Cisco 3005 with Windows 2003 IAS

Unanswered Question
Mar 7th, 2007

Trying to get a Cisco VPN 3005 to authenticate users on a Windows 2003 IAS service with password Expiry.

Have set up VPN 3005 and IAS using info linked below.

Problem is we see within IAS the user authenticating succesfully. However, the connection fails and the VPN 3005 log shows:

33700 03/07/2007 14:52:32.330 SEV=3 AUTH/5 RPT=8046

Authentication rejected: Reason = Unspecified

handle = 424, server =, user = mark.wright, domain = <not specified>

Any tips on what could be the issue?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Kamal Malhotra Wed, 03/07/2007 - 12:41

Hi Mark,

Are you able to test the user authentication successfully, meaning, when you goto authentication servers and select the RADIUS server and click test, enter the username and password, does it happen or not?



acomiskey Wed, 03/07/2007 - 12:45

Check your IAS logs on the server, that should get you started.

marwright Wed, 03/07/2007 - 12:59

Extract from IAS logs,mark.wright,03/07/2007,04:45:16,IAS,VANAD03,26,0x00000C0420060000000C,4,,61,5,4108,,4116,9,4128,Concentrator,4155,1,4154,Use Windows authentication for all users,4129,NA\mark.wright,4130,NA\mark.wright,4127,1,25,311 1 08/13/2006 10:17:48 22,4136,1,4142,0,mark.wright,03/07/2007,04:45:16,IAS,VANAD03,25,311 1 08/13/2006 10:17:48 22,4127,1,4130,NA\mark.wright,4129,NA\mark.wright,4154,Use Windows authentication for all users,4108,,4116,9,4128,Concentrator,4155,1,4136,3,4142,16,mark.wright,03/07/2007,04:47:24,IAS,VANAD03,26,0x00000C0420060000000C,4,,61,5,4108,,4116,9,4128,Concentrator,4155,1,4154,Use Windows authentication for all users,4129,NA\mark.wright,4130,NA\mark.wright,4127,1,25,311 1 08/13/2006 10:17:48 23,4136,1,4142,0,mark.wright,03/07/2007,04:47:24,IAS,VANAD03,25,311 1 08/13/2006 10:17:48 23,4127,1,4130,NA\mark.wright,4129,NA\mark.wright,4154,Use Windows authentication for all users,4108,,4116,9,4128,Concentrator,4155,1,4136,3,4142,16

marwright Wed, 03/07/2007 - 12:48

Testing from the Concentrator results in a failure. However viewing the IAS logs for the test it indicates the attempt was succesful.

Kamal Malhotra Wed, 03/07/2007 - 13:04

Hi Mark,

I'm not sure but does you server expect a domain_name\username format? If yes, are we trying in the same format?



acomiskey Wed, 03/07/2007 - 13:23

Another guess, I think password expiry requires mschap v2. Is that allowed in the remote access policy on IAS server?

marwright Wed, 03/07/2007 - 13:35


I don't believe so.

The IAS Event View shows the attempt without the domain\ as a Success.

I still fail with domain\username but don't have access now to IAS to verify if that showed as a success or failure.



kaachary Thu, 03/08/2007 - 15:30

Can you check on IAS if the user' are allowed with "Dial-in " access permissions, in Remote Access policy.

Check if this is allowed on per user basis or on group basis.


marwright Mon, 03/19/2007 - 06:34

This was resolved - turned out 'RADIUS w/ Password Expiry' and not been set in the Group.

Thanks All.


This Discussion