When using digital certificates for authentication, I am facing problems if the VPN 3000 internal user database is used for extended authentication. If an internal user is created and that user does not belong to the VPNC_base_group, then the extended authentication fails. That is, if a new group is created for remote dialup users (e.g. ipsecgroup) and the internal user (e.g. ipsecuser) is configured to belong to the "ipsecgroup" group, then the internal user authentication fails (if using digital certificates). If using pre-shared keys, and if the user is made part of the ipsecgroup, then the user does get authenticated.

In the "IPSec Parameters" we have a field named "IKE Peer identity validation" for remote dialup users, where we can force the concentrator to validate the user based on the attributes in his public certificate. This makes me believe that even if a user is made part of a particular group (e.g. ipsecgroup) and if that user is using digital certificates for session authentication, the whole thing should still work.

Any ideas?

Message posted at: http://www.groupstudy.com/form/read.php?f=7&i=16172&t=16172