Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

VPN Authentication problems

Unanswered Question
Aug 1st, 2006
User Badges:

I have recently upgraded our PIX OS 7.0(5). We are experiencing issues with remote access VPN clients. Phase 1 authentication occurs OK but the user authentication is failing on some accounts. The PIX authenticates against Active Directory.

The strange thing is that some accounts authenticate ok yet other do not. Looking at the accounts there are no obvious differences, all standard user accounts. If I set up a new account it will also work? From the debug kerberos output the only difference between a successful authentication and one that isn't is:

'Kerberos library reports: "unknown"'

Anybody any ideas?


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 2 (1 ratings)
g.leonard Tue, 08/01/2006 - 08:17
User Badges:

Hi Jay

Yeah, the whole clock skew problem I found during development so its not that I'm afraid. The strange thing is that this was tested against a test domain and worked fine. The other weird thing is that from the same remote client machine we can authenticate using one account but not the others.

I followed the document you listed during development.

Do you know if the PIX can actually authenticate directly against AD? I know I've done this in development but have the feeling I may have fluked something.

I'm a big PIX champion and have been trying to get this in instead of ISA Server. I finally proved that it can work against the domain (something that was required) and now it appears it doesn't work. I'm pretty gutted actually, though it could be a Windows issue?

g.leonard Wed, 08/02/2006 - 05:41
User Badges:

Hi Jay

Had a look at that too. The whole reason for upgrading to PIX 7.0 was to get rid of intermediary authentication servers as the sales blurb states.

I'm sure its a Kerberos authentication problem looking at the debug because successful attempts to authenticate then through up LDAP debug as they go on to be authorised.


This Discussion