Router VPN authentication fail via Windows 2008 NPS RADIUS

cjrchoi11
Level 1

Hi,

Cisco router trying VPN authentication via Windows 2008 NPS RADIUS server but gets "Access-Reject" from NPS.

1. windows 2008 NAP

1) radius clients

-address=10.10.10.1 (router IP address)

-vendor name=radius standard

-shared key=manual

-key=12345

2) network policies

-accesspermission=grant access

-type of network access server=unspecified

-condition=Domain Admins

-constraints,

>authentication methods=check mark on "unencrypted authentication (PAP, SPAP)"; all others unchecked

>NAS port type=VPN

-settings

>standard=remove all

>vendor specific=Cisco-AV-Pair, Cisco, shell:priv-lvl=15

3) windows 2008 listening UDP 1645

4) wireshark trace

Access-Request (udp 1645) from Cisco router

Access-Reject by radius server

2. Cisco router

!
aaa new-model
!
aaa authentication login user_auth local
aaa authorization network group_auth local
!
crypto map clientmap client authentication list user_auth
crypto map clientmap isakmp authorization list group_auth
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
radius-server host 10.10.10.10 auth-port 1645 acct-port 1646 key 12345
!
(truncated)
!

-debug radius

!
*Oct 24 18:44:34.845: RADIUS/ENCODE(00000042):Orig. component type = VPN_IPSEC
*Oct 24 18:44:34.845: RADIUS(00000042): Config NAS IP: 10.10.10.1
*Oct 24 18:44:34.845: RADIUS/ENCODE(00000042): acct_session_id: 64
*Oct 24 18:44:34.845: RADIUS(00000042): sending
*Oct 24 18:44:34.845: RADIUS(00000042): Send Access-Request to 10.10.10.10:1645 id 1645/32, len 83
*Oct 24 18:44:34.845: RADIUS: authenticator C9 8E D8 DB 77 A3 95 D9 - B6 47 82 0D 76 80 BF 4E
*Oct 24 18:44:34.845: RADIUS: User-Name [1] 12 "vpn_user"
*Oct 24 18:44:34.845: RADIUS: User-Password [2] 18 *
*Oct 24 18:44:34.845: RADIUS: Calling-Station-Id [31] 15 "173.32.20.103"
*Oct 24 18:44:34.845: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
*Oct 24 18:44:34.845: RADIUS: Service-Type [6] 6 Outbound [5]
*Oct 24 18:44:34.845: RADIUS: NAS-IP-Address [4] 6 10.10.10.1
*Oct 24 18:44:34.849: RADIUS: Received from id 1645/32 10.10.10.10:1645, Access-Reject, len 20
*Oct 24 18:44:34.849: RADIUS: authenticator D1 97 F0 44 BD 8C 73 53 - 00 D9 99 92 91 73 E5 08
*Oct 24 18:44:34.849: RADIUS(00000042): Received from id 1645/32
!

VPN authentication is successful via the Cisco router's local database but fails when I switch to Windows 2008 NPS RADIUS. Please advise what's wrong with my Windows 2008 NPS RADIUS configuration.

Thanks in advance,

Jatin Katyal
Cisco Employee

Hi,

Please add the NAS IPv4 address in the condition section along with the Domain Admins group.

NAS IPv4 address : 10.10.10.1

Now go to connection profile radius attribute > standard > add the following attributes

Name ------ Value

FramedProtocol : PPP

Service-type : Framed

Add the Service-Type attribute with value Framed under the network policy > RADIUS attributes > standard.

Now try again. If the above suggestion doesn't work, then open Event Viewer and get the hit from there. You may see this under Application.

HTH

JK

Plz rate helpful post-

~Jatin

Hi JK,

No luck by adding the attributes, but I found an error in the event log:

**************
Log Name:Security
Source:Microsoft-Windows-Security-Auditing
Date:10/24/2009 4:52:31 PM
Event ID:6273
Task Category:Network Policy Server
Level:Information
Keywords:Audit Failure
User:N/A
Computer:AD.test.com
Description:
Network Policy Server denied access to a user.
User:
Security ID:NULL SID
Account Name:vpntest
Account Domain:test
Fully Qualified Account Name:test\vpntest
Client Machine:
Security ID:NULL SID
Account Name:-
Fully Qualified Account Name:-
OS-Version:-
Called Station Identifier:-
Calling Station Identifier:173.32.20.103
NAS:
NAS IPv4 Address:10.10.10.1
NAS IPv6 Address:-
NAS Identifier:-
NAS Port-Type:Virtual
NAS Port:-
RADIUS Client:
Client Friendly Name:vpn_server
Client IP Address:10.10.10.1
Authentication Details:
Proxy Policy Name:Use Windows authentication for all users
Network Policy Name:-
Authentication Provider:Windows
Authentication Server:AD.test.com
Authentication Type:PAP
EAP Type:-
Account Session Identifier:-
Reason Code:16
Reason:Authentication was not successful because an unknown user name or incorrect password was used.
**************

The Cisco router ISAKMP configuration follows.

!
crypto isakmp client configuration group vpntest
key Password1
pool pool_test
acl 100
netmask 255.255.255.0
!

I didn't create a user "vpntest" in Windows 2008 AD, but I get the same result even when I create that ID with the same password as on the Cisco router. I configured a group named "gp_test" and applied it under "Network Policies > Windows Groups". "gp_test" has three members: agent1, agent2 and agent3.

Any clue why I have user authentication error?

Thanks, John
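An added example, not from this thread or from Cisco or Microsoft: a small Python script that parses the attribute lines of the router's "debug radius" output and the Key:Value fields of the NPS event 6273 shown above, then checks whether the two records describe the same request (same NAS IP, same identity) and what the reason code says. The sample log text is constructed from the lines posted in this thread; the function names are my own.

```python
import re
# Constructed sample, copied from the "debug radius" output posted in this thread.
DEBUG_RADIUS = """\
*Oct 24 18:44:34.845: RADIUS(00000042): Send Access-Request to 10.10.10.10:1645 id 1645/32, len 83
*Oct 24 18:44:34.845: RADIUS: User-Name [1] 12 "vpn_user"
*Oct 24 18:44:34.845: RADIUS: User-Password [2] 18 *
*Oct 24 18:44:34.845: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
*Oct 24 18:44:34.845: RADIUS: NAS-IP-Address [4] 6 10.10.10.1
*Oct 24 18:44:34.849: RADIUS: Received from id 1645/32 10.10.10.10:1645, Access-Reject, len 20
"""
# Constructed sample: the relevant Key:Value fields of the NPS event 6273 posted above.
NPS_EVENT = """\
Event ID:6273
Account Name:vpntest
NAS IPv4 Address:10.10.10.1
Network Policy Name:-
Reason Code:16
"""
ATTR_RE = re.compile(r'RADIUS:\s+([\w-]+)\s+\[\d+\]\s+\d+\s+(.*)$')
REPLY_RE = re.compile(r'Received from id \S+ \S+, (Access-\w+)')

def parse_debug_radius(text):
    """({attribute: value}, reply type) for one exchange in 'debug radius' output."""
    attrs, reply = {}, None
    for line in text.splitlines():
        if m := ATTR_RE.search(line):  # strip quotes and trailing "[5]" enum numbers
            attrs[m.group(1)] = m.group(2).strip().strip('"').split(' [')[0]
        elif r := REPLY_RE.search(line):
            reply = r.group(1)
    return attrs, reply

def parse_nps_event(text):
    """Key:Value fields of an NPS 6273 event body, split on the first colon."""
    pairs = (line.partition(':') for line in text.splitlines())
    return {k.strip(): v.strip() for k, sep, v in pairs if sep}

def correlate(attrs, reply, event):
    """Compare what the router sent with what NPS rejected; return findings."""
    if reply != 'Access-Reject' or event.get('Event ID') != '6273':
        return ['no Access-Reject / event 6273 pair to correlate']
    findings = []
    if attrs.get('NAS-IP-Address') != event.get('NAS IPv4 Address'):
        findings.append('NAS IP mismatch: event is from a different RADIUS client')
    if attrs.get('User-Name') != event.get('Account Name'):
        findings.append('identity mismatch: router sent %r, NPS rejected %r'
                        % (attrs.get('User-Name'), event.get('Account Name')))
    if event.get('Reason Code') == '16':  # event text: unknown user name or bad password
        findings.append('reason 16: Windows rejected the credential itself')
    return findings
```

On the thread's own values the script reports an identity mismatch: the router debug shows User-Name "vpn_user", while NPS rejected "vpntest", which is the ISAKMP group name in the router configuration rather than a user account, so the two logs do not describe the same request.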

Hi John,

See we are getting an error

Reason:Authentication was not successful because an unknown user name or incorrect password was used.

And as per the error message, it's clear that we tried with user name "vpntest".

You need to create a user "vpntest" in your AD database and this user should be a member of Domain Admins group on AD.

For the time being, I would suggest you delete the condition for Domain Admins and keep only NAS IPv4, then try again.

Try again and let me know.

Do get the error message from Event Viewer if the issue persists.

HTH

JK

Plz rate helpful posts.

~Jatin

Hi JK,

I deleted the existing condition "Windows Groups" and added "NAS IPv4 10.10.10.1", but I still get the same event log entry: "Authentication was not successful because an unknown user name or incorrect password was used". I joined the AD user "vpntest" to the "Domain Admins" group, but same result.

Don't know why it still complains about the user even after I changed to the NAS IPv4 address condition.

Thanks - John

Authentication works okay after changing the router authorization to local.

!
aaa authentication login user_auth group radius local
aaa authorization network group_auth local
!

Thanks - John