Notes On H.323 Gatekeepers; Radius With Password Expiry - Cisco CVPN3002-K9 - Fast Ethernet VPN Gateway Getting Started

Chapter 1
Understanding the VPN 3002 Hardware Client

Notes on H.323 GateKeepers

Be aware of the following characteristics of NetMeeting GateKeepers.

NetMeeting Displays Names of Previous Meeting Callers

When an H.323 call is disconnected, the NetMeeting application still displays the names of the meeting callers in the Call window. Before you place a new call, perform a Hangup operation to remove these names.

VPN Tunnel Disconnects or a Network Failure Occurs with NetMeeting Active

When a VPN tunnel disconnects without the PC behind the VPN 3002 logging off from the GateKeeper, problems may occur. This is so whether the VPN session terminates gracefully or because of a network failure (NetMeeting PC reboots or VPN 3002 reboots).

Because of the failure to log off, a registration mismatch may occur between the GateKeeper and the NetMeeting application. The GateKeeper maintains a NetMeeting registration based on a configurable inactivity timeout period, with the default being one hour. If a PC attempts registration after a disconnect and before the timeout period has expired, the GateKeeper rejects the request.

There are two solutions:
1. Log off from the GateKeeper before disconnecting the tunnel.
2. Set the GateKeeper registration timeout value to a shorter time period. We recommend 15 minutes. Use the 'endpoint ttl' command on the Cisco GateKeeper to set this value.

RADIUS with Password Expiry

RADIUS with password expiry is an IPSec authentication method that you configure for a VPN 3002 on the VPN Concentrator to which it connects. This option lets the VPN Concentrator that is attempting to authenticate an IPSec client to an external RADIUS server (acting as a proxy to an NT server) determine when a user's password has expired and prompt for a new password. By default, this option is disabled.

Enabling this option allows the VPN Concentrator to use MS-CHAP-v2 when authenticating an IPSec client to an external RADIUS server. That RADIUS server must support both MS-CHAP-v2 and the Microsoft Vendor Specific Attributes. Refer to the documentation for your RADIUS server to verify that it supports these capabilities.

Because of the use of MS-CHAP-v2, when this option is enabled, the VPN Concentrator can provide enhanced login failure messages that describe specific error conditions. These conditions are:
Restricted login hours.
Account disabled.
No dialin permission.
Error changing password.
Authentication failure.

The "password expired" message appears when the user whose password has expired first attempts to log in. The other messages appear only after three unsuccessful login attempts.

Note: To use RADIUS password expiry with a VPN 3002, you must enable interactive hardware client authentication. This feature does not work for individual user authentication.
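The enhanced failure messages described above are carried in the MS-CHAP-v2 Failure message (RFC 2759, section 6), whose E= error code identifies the condition. The following is an added example, not Cisco's code or part of this manual: it parses such a Failure string into the conditions the manual lists, and the LoginMessagePolicy class is an assumed model of the manual's rule that only "password expired" is reported on the first failed attempt; the error-code numbers come from RFC 2759.

```python
"""Added example: parse an MS-CHAP-v2 Failure message (RFC 2759 section 6)
and map its E= code onto the login failure conditions listed in the manual."""
import re

# RFC 2759 section 6 error codes -> the condition named in the manual.
MSCHAPV2_ERRORS = {
    646: "Restricted login hours",
    647: "Account disabled",
    648: "Password expired",
    649: "No dialin permission",
    691: "Authentication failure",
    709: "Error changing password",
}

# Failure layout: "E=eeeeeeeeee R=r C=<32 hex> V=vvvvvvvvvv M=<msg>";
# C, V and M are treated as optional so truncated server messages still parse.
_FAILURE_RE = re.compile(
    r"E=(?P<code>\d+) R=(?P<retry>[01])"
    r"(?: C=(?P<challenge>[0-9A-Fa-f]{32}))?(?: V=(?P<version>\d+))?"
    r"(?: M=(?P<msg>.*))?$"
)


def parse_failure(message):
    """Return code, mapped condition, retry flag and new challenge, or None."""
    m = _FAILURE_RE.match(message)
    if m is None:
        return None
    code = int(m.group("code"))
    return {
        "code": code,
        "condition": MSCHAPV2_ERRORS.get(code, "Unknown MS-CHAP-v2 error"),
        "retry_allowed": m.group("retry") == "1",
        "new_challenge": m.group("challenge"),
    }


class LoginMessagePolicy:
    """Assumed model of the manual's rule: 'Password expired' is reported on
    the first failed attempt, other specific conditions only after three."""

    def __init__(self, threshold=3):
        self.threshold = threshold
        self.failures = {}  # user -> failed attempts seen so far

    def message_for(self, user, failure_text):
        parsed = parse_failure(failure_text)
        if parsed is None:
            return "Login failed"
        self.failures[user] = self.failures.get(user, 0) + 1
        if parsed["code"] == 648 or self.failures[user] >= self.threshold:
            return parsed["condition"]
        return "Login failed"
```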
Additional Software Features
VPN 3002 Hardware Client Getting Started, OL-2854-01, page 1-11