03-07-2007 12:16 PM
Trying to get a Cisco VPN 3005 to authenticate users on a Windows 2003 IAS service with password Expiry.
Have set up VPN 3005 and IAS using info linked below.
Problem is we see within IAS the user authenticating successfully. However, the connection fails and the VPN 3005 log shows:
33700 03/07/2007 14:52:32.330 SEV=3 AUTH/5 RPT=8046
Authentication rejected: Reason = Unspecified
handle = 424, server = 10.1.96.38, user = mark.wright, domain = <not specified>
Any tips on what could be the issue?
03-07-2007 12:41 PM
Hi Mark,
Are you able to test the user authentication successfully, meaning, when you go to authentication servers and select the RADIUS server and click test, enter the username and password, does it happen or not?
Regards,
Kamal
03-07-2007 12:45 PM
Check your IAS logs on the server, that should get you started.
03-07-2007 12:59 PM
Extract from IAS logs
10.0.1.5,mark.wright,03/07/2007,04:45:16,IAS,VANAD03,26,0x00000C0420060000000C,4,10.0.1.5,61,5,4108,10.0.1.5,4116,9,4128,Concentrator,4155,1,4154,Use Windows authentication for all users,4129,NA\mark.wright,4130,NA\mark.wright,4127,1,25,311 1 10.1.96.38 08/13/2006 10:17:48 22,4136,1,4142,0
10.0.1.5,mark.wright,03/07/2007,04:45:16,IAS,VANAD03,25,311 1 10.1.96.38 08/13/2006 10:17:48 22,4127,1,4130,NA\mark.wright,4129,NA\mark.wright,4154,Use Windows authentication for all users,4108,10.0.1.5,4116,9,4128,Concentrator,4155,1,4136,3,4142,16
10.0.1.5,mark.wright,03/07/2007,04:47:24,IAS,VANAD03,26,0x00000C0420060000000C,4,10.0.1.5,61,5,4108,10.0.1.5,4116,9,4128,Concentrator,4155,1,4154,Use Windows authentication for all users,4129,NA\mark.wright,4130,NA\mark.wright,4127,1,25,311 1 10.1.96.38 08/13/2006 10:17:48 23,4136,1,4142,0
10.0.1.5,mark.wright,03/07/2007,04:47:24,IAS,VANAD03,25,311 1 10.1.96.38 08/13/2006 10:17:48 23,4127,1,4130,NA\mark.wright,4129,NA\mark.wright,4154,Use Windows authentication for all users,4108,10.0.1.5,4116,9,4128,Concentrator,4155,1,4136,3,4142,16
03-07-2007 12:48 PM
Testing from the Concentrator results in a failure. However, viewing the IAS logs for the test, it indicates the attempt was successful.
03-07-2007 01:04 PM
Hi Mark,
I'm not sure, but does your server expect a domain_name\username format? If yes, are we trying in the same format?
Regards,
Kamal
03-07-2007 01:23 PM
Another guess, I think password expiry requires mschap v2. Is that allowed in the remote access policy on IAS server?
03-07-2007 01:35 PM
Kamal,
I don't believe so.
The IAS Event View shows the attempt without the domain\ as a Success.
I still fail with domain\username but don't have access now to IAS to verify if that showed as a success or failure.
Thanks,
Mark
03-08-2007 03:30 PM
Can you check on IAS if the users are allowed with "Dial-in" access permissions, in Remote Access policy.
Check if this is allowed on per user basis or on group basis.
-Kanishka
03-19-2007 06:34 AM
This was resolved - turned out 'RADIUS w/ Password Expiry' had not been set in the Group.
Thanks All.
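Added example, not part of any post in this thread: a small Python parser for IAS-format log lines like the extract quoted above, which pulls out the packet type, reason code and authentication protocol so an Access-Reject and the protocol the client used can be read at a glance. The sample lines, host name and user are constructed; the attribute IDs are the subset of Microsoft's IAS-format log attributes needed here.

```python
import csv

# Subset of IAS-format attribute IDs and value meanings
# (from Microsoft's IAS-format log documentation; not exhaustive).
ATTRS = {"4127": "Authentication-Type", "4129": "SAM-Account-Name",
         "4136": "Packet-Type", "4142": "Reason-Code", "4154": "NP-Policy-Name"}
PACKET_TYPE = {"1": "Access-Request", "2": "Access-Accept",
               "3": "Access-Reject", "11": "Access-Challenge"}
AUTH_TYPE = {"1": "PAP", "2": "CHAP", "3": "MS-CHAP", "4": "MS-CHAP v2"}
DECODE = {"Packet-Type": PACKET_TYPE, "Authentication-Type": AUTH_TYPE}
# Every IAS-format record starts with these six fixed fields.
HEADER = ("nas_ip", "user", "date", "time", "service", "computer")

# Constructed sample records (documentation addresses, made-up user).
SAMPLE = [
    r"192.0.2.5,jdoe,03/07/2007,04:45:16,IAS,SRV01,4,192.0.2.5,61,5,"
    r"4154,Use Windows authentication for all users,4129,EXAMPLE\jdoe,"
    r"4127,1,4136,1,4142,0",
    r"192.0.2.5,jdoe,03/07/2007,04:45:16,IAS,SRV01,"
    r"4129,EXAMPLE\jdoe,4154,Use Windows authentication for all users,"
    r"4127,1,4136,3,4142,16",
]

def parse_ias_line(line):
    """Split one IAS-format record into header fields plus known attributes."""
    fields = next(csv.reader([line]))
    rec = dict(zip(HEADER, fields[:6]))
    pairs = fields[6:]
    if len(fields) < 6 or len(pairs) % 2:
        raise ValueError("malformed IAS record: %r" % line)
    # After the header, the record is a flat list of attribute-ID,value pairs.
    for attr_id, value in zip(pairs[0::2], pairs[1::2]):
        name = ATTRS.get(attr_id)
        if name:
            rec[name] = DECODE.get(name, {}).get(value, value)
    return rec

def rejects(lines):
    """Return (account, auth protocol, reason code) for each Access-Reject."""
    out = []
    for rec in map(parse_ias_line, lines):
        if rec.get("Packet-Type") == "Access-Reject":
            out.append((rec.get("SAM-Account-Name"),
                        rec.get("Authentication-Type"),
                        rec.get("Reason-Code")))
    return out

if __name__ == "__main__":
    for account, proto, reason in rejects(SAMPLE):
        print(f"REJECT {account} via {proto}, reason code {reason}")
```

Reason code 0 is success and 16 is an authentication failure due to a credentials mismatch; an Authentication-Type of PAP on a policy that needs MS-CHAP v2 for password expiry is the kind of mismatch this makes visible.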