ASA, Microsoft VPN client and Active Directory again

Jan 19th, 2009

Hello!

I've successfully set up ASA5510 + VPN client + local author+authen, checked whether the VPN tunnel was established, and it was. Then I followed http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008060f261.shtml to set up Kerberos authentication + LDAP authorization, checked the time settings and Preauthorization in AD for the test VPN user, and then tested both functions. It worked.

However, when I try to establish a VPN connection using the very same username as when I test from ASDM, I get the following output in the Real Time Log Viewer:


4|Jan 19 2009|17:36:11|713903|||||Group = DefaultRAGroup, IP = 195.128.91.24, Information Exchange processing failed

4|Jan 19 2009|17:36:01|113019|||||Group = DefaultRAGroup, Username = , IP = 195.128.91.24, Session disconnected. Session Type: IPsecOverNatT, Duration: 0h:00m:02s, Bytes xmt: 800, Bytes rcv: 1098, Reason: L2TP initiated

6|Jan 19 2009|17:36:01|602304|||||IPSEC: An outbound remote access SA (SPI= 0x0F05B74A) between 195.128.91.254 and 195.128.91.24 (user= DefaultRAGroup) has been deleted.

6|Jan 19 2009|17:36:01|602304|||||IPSEC: An inbound remote access SA (SPI= 0xCCD70173) between 195.128.91.254 and 195.128.91.24 (user= DefaultRAGroup) has been deleted.

6|Jan 19 2009|17:36:01|603107|||||L2TP Tunnel deleted, tunnel_id = 82, remote_peer_ip = 195.128.91.24

6|Jan 19 2009|17:36:01|603106|||||L2TP Tunnel created, tunnel_id is 82, remote_peer_ip is 195.128.91.24

4|Jan 19 2009|17:36:01|737013|||||IPAA: Error freeing address 0.0.0.0, not found

6|Jan 19 2009|17:36:01|113005|||||AAA user authentication Rejected : reason = Unspecified : server = 192.168.91.25 : user = vpnclient

6|Jan 19 2009|17:36:00|302015|192.168.91.25|88|192.168.91.11|61682|Built outbound UDP connection 842 for inside:192.168.91.25/88 (192.168.91.25/88) to identity:192.168.91.11/61682 (192.168.91.11/61682)

6|Jan 19 2009|17:36:00|302015|195.128.91.24|1753|195.128.91.254|1701|Built inbound UDP connection 841 for outside:195.128.91.24/1753 (195.128.91.24/1753) to identity:195.128.91.254/1701 (195.128.91.254/1701)

5|Jan 19 2009|17:35:59|713120|||||Group = DefaultRAGroup, IP = 195.128.91.24, PHASE 2 COMPLETED (msgid=d365e0c5)

6|Jan 19 2009|17:35:59|602303|||||IPSEC: An inbound remote access SA (SPI= 0xCCD70173) between 195.128.91.254 and 195.128.91.24 (user= DefaultRAGroup) has been created.

5|Jan 19 2009|17:35:59|713049|||||Group = DefaultRAGroup, IP = 195.128.91.24, Security negotiation complete for User () Responder, Inbound SPI = 0xccd70173, Outbound SPI = 0x0f05b74a

6|Jan 19 2009|17:35:59|602303|||||IPSEC: An outbound remote access SA (SPI= 0x0F05B74A) between 195.128.91.254 and 195.128.91.24 (user= DefaultRAGroup) has been created.

6|Jan 19 2009|17:35:59|713177|||||Group = DefaultRAGroup, IP = 195.128.91.24, Received remote Proxy Host FQDN in ID Payload: Host Name: ws-nsk02.compumark.lexmark.ru Address 195.128.91.24, Protocol 17, Port 1701

5|Jan 19 2009|17:35:59|713119|||||Group = DefaultRAGroup, IP = 195.128.91.24, PHASE 1 COMPLETED

6|Jan 19 2009|17:35:59|113009|||||AAA retrieved default group policy (DefaultRAGroup) for user = DefaultRAGroup

4|Jan 19 2009|17:35:59|713903|||||Group = DefaultRAGroup, IP = 195.128.91.24, Freeing previously allocated memory for authorization-dn-attributes

6|Jan 19 2009|17:35:59|713172|||||Group = DefaultRAGroup, IP = 195.128.91.24, Automatic NAT Detection Status: Remote end IS behind a NAT device This end is NOT behind a NAT device



If I switch back to local authentication and authorization VPN clients get connected without any problem.


Why is the reason unspecified and what else should I check?


Thank you!



Ivan Martinon (Cisco Employee) Mon, 01/19/2009 - 09:52

Can you go ahead and set the tunnel PPP attributes to PAP instead of MS-CHAP v2 and try again? If that does not work, then go ahead and set debug kerberos 128 and upload the debugs. Also make sure your client is set to PAP when testing this L2TP connection.

nkaretnikov Tue, 01/20/2009 - 00:19

Thank you!

I've tried PAP and it worked without any problem. Then I switched back to MS-CHAP-V2 and it didn't. Setting debug kerberos 128 led to the following output while the VPN client was reporting "Verifying username and password", and the last 2 lines seem to continue on the console until I force the "exit" command in the terminal session.

Do you have any ideas what goes wrong here?

Thank you!



Ivan Martinon (Cisco Employee) Tue, 01/20/2009 - 07:53

I am not entirely sure whether Kerberos as a protocol supports MS-CHAP v2 hashing; that's why it worked fine when set to PAP. I would go ahead and check the settings on your AD server to verify whether MS-CHAPv2 is accepted by it.
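Added editor's example (not code from the thread or from Cisco): a small Python triage script for the pipe-separated Real Time Log Viewer lines quoted in the question. It parses the fields (severity, date, time, message id, source, source port, destination, destination port, text), restores chronological order (the viewer exports newest first), and reports for one peer whether both IKE phases completed, whether the ASA opened a UDP/88 connection to the KDC, and what the AAA reject and the 113019 disconnect said. The sample log is constructed from the lines above; the message ids used (713119, 713120, 302015, 113005, 113019, 603106) are the ones that appear in that log. On this sample the script shows the pattern behind the "Unspecified" reject: IPsec is fine, the ASA does reach 192.168.91.25 on port 88, and the user is rejected at the PPP authentication step about two seconds into the session. That points at how the PPP credentials are handed to Kerberos rather than at reachability: a Kerberos ticket request needs the user's password, which a challenge-response method such as MS-CHAPv2 never gives the ASA, while PAP does. The caveat when switching to PAP is that the password then travels in cleartext inside the PPP frames and is protected only by the IPsec tunnel around them.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample: a subset of the Real Time Log Viewer lines quoted in the
# question, kept in the viewer's newest-first order and pipe-separated layout
# (severity|date|time|message id|src|sport|dst|dport|text).
SAMPLE_LOG = """\
4|Jan 19 2009|17:36:11|713903|||||Group = DefaultRAGroup, IP = 195.128.91.24, Information Exchange processing failed
4|Jan 19 2009|17:36:01|113019|||||Group = DefaultRAGroup, Username = , IP = 195.128.91.24, Session disconnected. Session Type: IPsecOverNatT, Duration: 0h:00m:02s, Bytes xmt: 800, Bytes rcv: 1098, Reason: L2TP initiated
6|Jan 19 2009|17:36:01|603107|||||L2TP Tunnel deleted, tunnel_id = 82, remote_peer_ip = 195.128.91.24
6|Jan 19 2009|17:36:01|603106|||||L2TP Tunnel created, tunnel_id is 82, remote_peer_ip is 195.128.91.24
6|Jan 19 2009|17:36:01|113005|||||AAA user authentication Rejected : reason = Unspecified : server = 192.168.91.25 : user = vpnclient
6|Jan 19 2009|17:36:00|302015|192.168.91.25|88|192.168.91.11|61682|Built outbound UDP connection 842 for inside:192.168.91.25/88 (192.168.91.25/88) to identity:192.168.91.11/61682 (192.168.91.11/61682)
5|Jan 19 2009|17:35:59|713120|||||Group = DefaultRAGroup, IP = 195.128.91.24, PHASE 2 COMPLETED (msgid=d365e0c5)
5|Jan 19 2009|17:35:59|713119|||||Group = DefaultRAGroup, IP = 195.128.91.24, PHASE 1 COMPLETED
"""


@dataclass
class Event:
    severity: int
    ts: datetime
    msg_id: str
    src: str
    sport: str
    dst: str
    dport: str
    text: str


def parse_line(line):
    """Split one viewer line into its nine pipe-separated fields."""
    fields = line.rstrip("\n").split("|", 8)
    if len(fields) != 9:
        raise ValueError("expected 9 pipe-separated fields, got %d" % len(fields))
    sev, date, time, msg_id, src, sport, dst, dport, text = fields
    ts = datetime.strptime("%s %s" % (date, time), "%b %d %Y %H:%M:%S")
    return Event(int(sev), ts, msg_id, src, sport, dst, dport, text)


def parse_log(text):
    """Parse all lines and return them oldest-first."""
    events = [parse_line(l) for l in text.splitlines() if l.strip()]
    # The viewer lists newest first; reverse, then stable-sort by timestamp so
    # events logged within the same second keep their true relative order.
    events.reverse()
    events.sort(key=lambda e: e.ts)
    return events


# Peer address as it appears in IKE/L2TP messages and in the session teardown.
PEER_RE = re.compile(r"(?:IP = |remote_peer_ip (?:=|is) |and )(\d{1,3}(?:\.\d{1,3}){3})")
AAA_REJECT_RE = re.compile(r"reason = (?P<reason>.+?) : server = (?P<server>\S+) : user = (?P<user>\S+)")
DISCONNECT_RE = re.compile(r"Reason: (.+)$")


def events_for_peer(events, peer):
    """Keep events naming the peer, plus AAA rejects and UDP/88 (Kerberos)
    connections, which carry no peer address but belong to the same attempt."""
    kept = []
    for e in events:
        m = PEER_RE.search(e.text)
        if m and m.group(1) == peer:
            kept.append(e)
        elif e.msg_id == "113005" or (e.msg_id == "302015" and "88" in (e.sport, e.dport)):
            kept.append(e)
    return kept


def triage_l2tp(text, peer):
    """Summarise one remote-access attempt: did IPsec come up, was the KDC
    reached, and why did AAA reject the user."""
    ev = events_for_peer(parse_log(text), peer)
    ids = {e.msg_id for e in ev}
    result = {
        "peer": peer,
        "ipsec_phase1": "713119" in ids,
        "ipsec_phase2": "713120" in ids,
        "kdc_contacted": any(e.msg_id == "302015" and "88" in (e.sport, e.dport) for e in ev),
        "aaa_reject": None,
        "disconnect_reason": None,
    }
    for e in ev:
        if e.msg_id == "113005":
            m = AAA_REJECT_RE.search(e.text)
            if m:
                result["aaa_reject"] = m.groupdict()
        elif e.msg_id == "113019":
            m = DISCONNECT_RE.search(e.text)
            if m:
                result["disconnect_reason"] = m.group(1)
    if result["ipsec_phase2"] and result["aaa_reject"]:
        # IKE completed, so the failure is at the L2TP/PPP user authentication
        # step: check the PPP method offered to the AAA server, not IPsec.
        result["verdict"] = "ipsec ok, ppp user authentication rejected by aaa server"
    elif not result["ipsec_phase1"]:
        result["verdict"] = "ike phase 1 never completed"
    else:
        result["verdict"] = "no aaa reject seen"
    return result


if __name__ == "__main__":
    for k, v in triage_l2tp(SAMPLE_LOG, "195.128.91.24").items():
        print("%-18s %s" % (k, v))
```

The "identity" side of the 302015 connection is the ASA's own interface address, so a UDP/88 entry there is direct evidence that the ASA sent a request to the KDC and got as far as an answer; the "Unspecified" reason in 113005 is then the ASA failing to validate the PPP credentials against that answer, which is the symptom of a challenge-response PPP method paired with a password-based AAA protocol.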
