How do you have your IAS box setup? Here's a setup using PPTP but you could
change it over to use IPSec. Microsoft doesn't do anything to explain this.
Configuring Internet Authentication Service
Before doing anything else, create a new global security group in Active
Directory. Call it something like "VPN Users" or similar. We'll use this
group later as an additional security check in validating VPN connections.
Next, install IAS using the Add/Remove Programs icon in Control Panel. Once
it has been installed, launch it from the Administrative Tools folder on the
Start Menu and we'll proceed with configuring it for authenticating VPN
connections to the PIX firewall.
First, we need to grant IAS permission to read dial-in properties from user
accounts in Active Directory. To do this, right-click on the "Internet
Authentication Service (Local)" and select "Register Server in Active
Directory". Select Yes (or OK) if prompted to confirm.
With that done, we can now configure the PIX firewall as a RADIUS client.
Right-click on RADIUS Clients and select New RADIUS Client. In the wizard,
specify the IP address (or DNS name) of the PIX firewall's internal IP
address and the shared secret. Note that this shared secret is the same
secret key specified in the PIX configuration above. RADIUS clients use
this to authenticate to RADIUS servers, so make it a reasonably strong
password.
Now create a remote access policy. Right-click on Remote Access Policies
and select New Remote Access Policy. In the wizard, specify a name, select
to create a custom policy, and then add the following conditions to the
policy:
a.. NAS-IP-Address: This will be the IP address of the PIX firewall's
internal interface. This helps to ensure that this policy only applies to
VPN requests from this firewall and not from any other RADIUS client.
b.. Windows-Groups: This should be the security group created earlier.
Any user that should be allowed to authenticate on a VPN connection will
need to be a member of this group.
The rest of the policy should be very straightforward. Make this policy the
first policy (using the Move Up/Move Down commands in the IAS console), add
a user to the group created earlier, and then test your connection. Remote
systems attempting to connect via PPTP should now be able to authenticate
the VPN connection using their Active Directory usernames and passwords.
Although this was written from the perspective of authenticating PPTP
connections, the process should be very similar for IPSec VPN clients as
well.
"pix help" <> wrote in message
news: ups.com...
> Hello,
>
> Getting the following error when trying to authenticate VPN 3005 to
> IAS box. userid and password are correct. Any suggestions?
>
> Help please!
>
> Need some advice here. Have VPN up and running with authentication for
> group & users internal to VPN. I can establish sessions for multiple
> clients. The vpn inside sits behind Pix. Outside is between 2811 &
> 515e. I am trying to setup IAS on 2003 box that is sitting behind Pix.
>
> I want the concentrator to authenticate group against internal db on
> 3005 and then pass user authentication to IAS. The IAS box is
> configured correctly as I can authenticate against it from other
> hardware. I have reviewed the docs on the cisco site and have the
> Raduiys with expiry configured correctly based on this information.
>
> Is there anything special since a Pix is part of the equation? Has
> anyone been able to get a config such as this to work?
>
> Thanks in advance
>
> User \domainuser was denied access.
> Fully-Qualified-User-Name = \XXXX
> NAS-IP-Address = 192.168.150.25 (VPN private interface)
> NAS-Identifier = <not present>
> Called-Station-Identifier = 10.10.10.50 (VPN public interface -
> Router forwards requests from WAN)
> Calling-Station-Identifier = XX.XXX.XXX.XXX
> Client-Friendly-Name = vpn.XXXXXXXX.com
> Client-IP-Address = 192.168.150.25 (VPN private interface)
> NAS-Port-Type = Virtual
> NAS-Port = 1082
> Proxy-Policy-Name = test
> Authentication-Provider = Windows
> Authentication-Server = <undetermined>
> Policy-Name = <undetermined>
> Authentication-Type = MS-CHAPv2
> EAP-Type = <undetermined>
> Reason-Code = 16
> Reason = Authentication was not successful because an unknown user
> name or incorrect password was used.
>
|
Similar Threads
