
Cisco 3005 with Windows 2003 IAS

marwright
Level 1

Trying to get a Cisco VPN 3005 to authenticate users on a Windows 2003 IAS service with password expiry.

Have set up VPN 3005 and IAS using info linked below.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a00800c3917.shtml

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a0080094700.shtml

Problem is we see within IAS the user authenticating successfully. However, the connection fails and the VPN 3005 log shows:

33700 03/07/2007 14:52:32.330 SEV=3 AUTH/5 RPT=8046

Authentication rejected: Reason = Unspecified

handle = 424, server = 10.1.96.38, user = mark.wright, domain = <not specified>

Any tips on what could be the issue?

9 Replies

Kamal Malhotra
Cisco Employee

Hi Mark,

Are you able to test the user authentication successfully? Meaning, when you go to authentication servers, select the RADIUS server, click test, and enter the username and password, does it happen or not?

Regards,

Kamal

Check your IAS logs on the server, that should get you started.

Extract from IAS logs

10.0.1.5,mark.wright,03/07/2007,04:45:16,IAS,VANAD03,26,0x00000C0420060000000C,4,10.0.1.5,61,5,4108,10.0.1.5,4116,9,4128,Concentrator,4155,1,4154,Use Windows authentication for all users,4129,NA\mark.wright,4130,NA\mark.wright,4127,1,25,311 1 10.1.96.38 08/13/2006 10:17:48 22,4136,1,4142,0

10.0.1.5,mark.wright,03/07/2007,04:45:16,IAS,VANAD03,25,311 1 10.1.96.38 08/13/2006 10:17:48 22,4127,1,4130,NA\mark.wright,4129,NA\mark.wright,4154,Use Windows authentication for all users,4108,10.0.1.5,4116,9,4128,Concentrator,4155,1,4136,3,4142,16

10.0.1.5,mark.wright,03/07/2007,04:47:24,IAS,VANAD03,26,0x00000C0420060000000C,4,10.0.1.5,61,5,4108,10.0.1.5,4116,9,4128,Concentrator,4155,1,4154,Use Windows authentication for all users,4129,NA\mark.wright,4130,NA\mark.wright,4127,1,25,311 1 10.1.96.38 08/13/2006 10:17:48 23,4136,1,4142,0

10.0.1.5,mark.wright,03/07/2007,04:47:24,IAS,VANAD03,25,311 1 10.1.96.38 08/13/2006 10:17:48 23,4127,1,4130,NA\mark.wright,4129,NA\mark.wright,4154,Use Windows authentication for all users,4108,10.0.1.5,4116,9,4128,Concentrator,4155,1,4136,3,4142,16

Testing from the Concentrator results in a failure. However, viewing the IAS logs for the test, it indicates the attempt was successful.
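An added example, not part of the original thread and not Cisco or Microsoft code: a small Python parser for IAS-format records like the ones quoted above, decoding Packet-Type (4136), Reason-Code (4142) and Authentication-Type (4127). The attribute meanings follow Microsoft's IAS log format, only the IDs needed here are named, and the two sample lines are copied from the extract above.

```python
import csv

# Fixed header fields that begin every IAS-format record.
HEADER = ["NAS-IP-Address", "User-Name", "Record-Date", "Record-Time",
          "Service-Name", "Computer-Name"]
# Only the attribute IDs needed to triage these records are named.
ATTRS = {"4127": "Authentication-Type", "4128": "Client-Friendly-Name",
         "4136": "Packet-Type", "4142": "Reason-Code", "4154": "NP-Policy-Name"}
PACKET_TYPE = {"1": "Access-Request", "2": "Access-Accept",
               "3": "Access-Reject", "11": "Access-Challenge"}
AUTH_TYPE = {"1": "PAP", "2": "CHAP", "3": "MS-CHAP v1",
             "4": "MS-CHAP v2", "5": "EAP"}

# One request/response pair copied from the extract above (raw strings keep "\").
SAMPLE = [
    r"10.0.1.5,mark.wright,03/07/2007,04:45:16,IAS,VANAD03,26,0x00000C0420060000000C,4,10.0.1.5,61,5,4108,10.0.1.5,4116,9,4128,Concentrator,4155,1,4154,Use Windows authentication for all users,4129,NA\mark.wright,4130,NA\mark.wright,4127,1,25,311 1 10.1.96.38 08/13/2006 10:17:48 22,4136,1,4142,0",
    r"10.0.1.5,mark.wright,03/07/2007,04:45:16,IAS,VANAD03,25,311 1 10.1.96.38 08/13/2006 10:17:48 22,4127,1,4130,NA\mark.wright,4129,NA\mark.wright,4154,Use Windows authentication for all users,4108,10.0.1.5,4116,9,4128,Concentrator,4155,1,4136,3,4142,16",
]


def parse_record(line):
    """Split one IAS-format line into header fields plus named attributes."""
    fields = next(csv.reader([line]))
    extra = fields[len(HEADER):]
    if len(fields) < len(HEADER) or len(extra) % 2:
        raise ValueError("truncated or malformed IAS record")
    rec = dict(zip(HEADER, fields))
    for attr_id, value in zip(extra[0::2], extra[1::2]):
        rec[ATTRS.get(attr_id, attr_id)] = value
    return rec


def summarize(line):
    """Reduce a record to the fields that show what IAS decided."""
    rec = parse_record(line)
    ptype, atype = rec.get("Packet-Type"), rec.get("Authentication-Type")
    return {
        "user": rec["User-Name"],
        "client": rec.get("Client-Friendly-Name"),
        "packet": PACKET_TYPE.get(ptype, ptype),
        "auth": AUTH_TYPE.get(atype, atype),
        # Reason-Code 0 is success; 16 is documented as a credentials mismatch.
        "reason_code": int(rec.get("Reason-Code", -1)),
    }


if __name__ == "__main__":
    for line in SAMPLE:
        print(summarize(line))
```

Run against the two sample lines, the first record decodes as an Access-Request and the second as an Access-Reject with Reason-Code 16, both with Authentication-Type PAP.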

Hi Mark,

I'm not sure, but does your server expect a domain_name\username format? If yes, are we trying in the same format?

Regards,

Kamal

Another guess, I think password expiry requires mschap v2. Is that allowed in the remote access policy on IAS server?

Kamal,

I don't believe so.

The IAS Event View shows the attempt without the domain\ as a Success.

I still fail with domain\username but don't have access now to IAS to verify if that showed as a success or failure.

Thanks,

Mark

Can you check on IAS if the users are allowed with "Dial-in" access permissions in the Remote Access policy?

Check if this is allowed on per user basis or on group basis.

-Kanishka

This was resolved - turned out 'RADIUS w/ Password Expiry' had not been set in the Group.

Thanks All.
