Re: VPN 3005 to IAS authentication failure...
How do you have your IAS box set up? Here's a setup using PPTP, but you could
change it over to use IPSec. Microsoft doesn't do anything to explain this.

Configuring Internet Authentication Service
Before doing anything else, create a new global security group in Active
Directory. Call it something like "VPN Users" or similar. We'll use this
group later as an additional security check in validating VPN connections.

Next, install IAS using the Add/Remove Programs icon in Control Panel. Once
it has been installed, launch it from the Administrative Tools folder on the
Start Menu and we'll proceed with configuring it for authenticating VPN
connections to the PIX firewall.

First, we need to grant IAS permission to read dial-in properties from user
accounts in Active Directory. To do this, right-click on the "Internet
Authentication Service (Local)" and select "Register Server in Active
Directory". Select Yes (or OK) if prompted to confirm.

With that done, we can now configure the PIX firewall as a RADIUS client.
Right-click on RADIUS Clients and select New RADIUS Client. In the wizard,
specify the IP address (or DNS name) of the PIX firewall's internal IP
address and the shared secret. Note that this shared secret is the same
secret key specified in the PIX configuration above. RADIUS clients use
this to authenticate to RADIUS servers, so make it a reasonably strong
password.

Now create a remote access policy. Right-click on Remote Access Policies
and select New Remote Access Policy. In the wizard, specify a name, select
to create a custom policy, and then add the following conditions to the
policy:

a. NAS-IP-Address: This will be the IP address of the PIX firewall's
internal interface. This helps to ensure that this policy only applies to
VPN requests from this firewall and not from any other RADIUS client.
b. Windows-Groups: This should be the security group created earlier.
Any user that should be allowed to authenticate on a VPN connection will
need to be a member of this group.

The rest of the policy should be very straightforward. Make this policy the
first policy (using the Move Up/Move Down commands in the IAS console), add
a user to the group created earlier, and then test your connection. Remote
systems attempting to connect via PPTP should now be able to authenticate
the VPN connection using their Active Directory usernames and passwords.

Although this was written from the perspective of authenticating PPTP
connections, the process should be very similar for IPSec VPN clients as
well.

"pix help" <listserve2006@xxxxxxxxxxxx> wrote in message
news:1173122168.631842.45210@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hello,

Getting the following error when trying to authenticate VPN 3005 to
IAS box. userid and password are correct. Any suggestions?

Help please!

Need some advice here. Have VPN up and running with authentication for
group & users internal to VPN. I can establish sessions for multiple
clients. The vpn inside sits behind Pix. Outside is between 2811 &
515e. I am trying to set up IAS on a 2003 box that is sitting behind Pix.

I want the concentrator to authenticate group against internal db on
3005 and then pass user authentication to IAS. The IAS box is
configured correctly as I can authenticate against it from other
hardware. I have reviewed the docs on the cisco site and have the
RADIUS with expiry configured correctly based on this information.

Is there anything special since a Pix is part of the equation? Has
anyone been able to get a config such as this to work?

Thanks in advance

User \domainuser was denied access.
Fully-Qualified-User-Name = \XXXX
NAS-IP-Address = 192.168.150.25 (VPN private interface)
NAS-Identifier = <not present>
Called-Station-Identifier = 10.10.10.50 (VPN public interface -
Router forwards requests from WAN)
Calling-Station-Identifier = XX.XXX.XXX.XXX
Client-Friendly-Name = vpn.XXXXXXXX.com
Client-IP-Address = 192.168.150.25 (VPN private interface)
NAS-Port-Type = Virtual
NAS-Port = 1082
Proxy-Policy-Name = test
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = <undetermined>
Authentication-Type = MS-CHAPv2
EAP-Type = <undetermined>
Reason-Code = 16
Reason = Authentication was not successful because an unknown user
name or incorrect password was used.
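The two policy conditions in the reply (NAS-IP-Address must be the PIX inside address, user must be in the "VPN Users" group) and the shared-secret check that a RADIUS client performs on every reply are easy to misconfigure and hard to see from the IAS event text alone. The following is an added example, not code from the thread or from IAS: it parses a denial record laid out like the one quoted above, evaluates those two conditions against a constructed stand-in for Active Directory, and builds/verifies a RADIUS reply using the RFC 2865 Response Authenticator (MD5 over Code, ID, Length, Request Authenticator, Attributes and the shared secret). The PIX address 192.168.150.1, the user names and the secret are assumptions made for the example.

```python
import hashlib
import hmac
import struct

# Assumed values for this example (not from the thread): the PIX inside address
# that the NAS-IP-Address condition should match, and the group named in the reply.
PIX_INTERNAL_IP = "192.168.150.1"   # hypothetical PIX inside interface
VPN_GROUP = "VPN Users"

# Constructed stand-in for Active Directory: sAMAccountName -> group memberships.
DIRECTORY = {
    "alice": {"Domain Users", "VPN Users"},
    "bob": {"Domain Users"},
}

# Constructed denial record in the layout of the one quoted in the thread.
SAMPLE_RECORD = """\
User \\domainuser was denied access.
Fully-Qualified-User-Name = CORP\\bob
NAS-IP-Address = 192.168.150.1 (VPN private interface)
Client-IP-Address = 192.168.150.1 (VPN private interface)
NAS-Port-Type = Virtual
Authentication-Type = MS-CHAPv2
Reason-Code = 16
"""

ACCESS_ACCEPT = 2   # RADIUS packet codes from RFC 2865
ACCESS_REJECT = 3


def parse_ias_record(text):
    """Turn the 'Name = Value' lines of an IAS event into a dict; other lines are skipped."""
    fields = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        name, _, value = line.partition("=")
        fields[name.strip()] = value.strip()
    return fields


def evaluate_policy(fields, directory=DIRECTORY):
    """Apply the two remote-access-policy conditions from the reply.

    Returns (verdict, explanation) where verdict is 'no-match' (policy does not
    apply to this NAS), 'reject' or 'accept'. This mirrors the described policy,
    not IAS's real evaluation engine.
    """
    # Drop trailing annotations such as "(VPN private interface)".
    nas_ip = fields.get("NAS-IP-Address", "").split(" ", 1)[0]
    if nas_ip != PIX_INTERNAL_IP:
        return "no-match", f"NAS-IP-Address {nas_ip!r} is not the PIX inside address"
    _domain, _, sam = fields.get("Fully-Qualified-User-Name", "").rpartition("\\")
    groups = directory.get(sam)
    if groups is None:
        # Unknown account: the analogue of Reason-Code 16 in the quoted record.
        return "reject", f"unknown user {sam!r}"
    if VPN_GROUP not in groups:
        return "reject", f"{sam!r} is not a member of {VPN_GROUP!r}"
    return "accept", f"{sam!r} matched both conditions"


def response_authenticator(code, identifier, attributes, request_authenticator, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    return hashlib.md5(header + request_authenticator + attributes + secret).digest()


def build_response(code, identifier, attributes, request_authenticator, secret):
    """Assemble an Access-Accept/Reject the way the server side does."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    auth = response_authenticator(code, identifier, attributes, request_authenticator, secret)
    return header + auth + attributes


def verify_response(packet, request_authenticator, secret):
    """The check a RADIUS client (PIX, concentrator) performs on every reply.

    A wrong shared secret on either side makes this fail, and the client silently
    drops the reply, which looks like a timeout rather than a rejection.
    """
    if len(packet) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, identifier, packet[20:], request_authenticator, secret)
    return hmac.compare_digest(expected, packet[4:20])


if __name__ == "__main__":
    fields = parse_ias_record(SAMPLE_RECORD)
    print("policy:", evaluate_policy(fields))
    req_auth = bytes(range(16))            # constructed Request Authenticator
    reply = build_response(ACCESS_REJECT, 7, b"", req_auth, b"example-secret")
    print("reply verifies with right secret:", verify_response(reply, req_auth, b"example-secret"))
    print("reply verifies with wrong secret:", verify_response(reply, req_auth, b"other-secret"))
```

Running the script against the constructed record yields a reject because the user is outside the group, while a mismatched shared secret shows up not as a reject but as a reply the client refuses to accept, which is the distinction to keep in mind when an IAS log shows nothing at all for a failing VPN.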