VPN 3005 to IAS authentication failure...

Hello,

Getting the following error when trying to authenticate VPN 3005 to IAS box. userid and password are correct. Any suggestions?

Help please!

Need some advice here. Have VPN up and running with authentication for group & users internal to VPN. I can establish sessions for multiple clients. The vpn inside sits behind Pix. Outside is between 2811 &

I want the concentrator to authenticate group against internal db on

Is there anything special since a Pix is part of the equation? Has anyone been able to get a config such as this to work?

Thanks in advance

User \\domainuser was denied access. Fully-Qualified-User-Name = \\XXXX NAS-IP-Address = 192.168.150.25 (VPN private interface) NAS-Identifier = Called-Station-Identifier = 10.10.10.50 (VPN public interface - Router forwards requests from WAN) Calling-Station-Identifier = XX.XXX.XXX.XXX Client-Friendly-Name = vpn.XXXXXXXX.com Client-IP-Address = 192.168.150.25 (VPN private interface) NAS-Port-Type = Virtual NAS-Port = 1082 Proxy-Policy-Name = test Authentication-Provider = Windows Authentication-Server = Policy-Name = Authentication-Type = MS-CHAPv2 EAP-Type = Reason-Code = 16 Reason = Authentication was not successful because an unknown user name or incorrect password was used.

How do you have your IAS box setup? Here's a setup using PPTP but you could change it over to use IPSec. Microsoft doesn't do anything to explain this.

Configuring Internet Authentication Service Before doing anything else, create a new global security group in Active Directory. Call it something like "VPN Users" or similar. We'll use this group later as an additional security check in validating VPN connections.

Next, install IAS using the Add/Remove Programs icon in Control Panel. Once it has been installed, launch it from the Administrative Tools folder on the Start Menu and we'll proceed with configuring it for authenticating VPN connections to the PIX firewall.

First, we need to grant IAS permission to read dial-in properties from user accounts in Active Directory. To do this, right-click on the "Internet Authentication Service (Local)" and select "Register Server in Active Directory". Select Yes (or OK) if prompted to confirm.

With that done, we can now configure the PIX firewall as a RADIUS client. Right-click on RADIUS Clients and select New RADIUS Client. In the wizard, specify the IP address (or DNS name) of the PIX firewall's internal IP address and the shared secret. Note that this shared secret is the same secret key specified in the PIX configuration above. RADIUS clients use this to authenticate to RADIUS servers, so make it a reasonably strong password.

Now create a remote access policy. Right-click on Remote Access Policies and select New Remote Access Policy. In the wizard, specify a name, select to create a custom policy, and then add the following conditions to the policy:

a.. NAS-IP-Address: This will be the IP address of the PIX firewall's internal interface. This helps to ensure that this policy only applies to VPN requests from this firewall and not from any other RADIUS client. b.. Windows-Groups: This should be the security group created earlier. Any user that should be allowed to authenticate on a VPN connection will need to be a member of this group. The rest of the policy should be very straightforward. Make this policy the first policy (using the Move Up/Move Down commands in the IAS console), add a user to the group created earlier, and then test your connection. Remote systems attempting to connect via PPTP should now be able to authenticate the VPN connection using their Active Directory usernames and passwords.

Although this was written from the perspective of authenticating PPTP connections, the process should be very similar for IPSec VPN clients as well.