentrator


The following sections explain the steps required to configure TACACS+ for VPN Concentrator Management.

Configuration on the Cisco Secure ACS
Cisco Secure ACS configuration involves defining VPN 3000 Concentrator as an AAA client under the Network Configuration, and defining user profiles. User profiles can be defined either locally on the CS ACS database, or can be configured in external user databases. Refer to Chapter 13, "Troubleshooting Cisco Secure ACS on Windows," for additional detail on external user database integration with CS ACS. The following steps explain how to configure the VPN 3000 Concentrator as an AAA client, and how to create the user profiles locally on the CS ACS:

Step 1. Click Network Configuration in the left Navigation panel. Under AAA Clients click Add Entry.



Step 2. On the next screen, fill out the form to add the VPN 3000 Concentrator as the TACACS client. Define a shared secret, and be sure to enter the same secret on the VPN 3000 Concentrator. Select Authenticate using = TACACS+ (Cisco IOS).


Step 3. Click on the Submit + Restart button.


Step 4. Define a user account that the VPN 3000 Concentrator will authenticate through TACACS+. Click User Setup in the left panel, enter the username (admin in this example), and click Add/Edit. The username does not have to be "admin"; any name works.


Step 5. On the next screen, define the password, and map this user to a specific group. In this example, the user "admin" is mapped to the group, Group 10.


Step 6. Click Submit.


Step 7. Click Group Setup in the left panel. From the drop-down menu, select your group (Group 10 in this example) and click Edit Settings.


Step 8. On the next screen, be sure that the following attributes are selected under TACACS+ Settings: Shell (exec) and Privilege level = 15 as shown in Figure 12-1.



Figure 12-1. Group Setup with Shell Exec Turned On and Privilege Level Set to 15






Step 9. Click the Submit + Restart button.



Configuration on the VPN 3000 Concentrator
Once CS ACS is configured, configure the VPN 3000 Concentrator to forward management authentication requests to the CS ACS server. As soon as TACACS+ authentication is turned on, you can no longer log in to the GUI with the locally defined administrative accounts and passwords (admin, config, isp, and so on). The locally defined accounts still matter, however: their access rights determine the privileges a TACACS+ user receives. After a successful authentication, the privilege level defined for the user (or the user's group) on the TACACS+ server is downloaded to the concentrator, and it must match the "AAA Access Level" of at least one locally configured administrative account. If no account has a matching level, the login fails.

If the corresponding "AAA Access Level" is defined, this externally configured user account will have the same permission as the configured access right for this specific access level. For example, to permit a user to modify the configuration, but not read/write files, assign the user a privilege level of 12 on the TACACS+ server (pick any number between 1 and 15). Then, on the VPN 3000 Concentrator, pick one of the other locally configured administrators. Next, set its AAA Access Level to 12, and set the permissions on this user to be able to modify the configuration, but not to read/write files. Because of the matching privilege/access level, the user gets those permissions when logging in.

The following section details the step-by-step procedure for VPN 3000 Concentrator configurations to assign the user a privilege level of 15:

Step 1. To add an entry for the TACACS Server in the VPN 3000 Concentrator, go to Administration > Access Rights > AAA Servers > Authentication in the navigation tree in the left panel, and then click Add in the right panel.


Step 2. On the next screen, fill out the form as follows with ACS Server IP address: the shared secret key should be the same as that defined on the ACS Server, and the rest of the fields should be left at their defaults.


Step 3. To modify the Admin Account on the Concentrator for TACACS Authentication, go to Administration > Access Rights > Administrators and click Modify for the user "admin" to modify the properties of this user. You may select other administrator accounts to define the AAA Access Level and activate the account.



Step 4. On the next screen, set the AAA Access Level as 15 as shown in Figure 12-2. This level has to be matched with the user privilege level defined on the CS ACS servers for the group profile to which the users belong.



Figure 12-2. Defining AAA Access Level to 15 for One Administrative User on VPN 3000 Concentrator






Step 5. Click on Apply and Save as needed.


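The privilege-level matching rule described above is easy to get wrong (Shell (exec) not enabled on the ACS group, a level that no local account carries, the matching account disabled). The following is an added example, not code from the book or from Cisco, that models that rule: it parses the AV pairs a TACACS+ shell authorization reply carries (service=shell, priv-lvl=N, the usual TACACS+ shell convention) and resolves them against a constructed table of local administrator accounts, mirroring the page's admin-at-15 and modify-configuration-but-not-files-at-12 cases. The account names, their rights and the "level 0 means unused" convention are assumptions made for the example.

```python
"""Map a TACACS+ shell authorization result to a VPN 3000 local administrator account.
Added example, not from the book or Cisco. It models the rule stated on this page: the
privilege level ACS returns must equal the AAA Access Level of at least one locally
defined administrator, whose rights the session then inherits; otherwise the login fails.
AV-pair names follow the TACACS+ shell convention (service=shell, priv-lvl=N); the
account table and its rights are constructed for the example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AdminAccount:
    name: str
    enabled: bool
    aaa_access_level: int      # assumption: 0 means the account is not used for AAA matching
    rights: dict               # constructed: area -> "none" | "read" | "modify"


class AuthorizationFailed(Exception):
    """Raised where the concentrator would reject the GUI login."""


# Constructed local accounts mirroring the page's example: admin at level 15 with full
# rights, a second account at level 12 that may modify the configuration but not files,
# and a disabled account whose level must therefore never match.
LOCAL_ADMINS = [
    AdminAccount("admin", True, 15, {"configuration": "modify", "files": "modify", "monitoring": "read"}),
    AdminAccount("config", True, 12, {"configuration": "modify", "files": "none", "monitoring": "read"}),
    AdminAccount("isp", False, 10, {"configuration": "read", "files": "none", "monitoring": "read"}),
]


def parse_av_pairs(pairs):
    """TACACS+ AV pairs: 'attr=value' is mandatory, 'attr*value' optional; the first
    separator splits the pair. Returns {attr: (value, mandatory)}."""
    out = {}
    for pair in pairs:
        idx = min((i for i, ch in enumerate(pair) if ch in "=*"), default=-1)
        if idx <= 0:
            raise ValueError(f"not an AV pair: {pair!r}")
        out[pair[:idx]] = (pair[idx + 1:], pair[idx] == "=")
    return out


def resolve_admin_session(av_pairs, accounts):
    """Return the enabled local account whose AAA Access Level equals the returned priv-lvl."""
    attrs = parse_av_pairs(av_pairs)
    if attrs.get("service", ("", True))[0] != "shell":
        raise AuthorizationFailed("Shell (exec) is not enabled in the ACS TACACS+ settings")
    try:
        level = int(attrs["priv-lvl"][0])
    except (KeyError, ValueError):
        raise AuthorizationFailed("no numeric priv-lvl in the authorization reply") from None
    if not 0 <= level <= 15:
        raise AuthorizationFailed(f"priv-lvl {level} is outside 0-15")
    for account in accounts:
        if account.enabled and account.aaa_access_level == level:
            return account
    raise AuthorizationFailed(f"priv-lvl {level} matches no enabled account's AAA Access Level")


def authorization_outcome(av_pairs, accounts=LOCAL_ADMINS):
    """Human-readable verdict, handy when replaying an entry from the ACS Failed Attempts report."""
    try:
        account = resolve_admin_session(av_pairs, accounts)
    except (AuthorizationFailed, ValueError) as err:
        return f"denied: {err}"
    return f"granted as {account.name}: " + ", ".join(f"{k}={v}" for k, v in account.rights.items())
```

Replaying the page's failure list against this model: a reply without service=shell is the "Shell (exec) not checked" case, a reply with priv-lvl=7 is the "no matching AAA Access Level" case, and priv-lvl=10 fails here only because the constructed "isp" account is disabled.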

Tip

While turning on AAA for administration of the VPN 3000 Concentrator, it is very important that your current session does not time out while you test. The default idle timeout is 600 seconds, so increase it to 1800 seconds on the Administration > Access Rights > Access Settings screen before you enable TACACS+. After testing against the authentication server, open a new Web browser window and log in as the TACACS+ user; confirm that login and authorization work as expected before you log out of the original session, which is your only way back in if they do not. Once you are comfortable with the setting, change the idle timeout back to the default or to any value you prefer.



Troubleshooting Steps
Once you are finished with the configuration, do not log out from the session without performing the following test:

Step 1. To test the authentication, go to Administration > Access Rights > AAA Servers > Authentication. Select your server, and then click Test.


Step 2. Your authentication should be successful.



If the authentication fails, turn on logging as discussed in the "Diagnostic Commands and Tools" section. Also, on the CS ACS server under Reports and Activity, look at the active Failed Attempts file. For more details, you may also look at the auth.log file on the CS ACS. The following list outlines some common issues that you need to be aware of:

IP connectivity issue Perform a ping test from the VPN 3000 Concentrator (Administration > Ping) to the AAA server to be sure you don't have a problem with connectivity.

TACACS+ (TCP/49) traffic is blocked between the concentrator and the CS ACS server If you have a firewall between the VPN 3000 Concentrator and the CS ACS server, be sure to open TCP/49 in both directions. For example, if you have a VPN 3000 Concentrator on the DMZ interface of the PIX firewall, and CS ACS server on the inside interface network, you must have an ACL on the DMZ interface to allow the TCP packets with source port any and destination port 49. If the TACACS+ packet is blocked by the PIX firewall, when you perform the Authentication Server Test, you will see this message: Authentication Error: No active server found.

TACACS+ packet is blocked by filter If your TACACS+ server is on the public interface network, then you must allow the TACACS+ packets on the public interface filter. If you do not have both in and out rules for public filters to allow TACACS+ packets, the authentication will fail and display this message while performing the Authentication Server Test: Authentication Error: No active server found. To resolve this problem, create an in rule with a source port any and a destination port TCP/49. Then create an out rule with source port TCP/49 and destination port any. Finally, you must assign these rules to the public interface filter.

Shared secret key mismatch You must be sure that the shared secret keys defined on VPN concentrator and the ACS Server match; otherwise, ACS will not trust VPN 3000 Concentrator and will therefore reject authentication.

Wrong username or password You must ensure that you are entering the right username and password for authentication. Keep in mind that the username and password are case sensitive.

Misconfigured user/group profile on CS ACS server Be sure that on the CS ACS server, in the User or Group profile under "TACACS+ Settings" you have Shell (exec) checked and the appropriate Privilege level is set.

Misconfigured AAA access level on VPN 3000 Concentrator Be sure the Privilege level defined for the TACACS+ users matches the AAA access level set for at least one administrator account. Otherwise, authorization will fail, and therefore the user will be unable to log in to the VPN 3000 Concentrator.

Group/User Authentication (X-Auth) Troubleshooting
For Remote Access VPN, the VPN 3000 Concentrator can be configured to authenticate groups and users. Group authentication is mandatory; user authentication is optional but strongly recommended. Both group and user authentication can be performed locally on the VPN 3000 Concentrator or against an external user database such as a RADIUS server. The possible combinations of local and RADIUS authentication for groups and users are:

Both group and user authentications are performed locally on the VPN 3000 Concentrator.

Group authentication is done locally and no user authentication is done.

Group authentication is done locally on the VPN 3000 Concentrator, and user authentication is done with the RADIUS Server.

Group authentication is done with a RADIUS server, and user authentication is done locally.

Both group and user authentication are performed with a RADIUS Server.

The user is locked to a specific group.

The following sections show how to configure each of these scenarios with CS ACS acting as the RADIUS server for the VPN 3000 Concentrator.

Both Group and User Authentication Are Performed Locally on the VPN 3000 Concentrator
To authenticate both groups and users locally on the VPN 3000 Concentrator, you must configure both users and groups locally. Then point both user and group authentication to LOCAL as per the following steps:

Step 1. Go to Configuration > System > Servers > Authentication and click Add. For the Server Type, select Internal, and then click Add.


Step 2. Go to Configuration > System > Pools and click Add. In the new window, define the range of IP addresses and the netmask.


Step 3. Go to Configuration > System > Address Management and check the option you want. To use the address defined in step 2, check the Use Address Pools box.


Step 4. Go to Configuration > User Management > Groups, click Add, and configure the parameters for group identity, DNS, and authentication.


Step 5. On the Identity tab, set the following parameters.


Group Name (case sensitive)
Password (case sensitive)
Type = Internal




Step 6. On the General tab, set the following parameters:


Primary DNS
Secondary DNS
Primary WINS
Secondary WINS



Note

The IP addresses of the two WINS servers are passed to the VPN Client upon connection.

Step 7. On the IPsec tab, set the following parameter:


Authentication=Internal



Step 8. When you have configured these parameters, click Add.



Group Authentication Is Done Locally and No User Authentication Is Done
The configuration for this setup is almost identical to that described in the preceding section with one exception: In Step 7, select None instead of Internal for Authentication.

Group Authentication Is Done Locally on VPN 3000 Concentrator and User Authentication Is Done with RADIUS Server
The configuration steps for this setup are very similar to those described in the section entitled "Both Group and User Authentications are Performed Locally on the VPN 3000 Concentrator" with the following exceptions:

Step 1. Go to Configuration > System > Servers > Authentication and click Add. For the Server Type, select Internal, and then click Add.


Step 2. To configure the CS ACS RADIUS Server, go to Configuration > System > Servers > Authentication, and click Add. Then configure the following parameters:


Server Type: Select RADIUS.
Authentication Server: Enter the IP address or host name of the RADIUS server.
Server Secret: Enter the exact same string as that on the RADIUS server.



Step 3. When you have configured these parameters, click Add.


Step 4. Go to Configuration > System > Address Management and check the Use Address from Authentication Server option to assign the address from CS ACS server.


Step 5. Go to Configuration > User Management > Groups, click Add, and configure the parameters for group identity, DNS, and authentication.


Step 6. On the Identity tab, set the following parameters:


Group Name (case sensitive)
Password (case sensitive)
Type = Internal




Step 7. On the General tab, set the following parameters:


Primary DNS
Secondary DNS
Primary WINS
Secondary WINS



Step 8. On the IPsec tab, set the following parameter:


Authentication=Radius



Step 9. When you have configured these parameters, click Add.



With VPN Concentrator release 3.0 and later, you can configure an individual CS ACS RADIUS server for each group instead of relying on the single ACS RADIUS server defined globally. Any group without its own server uses the globally defined one. To define a per-group server, go to Configuration > User Management > Groups, highlight the group, and choose Modify Auth Server.

Follow these steps to configure the CS ACS RADIUS server to communicate with the VPN 3000 Concentrator:

Step 1. Add the VPN 3000 Concentrator as a Network Access Server (NAS) on the CS ACS RADIUS server under the Network Configuration section.


Add the IP address of the VPN 3000 Concentrator in the NAS IP Address box.
Add the same key you defined earlier on the VPN 3000 Concentrator in the Key box.
From the Authenticate Using: drop-down menu, select RADIUS (Cisco VPN 3000).



Step 2. Click the Submit + Restart button.


Step 3. Go to user setup, set up the user, and map the user to a specific group.


Step 4. Once finished with this configuration, go back to Test Authentication on the VPN Concentrator for the Authentication server and perform the authentication with the user you have just created.



Group Authentication Is Done with a RADIUS Server and User Authentication Is Done Locally
This is not a very common setup, but it is possible to authenticate the group with a RADIUS server and authenticate users locally. On successful group authentication, CS ACS returns an IPsec authentication type of Internal to the VPN 3000 Concentrator. Because the group is authenticated by RADIUS, the group name must be defined as a username on the CS ACS server. The group still has to be configured on the VPN 3000 Concentrator, but with its group type set to "External."

External Groups can return Cisco/Altiga attributes if the RADIUS server supports Vendor Specific Attributes (VSAs).

Any Cisco/Altiga attributes not returned by RADIUS default to the values in the Base Group.

If the RADIUS server does not support VSAs, all attributes default to the Base Group attributes.

Note

A VPN 3000 Concentrator Group name is treated just like a user on the CS ACS server. This username needs to be mapped to a CS ACS group name that is not the same as the VPN 3000 Concentrator Group name.



Work through the following steps to configure the VPN 3000 Concentrator:

Step 1. Go to Configuration > System > Servers > Authentication and click Add. For the Server Type, select Internal, and then click Add.


Step 2. To add the CS ACS RADIUS Server, go to Configuration > System > Servers > Authentication, and click Add. Then configure the following parameters:


Server Type: Select RADIUS.
Authentication Server: Enter the IP address or host name of the RADIUS server.
Server Secret: Enter the exact same string as that on the RADIUS server.



Step 3. When you have configured these parameters, click Add.


Step 4. Go to Configuration > System > Pools and click Add. In the new window, define the range of IP addresses and the netmask.


Step 5. Go to Configuration > System > Address Management and check the option you want. To use the addresses defined in Step 4, check the Use Address Pools box.


Step 6. Go to Configuration > User Management > Groups, click Add, and configure the Identity tab, and set the following parameters:


Group Name (Case Sensitive)
Password (case sensitive)
Type = External


The same group name and password must be used when you create the corresponding user on the CS ACS RADIUS server for this group.


Step 7. When you have configured these parameters, click Add.



Follow these steps to configure the CS ACS RADIUS server to communicate with the VPN 3000 Concentrator:


Step 1. Add the VPN 3000 Concentrator as a Network Access Server (NAS) on the CS ACS RADIUS server under the Network Configuration section.


Add the IP address of the VPN 3000 Concentrator in the NAS IP Address box.
Add the same key you defined earlier on the VPN 3000 Concentrator in the Key box.
From the Authenticate Using: drop-down menu, select RADIUS (Cisco VPN 3000).



Step 2. Click Submit + Restart button.


Step 3. Go to Interface Configuration > RADIUS (Cisco VPN 3000 Concentrator) and make sure the attribute "[026/3076/013] CVPN3000-IPsec-Authentication" is checked for both User and Group, so that it appears in both the user and the group configuration screens.


Step 4. Go to user setup. Create a user with the same name as the VPN Group name that is defined on the VPN 3000 Concentrator. Map this user into a CS ACS group.


Step 5. Either on the CS ACS user or group profile, check the [3076\013] CVPN3000-IPsec-Authentication attribute under Cisco VPN 3000 Concentrator RADIUS Attributes, and select Internal from the drop-down list.


Step 6. Once finished with this configuration, go back to Test Authentication on the VPN 3000 Concentrator for the Authentication server and perform the authentication with the user you have just created. Remember this username is the same name as the group name that was configured on the VPN 3000 Concentrator.



Both Group and User Authentications Are Performed with the RADIUS Server
If you want to authenticate both group and user with the CS ACS RADIUS server, follow the steps below to configure the VPN 3000 Concentrator:

Step 1. To add the CS ACS RADIUS Server, go to Configuration > System > Servers > Authentication, and click Add. Then configure the following parameters:


Server Type: Select RADIUS.
Authentication Server: Enter the IP address or host name of the RADIUS server.
Server Secret: Enter the exact same string as that on the RADIUS server.



Step 2. When you have configured these parameters, click Add.


Step 3. Go to Configuration > System > Address Management and check the Use Address from Authentication Server option to assign the address from CS ACS server.


Step 4. Go to Configuration > User Management > Groups, click Add, and configure the parameters for group identity, DNS, and authentication.



Step 5. On the Identity tab, set the following parameters.


Group Name (case sensitive)
Password (case sensitive)
Type = External



Step 6. On the General tab, leave the DNS and WINS server IP fields blank. This will be defined on the CS ACS server under user/group profile.


Step 7. On the IPsec tab, set the following parameter:


Authentication=RADIUS



Step 8. When you have configured these parameters, click Add.



Follow these steps to configure the CS ACS RADIUS server to communicate with the VPN 3000 Concentrator:

Step 1. Add the VPN 3000 Concentrator as a network access server (NAS) on the CS ACS RADIUS server under the Network Configuration section.


Add the IP address of the VPN 3000 Concentrator in the NAS IP Address box.
Add the same key you defined earlier on the VPN 3000 Concentrator in the Key box.
From the Authenticate Using: drop-down menu, select RADIUS (Cisco VPN 3000).



Step 2. Click Submit + Restart button.


Step 3. Go to Interface Configuration > RADIUS (Cisco VPN 3000 Concentrator) and make sure the attribute [026/3076/013] CVPN3000-IPsec-Authentication is checked for both User and Group, so that it appears in both the user and the group configuration screens. Do the same for the Primary and Secondary DNS and WINS server attributes.


Step 4. Go to user setup. Create a user with the same name as the VPN Group name defined on the VPN 3000 Concentrator. Map this user into a CS ACS group.


Step 5. Either on the CS ACS user or group profile, check the [3076\013] CVPN3000-IPsec-Authentication attribute under Cisco VPN 3000 Concentrator RADIUS Attributes, and select RADIUS from the drop-down list.


Step 6. Create an actual user profile for Remote Access VPN for user authentication, and map the user to a group. Either on the group or user profile, define the WINS and DNS servers' IP address (both primary and secondary) under the Cisco VPN 3000 Concentrator RADIUS Attributes.


Step 7. Once finished with this configuration, go back to Test Authentication on the VPN 3000 Concentrator for the authentication server and test with both accounts you just created: the group-name user and the actual remote-access user. Remember that the first username is the same as the group name configured on the VPN 3000 Concentrator.



User Is Locked to a Specific Group
The configuration on the VPN 3000 Concentrator is similar to a standard configuration as discussed earlier with various scenarios. The ability to lock users into a group defined on the VPN 3000 Concentrator is enabled by defining a return attribute in the RADIUS user profile. This attribute contains the VPN 3000 Concentrator group name that you want the user to be locked into. This attribute is the Class attribute (IETF RADIUS attribute number 25), and has to be returned to the VPN Concentrator in the following format:

OU=groupname;

Here groupname is the name of the group on the VPN 3000 Concentrator that the user locks into. OU has to be in capital letters, and there must be a semicolon at the end.

Assume that the VPN Client software is distributed to all users with an existing connection profile using a groupname of Common_Group and password cisco123. Each user has a discrete username/password (in the example, the username/password is cisco/cisco). When the user's name is sent to the RADIUS server, the RADIUS server sends down information on the real group that the user is to be in. In the example, it is Secured_Group.

By doing this, you can completely control the group assignment on the RADIUS server and keep the assignment transparent to the users. If the RADIUS server does not assign a group to the user, the user remains in the Common_Group group, and because the Common_Group group has very restrictive filters, the user cannot pass any traffic. If the RADIUS server does assign a group to the user, the user inherits the attributes, including the less-restrictive filters that are particular to the group. In the example, you would apply a filter to group "Secured_Group" on the VPN Concentrator to permit all traffic.

Here is additional configuration that is needed on the VPN 3000 Concentrator for the Group Lock to work:

Step 1. Define a filter that drops access to everything in the internal network. This is applied to the group "Common_Group," so that even if the users can authenticate into this group and stay in it, they are still not able to access anything.


Step 2. Under Configuration > Policy Management > Traffic Management > Rules, add a rule called Drop All and leave everything at the defaults.


Step 3. Under Configuration > Policy Management > Traffic Management > Filters, create a filter called Drop All and leave everything at the defaults. Add the Drop All rule to it.



Step 4. Under Configuration > User Management > Groups, add a group called Common_Group. This is the group that all users have pre-configured in the VPN Client. They authenticate into this group initially, and then are locked into a different group after user authentication. Define the group just like any other VPN group by defining the password, specifying the authentication type (such as RADIUS or Internal authentication) and so on. Make sure you add the Drop All filter (that you just created) under the General tab. To use RADIUS authentication for users in this group, set the group's Type (under the Identity tab) to Internal and Authentication (under the IPsec tab) to RADIUS. Make sure the Group Lock feature is not checked for this group. Note that even if you do not define a Drop All filter, make sure there is at least one filter defined here.


Step 5. Define the user's ultimate destination group (the example is "Secured_Group"), and apply a filter.



Note

You must define a filter here. If you do not want to block any traffic for these users, create an "Allow All" filter and apply the "Any In" and "Any Out" rules to it. You must define a filter of some kind to pass traffic. To use RADIUS authentication for users in this group, set the group's Type (under the Identity tab) to Internal and Authentication (under the IPsec tab) to RADIUS. Be sure the Group Lock feature is not checked for this group.


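The group lock above hinges on the exact bytes the RADIUS server returns in the Class attribute, and the earlier sections depend on two vendor-specific attributes (CVPN3000-IPsec-Authentication, vendor 3076 type 13, and the Cisco av-pair, vendor 9 type 1) and on both sides agreeing on the shared secret. The following is an added example, not code from the book or from Cisco, that builds a RADIUS Access-Accept with those attributes using the RFC 2865 layout, verifies its Response Authenticator the way a NAS would (this is the check that fails on a shared-secret mismatch), and applies the page's Class rule: only "OU=<group>;" with capital OU and a trailing semicolon locks the user into the named group; anything else leaves the user in the group the client connected with. The request authenticator, secret, group names and attribute contents are constructed; the numeric code carried in CVPN3000-IPsec-Authentication is left as an opaque integer because the page names the choices but not their codes.

```python
"""RADIUS Access-Accept attributes as the VPN 3000 Concentrator sees them: Class group
lock (OU=group;), Altiga VSA 3076/13, Cisco av-pair VSA 9/1, and the Response
Authenticator check. Added example, not from the book or Cisco; packet layout follows
RFC 2865, while the packet contents, group names and secret are constructed."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ATTR_CLASS, ATTR_VENDOR_SPECIFIC = 25, 26
VENDOR_CISCO, VENDOR_ALTIGA = 9, 3076                 # Altiga = the VPN 3000 dictionary [3076\...]
CISCO_AV_PAIR, CVPN3000_IPSEC_AUTHENTICATION = 1, 13


def attribute(atype, value):
    """Plain RADIUS attribute: Type, Length (value + 2), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([atype, len(value) + 2]) + value


def vsa(vendor_id, vendor_type, value):
    """Vendor-Specific (26): 4-byte Vendor-Id, then Vendor-Type, Vendor-Length, value."""
    inner = bytes([vendor_type, len(value) + 2]) + value
    return attribute(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)


def build_access_accept(ident, request_authenticator, secret, attributes):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(attributes)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    return header + hashlib.md5(header + request_authenticator + body + secret).digest() + body


def response_authenticator_ok(packet, request_authenticator, secret):
    """False when the concentrator and the server disagree on the shared secret."""
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + body + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def parse_attributes(packet):
    """Return [(type, vendor_id, vendor_type, value)]; vendor fields are None for plain attributes."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    out, pos = [], 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        value = packet[pos + 2:pos + alen]
        if atype == ATTR_VENDOR_SPECIFIC and len(value) >= 4:
            vendor_id, vpos = struct.unpack("!I", value[:4])[0], 4
            while vpos < len(value):
                vtype, vlen = value[vpos], value[vpos + 1]
                if vlen < 2 or vpos + vlen > len(value):
                    raise ValueError("malformed VSA")
                out.append((atype, vendor_id, vtype, value[vpos + 2:vpos + vlen]))
                vpos += vlen
        else:
            out.append((atype, None, None, value))
        pos += alen
    return out


def locked_group(attrs, concentrator_groups, initial_group="Common_Group"):
    """Group Lock rule from this page: Class must read exactly 'OU=<name>;' (capital OU,
    trailing semicolon). Without a usable Class the user stays in the group it connected with."""
    for atype, _, _, value in attrs:
        if atype != ATTR_CLASS:
            continue
        text = value.decode("ascii", "replace")
        if text.startswith("OU=") and text.endswith(";") and text[3:-1] in concentrator_groups:
            return text[3:-1]
    return initial_group        # assumption: a malformed or unknown group name is ignored


def ipsec_authentication(attrs):
    """Integer code in CVPN3000-IPsec-Authentication (ACS maps names such as Internal or RADIUS
    to codes this page does not list), or None when the server did not send the attribute."""
    for atype, vid, vtype, value in attrs:
        if (atype, vid, vtype) == (ATTR_VENDOR_SPECIFIC, VENDOR_ALTIGA, CVPN3000_IPSEC_AUTHENTICATION):
            return struct.unpack("!I", value)[0] if len(value) == 4 else None
    return None


def dynamic_filter_lines(attrs):
    """cisco-av-pair values carrying ip:inacl# rules, i.e. this page's dynamic filter."""
    return [v.decode("ascii") for a, vid, vt, v in attrs
            if (a, vid, vt) == (ATTR_VENDOR_SPECIFIC, VENDOR_CISCO, CISCO_AV_PAIR)
            and v.startswith(b"ip:inacl#")]


# Constructed exchange: the request authenticator the "concentrator" sent and the accept it got.
REQUEST_AUTHENTICATOR = bytes(range(16))
SECRET = b"cisco123"
ACCEPT = build_access_accept(7, REQUEST_AUTHENTICATOR, SECRET, [
    attribute(ATTR_CLASS, b"OU=Secured_Group;"),
    vsa(VENDOR_ALTIGA, CVPN3000_IPSEC_AUTHENTICATION, struct.pack("!I", 1)),
    vsa(VENDOR_CISCO, CISCO_AV_PAIR, b"ip:inacl#1=permit tcp any host 20.1.1.100 eq 80"),
])
```

The secret is appended to the MD5 input rather than keyed in, so a mismatch shows up only as an authenticator that does not verify; that is why a wrong shared secret looks like a dead server from the concentrator's side rather than an explicit rejection.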

Dynamic Filters on the VPN 3000 Concentrator
The VPN 3000 Concentrator allows you to define remote access user filters on an external RADIUS server, such as Cisco Secure ACS, rather than on the VPN 3000 Concentrator. Using an external RADIUS server allows centralized filter management and greater scalability. Also, configuring filters in this way allows you to assign filters to a particular tunnel group or a particular user.

These filters are called dynamic filters because they remain in place only for the duration of the session to which they apply. When a user authenticates via RADIUS, the VPN 3000 Concentrator downloads the filter associated with the user and applies it for the duration of the connection. When the connection finishes, the filter drops.

Configure this feature on the RADIUS server, not on the VPN 3000 Concentrator. (The filters you configure on the VPN 3000 Concentrator are static.)

You can configure a dynamic filter on either a user or a group. If both user dynamic filters and group dynamic filters apply to a single connection, the user filters take precedence. If both dynamic filters and static filters apply to the same connection, the dynamic filters take precedence. The order of precedence is:

Dynamic user filter

Dynamic group filter

Static user filter

Static group filter

Note

If you encounter problems using this feature, debug by tracking the FILTERDBG event class. If you are concerned about filter syntax errors, track events with severity level 6. The error log shows how the VPN Concentrator parses the filter. To view the actual filtering, track events with severity level 9; in this case, be sure to define the filter using the keyword "log."



To see the dynamic filters currently loaded, browse to Monitoring > Dynamic Filters.

This screen shows a list of the unique dynamic filters currently in use on the VPN 3000 Concentrator. Select a filter to view its associated rules in the text box below the list of dynamic filters. The syntax of each rule is as follows:

[Prefix] [Action] [Protocol] [Source] [Source Wildcard Mask] [Destination]
[Destination Wildcard Mask] [Established] [Log] [Operator] [Port]



Table 12-1 shows the meaning of the fields that make up the Dynamic Filters.

Table 12-1. Meaning of Fields for Dynamic Filters

Field: Description

Prefix: Unique identifier for the AV pair, for example ip:inacl#1=. This field appears only when the filter was sent as an AV pair.

Action: Action to perform if the rule matches: deny or permit.

Protocol: Number or name of an IP protocol, either an integer in the range 0-255 or one of the keywords icmp, igmp, ip, tcp, udp.

Source: Network or host from which the packet is sent, specified as an IP address, a hostname, or the keyword "any". If specified as an IP address, the source wildcard mask must follow.

Source Wildcard Mask: The wildcard mask applied to the source address.

Destination: Network or host to which the packet is sent, specified as an IP address, a hostname, or the keyword "any". If specified as an IP address, the destination wildcard mask must follow.

Destination Wildcard Mask: The wildcard mask applied to the destination address.

Log: Generates a FILTER log message. You must use this keyword to generate events of severity level 9.

Operator: Logical operators: greater than, less than, equal to, not equal to.

Port: The number of a TCP or UDP port, in the range 0-65535.





Configuration of Dynamic Filters on CiscoSecure ACS
You can configure dynamic filters on any RADIUS server by using the Cisco vendor-specific RADIUS attribute (26/9/1) AV-Pair to define and transmit attribute/value pairs. In configuring the feature, refer to Table 12-2 for a list of tokens that the VPN Concentrator supports.

Table 12-2. VPN Concentrator-Supported Tokens

Token (Syntax Field): Description

ip:inacl#Num= (Identifier): Starts every AV-pair access control list entry; Num is a unique integer.

deny (Action): Denies the traffic. (Default.)

permit (Action): Allows the traffic.

icmp or 1 (Protocol): Internet Control Message Protocol (ICMP).

ip or 0 (Protocol): Internet Protocol (IP).

tcp or 6 (Protocol): Transmission Control Protocol (TCP).

udp or 17 (Protocol): User Datagram Protocol (UDP).

any (Hostname): Rule applies to any host.

host (Hostname): Any alphanumeric string that denotes a hostname.

log (Log): When the rule is hit, a filter log message is generated (the same as permit and log or deny and log).

lt (Operator): Less than value.

gt (Operator): Greater than value.

eq (Operator): Equal to value.

neq (Operator): Not equal to value.

range (Operator): Inclusive range; must be followed by two values.





You can configure Cisco Secure ACS by using either of the following screens:

Using Cisco IOS/PIX RADIUS attributes

Using Downloadable PIX/IP ACLs

Using Cisco IOS/PIX RADIUS Attributes
When you define the VPN 3000 Concentrator on the CS ACS under the AAA client configuration, be sure to choose the RADIUS (Cisco IOS/PIX) dictionary. Then, in the user or group configuration under "Cisco IOS/PIX RADIUS Attributes," check the "[009\001] cisco-av-pair" box and enter the ACL shown in Example 12-1 in the text box.

Example 12-1. ACL Needed To Be Created on ACS
ip:inacl#1=permit ip 10.1.1.0 0.0.0.255 host 20.1.1.1
ip:inacl#2=permit ip 10.1.1.0 0.0.0.255 30.1.1.0 0.0.0.255
ip:inacl#3=deny ip 10.1.1.0 0.0.0.255 30.1.1.0 0.0.0.255 log
ip:inacl#4=permit TCP any host 20.1.1.100 eq 80
ip:inacl#5=permit TCP any host HOST12 neq 80





Figure 12-3 shows the ACL from Example 12-1 as entered on the CS ACS.


Figure 12-3. Screenshot of ACL Definition for Filter Using Cisco AV Pair on a CS ACS Server






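The rule syntax, Tables 12-1 and 12-2, and the ACL in Example 12-1 together define a small language, and misreadings of it (a port operator on an ip rule, a wildcard mask that does not follow an address, rules sent out of numerical order) are exactly what the FILTERDBG severity 6 events report. The following is an added example, not code from the book or from Cisco, that parses ip:inacl# AV pairs according to those tables, evaluates a packet against the parsed rules, and flags rules that can never fire; run on Example 12-1 it shows that rule 3 is shadowed by rule 2 and so its log keyword never produces an event. The packet description (protocol number, source, destination, destination port), first-match evaluation and implicit deny when nothing matches are assumptions made here, as is treating HOST12 as a symbolic name compared literally; the established keyword is accepted by the page's syntax but not modelled.

```python
"""VPN 3000 dynamic filter AV pairs (ip:inacl#N=...): parser and first-match evaluator.
Added example, not from the book or Cisco. Grammar follows this page's rule syntax and token
tables; packet tuple, first-match order and deny when nothing matches are assumptions here."""
import ipaddress, re
from collections import namedtuple

PROTO_NAMES = {"ip": 0, "icmp": 1, "igmp": 2, "tcp": 6, "udp": 17}
# operator -> (number of port values it takes, predicate over (packet port, rule ports))
PORT_OPERATORS = {"lt": (1, lambda x, p: x < p[0]), "gt": (1, lambda x, p: x > p[0]),
                  "eq": (1, lambda x, p: x == p[0]), "neq": (1, lambda x, p: x != p[0]),
                  "range": (2, lambda x, p: p[0] <= x <= p[1])}
PREFIX_RE = re.compile(r"^ip:inacl#(\d+)=(.+)$")
EXAMPLE_ACL = """\
ip:inacl#1=permit ip 10.1.1.0 0.0.0.255 host 20.1.1.1
ip:inacl#2=permit ip 10.1.1.0 0.0.0.255 30.1.1.0 0.0.0.255
ip:inacl#3=deny ip 10.1.1.0 0.0.0.255 30.1.1.0 0.0.0.255 log
ip:inacl#4=permit TCP any host 20.1.1.100 eq 80
ip:inacl#5=permit TCP any host HOST12 neq 80
"""  # Example 12-1 from this page; HOST12 is a symbolic hostname

# src/dst: ("any",) | ("host", key) | ("net", network, wildcard); proto 0 (ip) matches all.
Rule = namedtuple("Rule", "number action proto src dst operator ports log")

def _host_key(s):
    try:                                        # IPv4 addresses become ints; anything else
        return int(ipaddress.IPv4Address(s))    # (HOST12) a lower-cased name, no DNS lookup
    except ValueError:
        return s.lower()

def _parse_addr(tokens):
    """Consume one address spec: any | host <name|ip> | <ip> <wildcard-mask>."""
    tok = tokens.pop(0).lower()
    if tok == "any":
        return ("any",)
    if tok == "host":
        return ("host", _host_key(tokens.pop(0)))
    addr, wild = int(ipaddress.IPv4Address(tok)), int(ipaddress.IPv4Address(tokens.pop(0)))
    return ("net", addr & ~wild & 0xFFFFFFFF, wild)   # a wildcard mask must follow an address

def parse_rule(avpair):
    m = PREFIX_RE.match(avpair.strip())
    if not m:
        raise ValueError(f"missing ip:inacl#N= prefix: {avpair!r}")
    number, tokens = int(m.group(1)), m.group(2).split()
    try:
        action = tokens.pop(0).lower()
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action {action!r}")
        ptok = tokens.pop(0).lower()
        proto = PROTO_NAMES[ptok] if ptok in PROTO_NAMES else int(ptok)
        src, dst = _parse_addr(tokens), _parse_addr(tokens)
        operator, ports, log = None, (), False
        while tokens:
            tok = tokens.pop(0).lower()
            if tok == "log":
                log = True
            elif tok in PORT_OPERATORS:
                if proto not in (6, 17):
                    raise ValueError(f"{tok!r} needs tcp or udp, not protocol {proto}")
                operator = tok
                ports = tuple(int(tokens.pop(0)) for _ in range(PORT_OPERATORS[tok][0]))
            else:
                raise ValueError(f"unexpected token {tok!r}")
    except IndexError:
        raise ValueError(f"truncated rule: {avpair!r}") from None
    return Rule(number, action, proto, src, dst, operator, ports, log)

def parse_acl(avpairs):
    """Rules apply in ip:inacl# number order, whatever order the server listed them in."""
    return sorted((parse_rule(s) for s in avpairs if s.strip()), key=lambda r: r.number)

def is_valid_rule(avpair):
    try:
        parse_rule(avpair)
        return True
    except ValueError:
        return False

def _addr_matches(spec, host):
    key = _host_key(host)
    if spec[0] == "any":
        return True
    if spec[0] == "host":
        return spec[1] == key
    return isinstance(key, int) and (key & ~spec[2] & 0xFFFFFFFF) == spec[1]

def evaluate(rules, proto, src, dst, dport=None):
    """(action, rule number) of the first matching rule; ("deny", None) when none matches."""
    for r in rules:
        port_ok = r.operator is None or (dport is not None and PORT_OPERATORS[r.operator][1](dport, r.ports))
        if r.proto in (0, proto) and port_ok and _addr_matches(r.src, src) and _addr_matches(r.dst, dst):
            return r.action, r.number
    return "deny", None

def find_shadowed(rules):
    """Numbers of rules whose match criteria repeat an earlier rule's, so they can never fire."""
    seen, shadowed = set(), []
    for r in rules:
        key = (r.proto, r.src, r.dst, r.operator, r.ports)
        if key in seen:
            shadowed.append(r.number)
        seen.add(key)
    return shadowed
```

Note that the rules are sorted by their ip:inacl# number before evaluation, so the order in which the av-pairs were typed into the ACS text box does not matter, but gaps or duplicate numbers do.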
Using Downloadable PIX/IP ACLs
As mentioned earlier, you can use a per user or per group downloadable ACL using the shared profile component on the CS ACS. For Shared Profile components, the syntax for downloadable ACLs is shown in Example 12-2.

Example 12-2. Downloadable ACL Syntax for Shared Profile Components on CS ACS
ip:inacl#1=permit ip 10.1.1.0 0.0.0.255 host 20.1.1.1
ip:inacl#2=permit ip 10.1.1.0 0.0.0.255 30.1.1.0 0.0.0.255
ip:inacl#3=deny ip 10.1.1.0 0.0.0.255 30.1.1.0 0.0.0.255 log
ip:inacl#4=permit TCP any host 20.1.1.100 eq 80
ip:inacl#5=permit TCP any host HOST12 neq 80





Figure 12-4 shows the mapping of the downloadable ACL.


Figure 12-4. VPN Connection Filter Using Downloadable ACL Using Shared Profile Components


Once the Downloadable IP ACL Shared Profile Component has been created, map it to a group or user profile under the Downloadable ACLs section: check the Assign IP ACL box and select the Shared Profile Component you created. If the Downloadable ACLs section does not appear in the group or user profile, enable it under Interface Configuration > Advanced Options by checking User-Level Downloadable ACLs or Group-Level Downloadable ACLs. Finally, define the CS ACS as the RADIUS server on the VPN 3000 Concentrator.
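The keyword table above and the ACL in Example 12-1 (repeated in Example 12-2) describe the syntax, but nothing checks a pasted ACL before ACS hands it to the concentrator. The following Python script is an added example, not code from this book or from Cisco Secure ACS: it parses ip:inacl#N= lines against the keyword table, rejects malformed entries, and flags an ACE that an earlier ACE already covers. Run on Example 12-1 it reports that ACE 3 (the logged deny) can never match, because ACE 2 already permits 10.1.1.0/24 to 30.1.1.0/24. The shadow check compares port operators only at keyword level, and hostnames such as HOST12 only as strings; the names of all functions here are the example's own.

```python
import ipaddress
import re
from collections import namedtuple

# Keyword table from this chapter: protocol keywords/numbers and port operators.
# Keywords are matched case-insensitively ("TCP" and "tcp" are equivalent).
PROTOCOLS = {"ip": 0, "icmp": 1, "tcp": 6, "udp": 17, "0": 0, "1": 1, "6": 6, "17": 17}
OPERATORS = {"lt", "gt", "eq", "neq", "range"}
AVPAIR_RE = re.compile(r"^ip:inacl#(\d+)=(.+)$")
# src/dst: "any", "host:<addr-or-name>" or "<network> <wildcard>"; sports/dports: None or ("eq", "80").
Ace = namedtuple("Ace", "seq action proto src dst sports dports log")

def _parse_endpoint(tokens):
    """Consume one address spec: any | host X | <network> <wildcard>."""
    if not tokens:
        raise ValueError("missing address")
    t = tokens.pop(0)
    if t.lower() == "any":
        return "any"
    if not tokens:
        raise ValueError("%r must be followed by a hostname or wildcard mask" % t)
    nxt = tokens.pop(0)
    if t.lower() == "host":
        return "host:" + nxt
    ipaddress.IPv4Address(t), ipaddress.IPv4Address(nxt)   # network and wildcard must be dotted quads
    return "%s %s" % (t, nxt)

def _parse_ports(tokens):
    # Consume an optional operator (lt/gt/eq/neq/range) and its port value(s).
    if not tokens or tokens[0].lower() not in OPERATORS:
        return None
    op = tokens.pop(0).lower()
    need = 2 if op == "range" else 1
    vals = tuple(tokens.pop(0) for _ in range(min(need, len(tokens))))
    if len(vals) < need or not all(v.isdigit() and int(v) <= 65535 for v in vals):
        raise ValueError("operator %s needs %d port number(s), got %r" % (op, need, vals))
    return (op,) + vals

def parse_avpair(line):
    """Parse one 'ip:inacl#N=<ace>' line into an Ace; raise ValueError on bad syntax."""
    m = AVPAIR_RE.match(line.strip())
    if not m:
        raise ValueError("not an ip:inacl#N= pair: %r" % line)
    seq, tokens = int(m.group(1)), m.group(2).split()
    if len(tokens) < 2 or tokens[0].lower() not in ("permit", "deny"):
        raise ValueError("ACE %d must start with permit or deny" % seq)
    action, proto_kw = tokens.pop(0).lower(), tokens.pop(0).lower()
    if proto_kw not in PROTOCOLS:
        raise ValueError("ACE %d: unknown protocol %r" % (seq, proto_kw))
    src, sports = _parse_endpoint(tokens), _parse_ports(tokens)
    dst, dports = _parse_endpoint(tokens), _parse_ports(tokens)
    log = bool(tokens) and tokens[0].lower() == "log"
    if tokens[log:]:                       # anything left after an optional 'log' is an error
        raise ValueError("ACE %d: unexpected trailing tokens %r" % (seq, tokens[log:]))
    if (sports or dports) and PROTOCOLS[proto_kw] not in (6, 17):
        raise ValueError("ACE %d: port operators are only valid for TCP/UDP" % seq)
    return Ace(seq, action, PROTOCOLS[proto_kw], src, dst, sports, dports, log)

def _to_net(spec):
    """Address spec -> IPv4Network, or None for a hostname that cannot be compared."""
    if spec == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    try:
        if spec.startswith("host:"):
            return ipaddress.IPv4Network(spec[5:] + "/32")
        net, wild = spec.split()
        # Invert the ACL wildcard into a netmask; a non-contiguous wildcard raises.
        mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild)))
        return ipaddress.IPv4Network((net, str(mask)), strict=False)
    except ValueError:
        return None

def _covers(a, b):
    """True when every packet that matches ACE b would already have matched ACE a."""
    if a.proto not in (0, b.proto):
        return False
    for x, y in ((a.src, b.src), (a.dst, b.dst)):
        nx, ny = _to_net(x), _to_net(y)
        # Hostnames: only an identical spec counts as covered; addresses: real subnet containment.
        if (None in (nx, ny) and x != y) or (None not in (nx, ny) and not ny.subnet_of(nx)):
            return False
    # Ports are compared at keyword level only: a has no operator, or the same one as b.
    return a.sports in (None, b.sports) and a.dports in (None, b.dports)

def validate_acl(text):
    """Parse a pasted cisco-av-pair ACL; return (aces, problems) listing syntax errors and shadowed ACEs."""
    aces, problems = [], []
    for line in filter(str.strip, text.splitlines()):
        try:
            aces.append(parse_avpair(line))
        except ValueError as e:
            problems.append(str(e))
    for j, later in enumerate(aces):
        earlier = next((a for a in aces[:j] if _covers(a, later)), None)
        if earlier is not None:
            problems.append("ACE %d can never match: ACE %d (%s) already covers its traffic"
                            % (later.seq, earlier.seq, earlier.action))
    return aces, problems

# Sample input for this example: the ACL from Example 12-1.
EXAMPLE_12_1 = """\
ip:inacl#1=permit ip 10.1.1.0 0.0.0.255 host 20.1.1.1
ip:inacl#2=permit ip 10.1.1.0 0.0.0.255 30.1.1.0 0.0.0.255
ip:inacl#3=deny ip 10.1.1.0 0.0.0.255 30.1.1.0 0.0.0.255 log
ip:inacl#4=permit TCP any host 20.1.1.100 eq 80
ip:inacl#5=permit TCP any host HOST12 neq 80
"""
```

Calling validate_acl(EXAMPLE_12_1) returns the five parsed ACEs and one problem, the shadowed ACE 3; a line without the ip:inacl#N= prefix, an ICMP entry with a port operator, or a range with a single value each come back as a problem instead of an ACE. Because the concentrator evaluates the pairs in sequence order, a shadowed entry is not harmless: here the deny with log that was meant to record traffic to 30.1.1.0/24 never fires.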

Troubleshooting Steps
The troubleshooting steps and issues discussed in the "Troubleshooting Steps" subsection under "VPN Concentrator Management Troubleshooting" apply to this section as well. Analyze both the ACS server log and the VPN Concentrator log to troubleshoot any authentication failure. The following are some common reasons for failure:

Authentication failure due to wrong group name: If the client sends the wrong group name, the VPN client displays Remote peer no longer responding, and the concentrator logs an event like the one shown in Example 12-3.

Example 12-3. Failure with Wrong Group Name
6 03/14/2005 22:23:10.540 SEV=4 IKE/22 RPT=2 10.25.35.228
No Group found matching Common_Group1 for Pre-shared key peer 10.1.1.100





Authentication failure due to wrong group password: The client reports Failed to establish secure connection to the security gateway, and the concentrator log shows an event similar to the one in Example 12-4.

Example 12-4. Failure Due to Wrong Group Password
256 03/14/2005 22:42:02.780 SEV=8 IKEDBG/81 RPT=71 10.1.1.100
RECEIVED Message (msgid=0) with payloads :
HDR + NOTIFY (11) + NONE (0)
total length : 40

258 03/14/2005 22:42:02.780 SEV=4 IKE/0 RPT=16 10.1.1.100
Group [Common_Group]
received an unencrypted packet when crypto active!! Dropping packet.





Authentication failure due to wrong username or password: After three attempts to enter the correct password, the client reports User authentication failed, and the concentrator logs the event shown in Example 12-5. The concentrator reports only Reason = Unspecified, so consult the ACS Failed Attempts report for the same time to tell an unknown username from a wrong password.

Example 12-5. Failure Due to Wrong Username or Password
582 03/14/2005 22:31:52.440 SEV=8 AUTHDBG/58 RPT=19
AUTH_Callback(7af0440, 0, 0)

583 03/14/2005 22:31:52.440 SEV=3 AUTH/5 RPT=24 10.1.1.100
Authentication rejected: Reason = Unspecified
handle = 125, server = 10.1.1.40, user = cisco123, domain =





Authentication failure due to group lock: If the Group Lock feature is enabled on the group Common_Group, a user must be a member of Common_Group to connect through it. If the user cisco123 instead belongs to a different group, such as Secure_Group, the connection is rejected and the concentrator logs the event shown in Example 12-6.

Example 12-6. Authentication Failure Due to Group Lock
585 03/14/2005 22:32:50.441 SEV=4 IKE/60 RPT=25 10.1.1.100
User [ cisco123 ]
User (cisco123) not member of group (Common_Group), authentication failed.





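The four log signatures in Examples 12-3 through 12-6 are what you look for when a remote user cannot connect. The following Python script is an added example, not code from this book or from the concentrator: it groups VPN 3000 log lines into events (a header line plus its continuation lines) and maps each event to the cause the chapter assigns to that message, pulling out the group, user and AAA server names the message carries. The sample log is the chapter's four examples pasted together; the function and pattern names are the example's own.

```python
import re
from collections import namedtuple

# Event header as the VPN 3000 writes it:
# "<seq> <mm/dd/yyyy> <hh:mm:ss.mmm> SEV=<n> <class>/<id> RPT=<n> [<peer ip>]"
HEADER_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<date>\d\d/\d\d/\d{4})\s+(?P<time>[\d:.]+)\s+"
    r"SEV=(?P<sev>\d+)\s+(?P<cls>[A-Z]+)/(?P<eid>\d+)\s+RPT=\d+"
    r"(?:\s+(?P<peer>\d+\.\d+\.\d+\.\d+))?\s*$")

# Message patterns from Examples 12-3 to 12-6, paired with the cause the chapter assigns to each.
CAUSES = [
    ("wrong group name", re.compile(r"No Group found matching (?P<group>\S+)")),
    ("wrong group password", re.compile(r"(?:Group \[(?P<group>[^\]]+)\] )?received an unencrypted packet when crypto active")),
    ("wrong username or password", re.compile(r"Authentication rejected: Reason = Unspecified")),
    ("group lock", re.compile(r"User \((?P<user>[^)]+)\) not member of group \((?P<group>[^)]+)\)")),
]

Event = namedtuple("Event", "seq sev cls eid peer text")      # text = message lines joined by spaces
Finding = namedtuple("Finding", "seq peer cause detail")

def parse_events(log):
    """Group concentrator log lines into events: a header line plus its continuation lines."""
    events = []
    for line in log.splitlines():
        m = HEADER_RE.match(line)
        if m:
            events.append(Event(int(m["seq"]), int(m["sev"]), m["cls"], int(m["eid"]), m["peer"], ""))
        elif line.strip() and events:
            ev = events[-1]
            events[-1] = ev._replace(text=(ev.text + " " + line.strip()).strip())
    return events

def classify(events):
    """Map each event to a known failure cause, extracting the identifiers the message carries."""
    findings = []
    for ev in events:
        for cause, pat in CAUSES:
            m = pat.search(ev.text)
            if not m:
                continue
            detail = m.groupdict()
            # AUTH/5 messages carry "user = X, server = Y": which account failed, against which AAA server.
            for key in ("user", "server"):
                km = re.search(r"\b%s = ([^,\s]+)" % key, ev.text)
                if km and key not in detail:
                    detail[key] = km.group(1)
            findings.append(Finding(ev.seq, ev.peer, cause, detail))
            break
    return findings

def diagnose(log):
    """One tuple per recognised failure: (seq, peer, cause, detail)."""
    return [(f.seq, f.peer, f.cause, f.detail) for f in classify(parse_events(log))]

# Sample input for this example: the events from Examples 12-3 to 12-6, pasted together.
SAMPLE_LOG = """\
6 03/14/2005 22:23:10.540 SEV=4 IKE/22 RPT=2 10.25.35.228
No Group found matching Common_Group1 for Pre-shared key peer 10.1.1.100

256 03/14/2005 22:42:02.780 SEV=8 IKEDBG/81 RPT=71 10.1.1.100
RECEIVED Message (msgid=0) with payloads :
HDR + NOTIFY (11) + NONE (0)
total length : 40

258 03/14/2005 22:42:02.780 SEV=4 IKE/0 RPT=16 10.1.1.100
Group [Common_Group]
received an unencrypted packet when crypto active!! Dropping packet.

582 03/14/2005 22:31:52.440 SEV=8 AUTHDBG/58 RPT=19
AUTH_Callback(7af0440, 0, 0)

583 03/14/2005 22:31:52.440 SEV=3 AUTH/5 RPT=24 10.1.1.100
Authentication rejected: Reason = Unspecified
handle = 125, server = 10.1.1.40, user = cisco123, domain =

585 03/14/2005 22:32:50.441 SEV=4 IKE/60 RPT=25 10.1.1.100
User [ cisco123 ]
User (cisco123) not member of group (Common_Group), authentication failed.
"""

if __name__ == "__main__":
    for seq, peer, cause, detail in diagnose(SAMPLE_LOG):
        print("event %d from %s: %s %s" % (seq, peer, cause, detail))
```

The SEV=8 debug events (IKEDBG, AUTHDBG) produce no finding; only the four diagnostic messages do. For the AUTH/5 case the finding names the ACS server that rejected the user, which is the server whose Failed Attempts report you open next, since the concentrator side says only Reason = Unspecified.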
This troubleshooting section concludes "Analysis of Problem Areas." The next section presents a case study on the password expiry feature with a Windows NT/2000 domain controller integrated with CS ACS.