Pix 6.3 VPN auth to IAS 2003, Fails?

Dec 17th, 2007

Hi

I've got a pix501 running 6.3 software and a Windows Server 2003 running Active Directory and IAS for my RADIUS service. I've configured many Windows 2000/Pix RADIUS setups in the past and have had no real problems, yet I have yet to be able to get a working Server2003/Pix setup working. Is there something fundamentally different between IAS 2000 and IAS 2003? Here is my pix config;


aaa-server RADIUS (inside) host 192.168.102.7 105vankirkanx_ timeout 10

crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset

crypto map mymap2 20 ipsec-isakmp dynamic dynmap
crypto map mymap2 client authentication RADIUS
crypto map mymap2 interface outside-internet

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

vpngroup butchervpn address-pool ippool
vpngroup butchervpn dns-server 200.1.0.2
vpngroup butchervpn wins-server 200.1.0.2
vpngroup butchervpn default-domain lauzon
vpngroup butchervpn split-tunnel 101
vpngroup butchervpn idle-time 86400
vpngroup butchervpn password ********




And for the IAS 2003 side of things, I've followed this guide;


http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800b6099.shtml


I know the VPN works because I can switch the auth to LOCAL and VPN in fine with local users. This is the same pix code/setup I've used on IAS 2000 servers and it has always worked fine. Can anyone provide any help with this? Thanks


Jason

Chris Driggers Tue, 12/18/2007 - 06:43
I am not sure if this is related but I've run into an issue recently where I had a VPN solution working through an ASA 5510 w/RADIUS using an IAS 2003 server. The box IAS was running on was 2003 server SP1. As soon as the customer upgraded to SP2, the integration stopped working. From looking at the logs, the IAS service seems to be fine, it is logging successful authentications. However, the client software just times out after the user submits their active directory username and password.


I've got a TAC case open, and I hope to get some answers today.
