Posted by pix help on March 5, 2007, 2:16 pm
Getting the following error when trying to authenticate VPN 3005 to IAS box. userid and password are correct. Any suggestions?

Help please!

Need some advice here. Have VPN up and running with authentication for group & users internal to VPN. I can establish sessions for multiple clients. The VPN inside sits behind Pix. Outside is between 2811 & 515e. I am trying to set up IAS on 2003 box that is sitting behind Pix.

I want the concentrator to authenticate group against internal db on 3005 and then pass user authentication to IAS. The IAS box is configured correctly as I can authenticate against it from other hardware. I have reviewed the docs on the Cisco site and have the RADIUS with expiry configured correctly based on this information.

Is there anything special since a Pix is part of the equation? Has anyone been able to get a config such as this to work?

Thanks in advance

User \domainuser was denied access.
Fully-Qualified-User-Name = \XXXX
NAS-IP-Address = 192.168.150.25 (VPN private interface)
NAS-Identifier = <not present>
Called-Station-Identifier = 10.10.10.50 (VPN public interface - Router forwards requests from WAN)
Calling-Station-Identifier = XX.XXX.XXX.XXX
Client-Friendly-Name = vpn.XXXXXXXX.com
Client-IP-Address = 192.168.150.25 (VPN private interface)
NAS-Port-Type = Virtual
NAS-Port = 1082
Proxy-Policy-Name = test
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Authentication-Type = MS-CHAPv2
Policy-Name = <undetermined>
EAP-Type = <undetermined>
Reason-Code = 16
Reason = Authentication was not successful because an unknown user name or incorrect password was used.

Posted by Town Dummy on March 5, 2007, 11:03 pm
Change it over to use IPSec. Microsoft doesn't do anything to explain this.

Configuring Internet Authentication Service

Before doing anything else, create a new global security group in Active Directory. Call it something like "VPN Users" or similar. We'll use this group later as an additional security check in validating VPN connections.

Next, install IAS using the Add/Remove Programs icon in Control Panel. Once it has been installed, launch it from the Administrative Tools folder on the Start Menu and we'll proceed with configuring it for authenticating VPN connections to the PIX firewall.

First, we need to grant IAS permission to read dial-in properties from user accounts in Active Directory. To do this, right-click on the "Internet Authentication Service (Local)" and select "Register Server in Active Directory". Select Yes (or OK) if prompted to confirm.

With that done, we can now configure the PIX firewall as a RADIUS client. Right-click on RADIUS Clients and select New RADIUS Client. In the wizard, specify the IP address (or DNS name) of the PIX firewall's internal IP address and the shared secret. Note that this shared secret is the same secret key specified in the PIX configuration above. RADIUS clients use this to authenticate to RADIUS servers, so make it a reasonably strong password.

Now create a remote access policy. Right-click on Remote Access Policies and select New Remote Access Policy. In the wizard, specify a name, select to create a custom policy, and then add the following conditions to the policy:

a. NAS-IP-Address: This will be the IP address of the PIX firewall's internal interface. This helps to ensure that this policy only applies to VPN requests from this firewall and not from any other RADIUS client.
b. Windows-Groups: This should be the security group created earlier. Any user that should be allowed to authenticate on a VPN connection will need to be a member of this group.

The rest of the policy should be very straightforward. Make this policy the first policy (using the Move Up/Move Down commands in the IAS console), add a user to the group created earlier, and then test your connection. Remote systems attempting to connect via PPTP should now be able to authenticate the VPN connection using their Active Directory usernames and passwords.

Although this was written from the perspective of authenticating PPTP connections, the process should be very similar for IPSec VPN clients as well.

> Hello,
>
> Getting the following error when trying to authenticate VPN 3005 to
> IAS box. userid and password are correct. Any suggestions?
>
> Help please!
>
> Need some advice here. Have VPN up and running with authentication for
> group & users internal to VPN. I can establish sessions for multiple
> clients. The VPN inside sits behind Pix. Outside is between 2811 &
> 515e. I am trying to set up IAS on 2003 box that is sitting behind Pix.
>
> I want the concentrator to authenticate group against internal db on
> 3005 and then pass user authentication to IAS. The IAS box is
> configured correctly as I can authenticate against it from other
> hardware. I have reviewed the docs on the Cisco site and have the
> RADIUS with expiry configured correctly based on this information.
>
> Is there anything special since a Pix is part of the equation? Has
> anyone been able to get a config such as this to work?
>
> Thanks in advance
>
> User \domainuser was denied access.
> Fully-Qualified-User-Name = \XXXX
> NAS-IP-Address = 192.168.150.25 (VPN private interface)
> NAS-Identifier = <not present>
> Called-Station-Identifier = 10.10.10.50 (VPN public interface -
> Router forwards requests from WAN)
> Calling-Station-Identifier = XX.XXX.XXX.XXX
> Client-Friendly-Name = vpn.XXXXXXXX.com
> Client-IP-Address = 192.168.150.25 (VPN private interface)
> NAS-Port-Type = Virtual
> NAS-Port = 1082
> Proxy-Policy-Name = test
> Authentication-Provider = Windows
> Authentication-Server = <undetermined>
> Policy-Name = <undetermined>
> Authentication-Type = MS-CHAPv2
> EAP-Type = <undetermined>
> Reason-Code = 16
> Reason = Authentication was not successful because an unknown user
> name or incorrect password was used.
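
An added example, not part of either post: a Python script that parses the flattened IAS event quoted in this thread and compares it with the NAS-IP-Address condition the reply says to set in the remote access policy. The helper names `parse_event`, `first_ip` and `triage` are hypothetical, and the PIX inside address 192.168.150.1 is an assumed placeholder that does not come from the thread.

```python
import re

# Constructed sample: the IAS event from the thread, flattened onto one line
# as it appears in the post (redactions kept as posted).
EVENT = (
    "User \\domainuser was denied access. Fully-Qualified-User-Name = \\XXXX "
    "NAS-IP-Address = 192.168.150.25 (VPN private interface) "
    "NAS-Identifier = <not present> Client-Friendly-Name = vpn.XXXXXXXX.com "
    "Client-IP-Address = 192.168.150.25 (VPN private interface) "
    "NAS-Port-Type = Virtual NAS-Port = 1082 Proxy-Policy-Name = test "
    "Authentication-Provider = Windows Policy-Name = <undetermined> "
    "Authentication-Type = MS-CHAPv2 Reason-Code = 16 "
    "Reason = Authentication was not successful because an unknown user "
    "name or incorrect password was used."
)

# An attribute name is capitalised words joined by hyphens, followed by " = ".
FIELD = re.compile(r"(?<![\w-])([A-Z][A-Za-z]*(?:-[A-Za-z]+)*) = ")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def parse_event(text):
    """Split flattened 'Name = value' pairs; each value runs to the next name."""
    hits = list(FIELD.finditer(text))
    fields = {}
    for cur, nxt in zip(hits, hits[1:] + [None]):
        end = nxt.start() if nxt else len(text)
        fields[cur.group(1)] = text[cur.end():end].strip()
    return fields

def first_ip(value):
    """Return the first IPv4 address in a value, ignoring trailing annotations."""
    m = IPV4.search(value or "")
    return m.group(0) if m else None

def triage(fields, policy_nas_ip):
    """Compare the event with the NAS-IP-Address condition set in the policy."""
    findings = []
    nas = first_ip(fields.get("NAS-IP-Address"))
    if nas != policy_nas_ip:
        findings.append(f"NAS-IP-Address {nas} != policy condition {policy_nas_ip}")
    if first_ip(fields.get("Client-IP-Address")) != nas:
        findings.append("RADIUS client address differs from NAS-IP-Address")
    if fields.get("Policy-Name") == "<undetermined>":
        findings.append("no remote access policy name recorded")
    if fields.get("Reason-Code") == "16":
        findings.append("reason 16: unknown user name or incorrect password")
    return findings

if __name__ == "__main__":
    for line in triage(parse_event(EVENT), "192.168.150.1"):  # assumed PIX inside IP
        print(line)
```

In the logged request both NAS-IP-Address and Client-IP-Address are the concentrator's private interface, so that is the address to compare against the RADIUS client entry and the policy condition.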

VPN 3005 to IAS authentication failure...