VPN 3005 to IAS authentication failure...

Discussion in 'Cisco' started by pix help, Mar 5, 2007.

  1. pix help

    pix help Guest

    Hello,

    Getting the following error when trying to authenticate VPN 3005 to
    IAS box. userid and password are correct. Any suggestions?

    Help please!

    Need some advice here. Have VPN up and running with authentication for
    group & users internal to VPN. I can establish sessions for multiple
    clients. The vpn inside sits behind Pix. Outside is between 2811 &
    515e. I am trying to set up IAS on a 2003 box that is sitting behind the Pix.

    I want the concentrator to authenticate group against internal db on
    3005 and then pass user authentication to IAS. The IAS box is
    configured correctly as I can authenticate against it from other
    hardware. I have reviewed the docs on the cisco site and have the
    RADIUS with expiry configured correctly based on this information.

    Is there anything special since a Pix is part of the equation? Has
    anyone been able to get a config such as this to work?

    Thanks in advance

    User \domainuser was denied access.
    Fully-Qualified-User-Name = \XXXX
    NAS-IP-Address = 192.168.150.25 (VPN private interface)
    NAS-Identifier = <not present>
    Called-Station-Identifier = 10.10.10.50 (VPN public interface -
    Router forwards requests from WAN)
    Calling-Station-Identifier = XX.XXX.XXX.XXX
    Client-Friendly-Name = vpn.XXXXXXXX.com
    Client-IP-Address = 192.168.150.25 (VPN private interface)
    NAS-Port-Type = Virtual
    NAS-Port = 1082
    Proxy-Policy-Name = test
    Authentication-Provider = Windows
    Authentication-Server = <undetermined>
    Policy-Name = <undetermined>
    Authentication-Type = MS-CHAPv2
    EAP-Type = <undetermined>
    Reason-Code = 16
    Reason = Authentication was not successful because an unknown user
    name or incorrect password was used.
    pix help, Mar 5, 2007
    #1

  2. Town Dummy

    Town Dummy Guest

    How do you have your IAS box setup? Here's a setup using PPTP but you could
    change it over to use IPSec. Microsoft doesn't do anything to explain this.

    Configuring Internet Authentication Service
    Before doing anything else, create a new global security group in Active
    Directory. Call it something like "VPN Users" or similar. We'll use this
    group later as an additional security check in validating VPN connections.

    Next, install IAS using the Add/Remove Programs icon in Control Panel. Once
    it has been installed, launch it from the Administrative Tools folder on the
    Start Menu and we'll proceed with configuring it for authenticating VPN
    connections to the PIX firewall.

    First, we need to grant IAS permission to read dial-in properties from user
    accounts in Active Directory. To do this, right-click on the "Internet
    Authentication Service (Local)" and select "Register Server in Active
    Directory". Select Yes (or OK) if prompted to confirm.

    With that done, we can now configure the PIX firewall as a RADIUS client.
    Right-click on RADIUS Clients and select New RADIUS Client. In the wizard,
    specify the IP address (or DNS name) of the PIX firewall's internal IP
    address and the shared secret. Note that this shared secret is the same
    secret key specified in the PIX configuration above. RADIUS clients use
    this to authenticate to RADIUS servers, so make it a reasonably strong
    password.

    Now create a remote access policy. Right-click on Remote Access Policies
    and select New Remote Access Policy. In the wizard, specify a name, select
    to create a custom policy, and then add the following conditions to the
    policy:

    a. NAS-IP-Address: This will be the IP address of the PIX firewall's
    internal interface. This helps to ensure that this policy only applies to
    VPN requests from this firewall and not from any other RADIUS client.
    b. Windows-Groups: This should be the security group created earlier.
    Any user that should be allowed to authenticate on a VPN connection will
    need to be a member of this group.

    The rest of the policy should be very straightforward. Make this policy the
    first policy (using the Move Up/Move Down commands in the IAS console), add
    a user to the group created earlier, and then test your connection. Remote
    systems attempting to connect via PPTP should now be able to authenticate
    the VPN connection using their Active Directory usernames and passwords.

    Although this was written from the perspective of authenticating PPTP
    connections, the process should be very similar for IPSec VPN clients as
    well.

    "pix help" <> wrote in message
    news:...
    > Hello,
    >
    > Getting the following error when trying to authenticate VPN 3005 to
    > IAS box. userid and password are correct. Any suggestions?
    >
    > Help please!
    >
    > Need some advice here. Have VPN up and running with authentication for
    > group & users internal to VPN. I can establish sessions for multiple
    > clients. The vpn inside sits behind Pix. Outside is between 2811 &
    > 515e. I am trying to set up IAS on a 2003 box that is sitting behind the Pix.
    >
    > I want the concentrator to authenticate group against internal db on
    > 3005 and then pass user authentication to IAS. The IAS box is
    > configured correctly as I can authenticate against it from other
    > hardware. I have reviewed the docs on the cisco site and have the
    > RADIUS with expiry configured correctly based on this information.
    >
    > Is there anything special since a Pix is part of the equation? Has
    > anyone been able to get a config such as this to work?
    >
    > Thanks in advance
    >
    > User \domainuser was denied access.
    > Fully-Qualified-User-Name = \XXXX
    > NAS-IP-Address = 192.168.150.25 (VPN private interface)
    > NAS-Identifier = <not present>
    > Called-Station-Identifier = 10.10.10.50 (VPN public interface -
    > Router forwards requests from WAN)
    > Calling-Station-Identifier = XX.XXX.XXX.XXX
    > Client-Friendly-Name = vpn.XXXXXXXX.com
    > Client-IP-Address = 192.168.150.25 (VPN private interface)
    > NAS-Port-Type = Virtual
    > NAS-Port = 1082
    > Proxy-Policy-Name = test
    > Authentication-Provider = Windows
    > Authentication-Server = <undetermined>
    > Policy-Name = <undetermined>
    > Authentication-Type = MS-CHAPv2
    > EAP-Type = <undetermined>
    > Reason-Code = 16
    > Reason = Authentication was not successful because an unknown user
    > name or incorrect password was used.
    >
    Town Dummy, Mar 6, 2007
    #2
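As an added example (not code from either poster), a small Python triage helper that parses a denial record of the shape quoted in the first post and runs the checks worth making before anyone resets a password: whether IAS actually saw a domain prefix on the user name (the quoted record shows "\XXXX" with nothing before the backslash), whether NAS-IP-Address matches the RADIUS client address the reply says to put in the policy condition, and whether the request was rejected before any remote access policy was matched. The sample record and the expected NAS address are constructed placeholders.

```python
# Constructed sample modelled on the IAS denial record in the first post;
# masked values are replaced with placeholders, not real names or hosts.
SAMPLE_EVENT = """\
User \\domainuser was denied access.
Fully-Qualified-User-Name = \\domainuser
NAS-IP-Address = 192.168.150.25
NAS-Identifier = <not present>
Called-Station-Identifier = 10.10.10.50
Client-Friendly-Name = vpn.example.com
Client-IP-Address = 192.168.150.25
NAS-Port-Type = Virtual
Authentication-Provider = Windows
Policy-Name = <undetermined>
Authentication-Type = MS-CHAPv2
Reason-Code = 16
Reason = Authentication was not successful because an unknown user
name or incorrect password was used.
"""

def parse_ias_event(text):
    """Turn the 'Key = value' lines of an IAS event into a dict.
    A line without ' = ' continues the previous value (the Reason text wraps)."""
    fields, last = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if " = " in line:
            key, _, value = line.partition(" = ")
            last = key.strip()
            fields[last] = value.strip()
        elif line and last:
            fields[last] += " " + line
    return fields

def triage(fields, expected_nas_ip):
    """Return (check, passed, detail) tuples for the record."""
    fqun = fields.get("Fully-Qualified-User-Name", "")
    domain, sep, _user = fqun.partition("\\")
    nas_ip = fields.get("NAS-IP-Address")
    # Reason 16 with no Policy-Name: the credential check failed and no
    # remote access policy name was recorded, so policy conditions are not
    # the thing to tune first.
    pre_policy = (fields.get("Reason-Code") == "16"
                  and fields.get("Policy-Name") == "<undetermined>")
    return [
        ("domain prefix present", bool(sep and domain), f"IAS saw {fqun!r}"),
        ("NAS-IP-Address matches RADIUS client entry", nas_ip == expected_nas_ip,
         f"NAS-IP-Address={nas_ip}"),
        ("Client-IP-Address agrees with NAS-IP-Address",
         fields.get("Client-IP-Address") == nas_ip, ""),
        ("request reached policy evaluation", not pre_policy,
         "Reason-Code 16 and Policy-Name undetermined"),
    ]

def failed_checks(fields, expected_nas_ip):
    """Names of the checks that did not pass, in triage order."""
    return [name for name, ok, _ in triage(fields, expected_nas_ip) if not ok]
```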
