This section examines some of the commonly found problems and resolutions with the AAA implementation on the VPN 3000 Concentrator, which are not discussed in the preceding sections.
Is it possible to have multiple primary Security Dynamics Incorporated (SDI) servers?
The VPN 3000 Concentrator can download the node secret file of only one node at a time. In SDI versions before 5.0, you can add multiple SDI servers, but they must all share the same node secret file (think of them as the primary and backup servers). In SDI Version 5.0, you can enter only the one primary SDI server (the backup servers are listed in the node secret file) and replica servers.
How can I view the user information in the internal user database? It is not visible when I look in the config file.
To view users and passwords, go to Administration > Access Rights > Access Settings, set Config File Encryption to None, and save the config. You should then be able to search the config file for the specific user.
How many users can the internal database store?
The number of users is version-dependent and specified in the Configuration > User Management section of the User Guide for your VPN 3000 Concentrator release. A total of 100 users or groups (the sum of users and groups must be 100 or fewer) is possible in VPN 3000 Releases 2.2 through 2.5.2. In VPN 3000 Releases 3.0 and later, the limit for the 3005 and 3015 Concentrators remains at 100. For the VPN 3030 and 3020 Concentrators, the limit is 500. For the VPN 3060 and 3080 Concentrators, the limit is 1000. Using an external authentication server also improves scalability and manageability.
Can I use TACACS+ for administrative authentication? What should I keep in mind while I use it?
Yes, starting in VPN 3000 Concentrator Release 3.0, you can use TACACS+ for administrative authentication. After you configure TACACS+, test authentication before you log out: an incorrect TACACS+ configuration can lock you out, and recovering requires a console port login in order to disable TACACS+.
What do I do when the administrative password is forgotten?
In versions 2.5.1 and later, connect a PC to the VPN 3000 Concentrator's console port using a straight-through RS-232 serial cable with the PC set for:
9600 bits per second
Eight data bits
One stop bit
Hardware flow control on
Reboot the VPN Concentrator. After the diagnostic check is complete, a line of three dots (...) appears on the console. Press CTRL-C within three seconds after these dots appear. A menu appears that lets you reset the system passwords to their defaults.
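As an added example (not Cisco's code and not from this page), a small Python helper that opens the console port with the settings listed above and sends CTRL-C as soon as a line consisting of exactly three dots appears, so the three-second window is not missed. `open_console` assumes pyserial and a port name; `FakeConsole` is a constructed stand-in that replays sample output so the detection logic runs without hardware.

```python
import time

CTRL_C = b"\x03"
DOTS = b"..."


def open_console(port):
    """Open the VPN 3000 console: 9600 bps, eight data bits, no parity,
    one stop bit, hardware (RTS/CTS) flow control.
    Assumption: pyserial is installed; it is imported lazily so the rest of
    this file runs without it."""
    import serial
    return serial.Serial(port, baudrate=9600, bytesize=serial.EIGHTBITS,
                         parity=serial.PARITY_NONE,
                         stopbits=serial.STOPBITS_ONE, rtscts=True,
                         timeout=0.1)


def catch_reset_menu(console, boot_timeout=120.0, clock=time.monotonic):
    """Read console output byte by byte until the current line is exactly
    '...' (dots inside other diagnostic text, e.g. 'memory... done', do not
    count), then send CTRL-C at once. Returns True if CTRL-C was sent,
    False if boot_timeout seconds pass without the three-dot line."""
    deadline = clock() + boot_timeout
    line = b""
    while clock() < deadline:
        byte = console.read(1)
        if not byte:            # read timed out; keep waiting
            continue
        if byte == b"\n":       # new line: start tracking from scratch
            line = b""
        elif byte != b"\r":
            line += byte
        if line == DOTS:
            console.write(CTRL_C)   # must be within three seconds of the dots
            return True
    return False


class FakeConsole:
    """Constructed stand-in for the serial port (sample text, not real
    VPN 3000 boot output). Replays bytes and records what is written back."""
    def __init__(self, output):
        self._out = bytearray(output)
        self.written = b""

    def read(self, n=1):
        chunk = bytes(self._out[:n])
        del self._out[:n]
        return chunk

    def write(self, data):
        self.written += data
        return len(data)
```

With real hardware, call `catch_reset_menu(open_console("/dev/ttyUSB0"))` right before power-cycling the concentrator; the port name is an assumption.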
What is the purpose of the group name and group password?
The group name and group password are used to create a hash, which is then used to establish a security association.
What authentication mechanisms and systems does the Cisco VPN 3000 Concentrator Series support for client PCs?
AD, NT Domain, RADIUS or RADIUS proxy, RSA Security SecurID (SDI), Digital Certificates, and internal authentication are supported.