IOS VPN authentication via w2k3 IAS radius

Oct 25th, 2009

Hi,

I am able to do VPN authentication via the 2851's local database, but it fails when I switch to w2k3 IAS. I referred to the URL but had no luck figuring it out.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806de37e.shtml

1. 2851 router configuration

!
aaa new-model
!
aaa authentication login user_auth group radius local
aaa authorization network group_auth group radius local
!
ip domain name family.com
!
username cisco privilege 15 password 7 030752180500
username lab privilege 15 password 7 12150415
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group vpnfamily
 key Password1
 pool pool_family
 acl 100
 netmask 255.255.255.0
!
crypto ipsec transform-set trans_family esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set trans_family
 reverse-route
!
crypto map clientmap client authentication list user_auth
crypto map clientmap isakmp authorization list group_auth
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
radius-server host 10.10.10.222 auth-port 1645 acct-port 1646 key 7 03550958525A

2. w2k3 IAS event log

!
User vpnfamily was denied access.
Fully-Qualified-User-Name = INFRA\vpnfamily
NAS-IP-Address = 10.10.10.1
NAS-Identifier = <not present>
Called-Station-Identifier = <not present>
Calling-Station-Identifier = 216.191.202.3
Client-Friendly-Name = vpn client
Client-IP-Address = 10.10.10.1
NAS-Port-Type = Virtual
NAS-Port = <not present>
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = <undetermined>
Authentication-Type = PAP
EAP-Type = <undetermined>
Reason-Code = 16
Reason = Authentication was not successful because an unknown user name or incorrect password was used.
!

I configured the IAS "RADIUS clients" and "Remote access policies with NAS IP address" properly. What else should I configure in IAS?

As per the event log, the denied user "vpnfamily" is the VPN group name in the 2851 router. I configured this user in w2k3 AD but had no luck; I got the same event log.

It looks like the referred URL's IAS box is not an AD server, since it is using a local user, but mine has IAS and AD on the same box. Do I need a different box for IAS, separate from AD?

How do I resolve the user deny issue?

Advise please!!!

cjrchoi11 Sun, 10/25/2009 - 12:20

As per the w2k3 sniffer trace, the 2851 is requesting with user=vpnfamily and an encrypted password. Is the password "Password1", which is the VPN group's key, being sent to IAS?

-> I have "vpnfamily" with password "Password1" but no luck.

The event log shows "Fully-Qualified-User-Name = INFRA\vpnfamily". INFRA is the AD NetBIOS name. The 2851 router's domain name is "family.com".

-> Is something wrong here?

cjrchoi11 Sun, 10/25/2009 - 13:58

It's a router configuration issue for the authentication. It works okay after changing the authorization to local.

!
aaa authentication login user_auth group radius local
aaa authorization network group_auth local
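One way to triage a reject like this from the two artifacts in the thread, as an added example that is not part of the original posts or of Cisco's configuration guide: it reads the relevant router lines and the IAS event text, and reports whether the denied "user" is really the ISAKMP client group name that the network authorization list hands to RADIUS (which is what the local-authorization fix above addresses). The sample config and event text are constructed from this thread; the verdict strings are my own labels.

```python
import re

# Constructed sample input, copied from the router config and IAS event in this thread.
ROUTER_CONFIG = """\
aaa authentication login user_auth group radius local
aaa authorization network group_auth group radius local
crypto isakmp client configuration group vpnfamily
 key Password1
crypto map clientmap client authentication list user_auth
crypto map clientmap isakmp authorization list group_auth
"""
IAS_EVENT = """\
User vpnfamily was denied access.
Fully-Qualified-User-Name = INFRA\\vpnfamily
NAS-IP-Address = 10.10.10.1
Authentication-Type = PAP
Reason-Code = 16
"""

def parse_ias_event(text):
    """Turn the 'Key = Value' lines of an IAS event into a dict."""
    fields = {}
    for line in text.splitlines():
        if " = " in line:
            key, value = line.split(" = ", 1)
            fields[key.strip()] = value.strip()
    return fields

def isakmp_group_names(config):
    """ISAKMP client group names defined on the router."""
    return set(re.findall(r"^crypto isakmp client configuration group (\S+)", config, re.M))

def radius_authz_lists_in_use(config):
    """Network authorization lists that try RADIUS first and that a crypto map binds."""
    radius_lists = set(re.findall(r"^aaa authorization network (\S+) group radius", config, re.M))
    bound_lists = set(re.findall(r"^crypto map \S+ isakmp authorization list (\S+)", config, re.M))
    return radius_lists & bound_lists

def diagnose(config, event_text):
    """Classify an IAS reject; Reason-Code 16 is 'unknown user name or incorrect password'."""
    fields = parse_ias_event(event_text)
    name = fields.get("Fully-Qualified-User-Name", "").split("\\")[-1]  # drop the DOMAIN\ prefix
    if fields.get("Reason-Code") != "16":
        return ("other-reject", name)
    if name in isakmp_group_names(config) and radius_authz_lists_in_use(config):
        # The router looked up the ISAKMP group name on RADIUS, and IAS has no such account.
        return ("group-authorization-sent-to-radius", name)
    return ("user-credentials", name)
```

Running `diagnose(ROUTER_CONFIG, IAS_EVENT)` on the thread's artifacts yields the group-authorization verdict; with `aaa authorization network group_auth local` it no longer does, so any remaining reject is a real user credential problem.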
