IOS VPN authentication via w2k3 IAS radius

Unanswered Question
Oct 25th, 2009


I am able to authenticate the VPN via 2851 local, but it fails when I switch to w2k3 IAS. I referred to the URL but had no luck figuring it out.

1. 2851 router configuration


aaa new-model

aaa authentication login user_auth group radius local
aaa authorization network group_auth group radius local

ip domain name

username cisco privilege 15 password 7 030752180500
username lab privilege 15 password 7 12150415

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2

crypto isakmp client configuration group vpnfamily
 key Password1
 pool pool_family
 acl 100

crypto ipsec transform-set trans_family esp-3des esp-sha-hmac

crypto dynamic-map dynmap 10
 set transform-set trans_family

crypto map clientmap client authentication list user_auth
crypto map clientmap isakmp authorization list group_auth
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap

radius-server host auth-port 1645 acct-port 1646 key 7 03550958525A

2. w2k3 IAS event log


User vpnfamily was denied access.
Fully-Qualified-User-Name = INFRA\vpnfamily
NAS-IP-Address =
NAS-Identifier = <not present>
Called-Station-Identifier = <not present>
Calling-Station-Identifier =
Client-Friendly-Name = vpn client
Client-IP-Address =
NAS-Port-Type = Virtual
NAS-Port = <not present>
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = <undetermined>
Authentication-Type = PAP
EAP-Type = <undetermined>
Reason-Code = 16
Reason = Authentication was not successful because an unknown user name or incorrect password was used.


I configured IAS "Radius clients" and "Remote access policies with NAS IP address" properly. What else should I configure in IAS?

As per the event log, it denied the user "vpnfamily", which is the VPN group name in the 2851 router. I configured this in w2k3 AD but no luck - got the same event log.

It looks like the referred URL's IAS box is not an AD server, since it is using a local user, but mine has IAS and AD on the same box. Do I need a different box for IAS from AD?

How do I resolve the user deny issue?

Advise please!!!

cjrchoi11 Sun, 10/25/2009 - 12:20

As per the w2k3 sniffer trace, the 2851 is requesting with user=vpnfamily and an encrypted password. Is the password "Password1", which is the VPN group's key, being sent to IAS?

->I have "vpnfamily" with password "Password1" but no luck

The event log shows "Fully-Qualified-User-Name = INFRA\vpnfamily". INFRA is the AD NetBIOS name. The 2851 router's domain name is ""

->Is this something wrong?

cjrchoi11 Sun, 10/25/2009 - 13:58

It's a router configuration issue for the authentication. It works okay after changing the authorization to local.


aaa authentication login user_auth group radius local

aaa authorization network group_auth local
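
An added example, not part of the original thread or any Cisco or Microsoft tooling: a Python check that cross-references the router config with the IAS event to show that the denied name is the Easy VPN group and that the `isakmp authorization list` points at RADIUS, the line the final post changed. The function names and the trimmed, constructed inputs are assumptions for illustration.

```python
import re

# Constructed inputs: trimmed copies of the config and IAS event quoted in the thread.
ROUTER_CONFIG = """\
aaa authentication login user_auth group radius local
aaa authorization network group_auth group radius local
crypto isakmp client configuration group vpnfamily
crypto map clientmap client authentication list user_auth
crypto map clientmap isakmp authorization list group_auth
"""

IAS_EVENT = """\
User vpnfamily was denied access.
Fully-Qualified-User-Name = INFRA\\vpnfamily
Authentication-Type = PAP
Reason-Code = 16
"""

def parse_router(config):
    """Return (Easy VPN group names, {authorization list: methods}, group authorization list)."""
    groups = set(re.findall(r"^crypto isakmp client configuration group (\S+)", config, re.M))
    lists = {m.group(1): m.group(2).split()
             for m in re.finditer(r"^aaa authorization network (\S+) (.+)$", config, re.M)}
    m = re.search(r"^crypto map \S+ isakmp authorization list (\S+)", config, re.M)
    return groups, lists, (m.group(1) if m else None)

def parse_event(text):
    """Return (denied account name without the domain prefix, IAS reason code)."""
    user = re.search(r"^Fully-Qualified-User-Name = (?:.*\\)?(\S+)", text, re.M)
    code = re.search(r"^Reason-Code = (\d+)", text, re.M)
    return (user.group(1) if user else None, int(code.group(1)) if code else None)

def diagnose(config, event):
    """Relate the IAS denial to the router's group authorization settings."""
    groups, lists, authz_list = parse_router(config)
    user, code = parse_event(event)
    return {
        "denied_name": user,
        "reason_code": code,
        "is_group_name": user in groups,        # True: the name is a VPN group, not a person
        "authorization_list": authz_list,
        "authorization_uses_radius": "radius" in lists.get(authz_list, []),
    }

if __name__ == "__main__":
    for key, value in diagnose(ROUTER_CONFIG, IAS_EVENT).items():
        print(f"{key}: {value}")
```
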

