08-01-2006 06:17 AM - edited 02-21-2020 10:16 AM
I have recently upgraded our PIX to OS 7.0(5). We are experiencing issues with remote access VPN clients. Phase 1 authentication occurs OK but the user authentication is failing on some accounts. The PIX authenticates against Active Directory.
The strange thing is that some accounts authenticate OK yet others do not. Looking at the accounts there are no obvious differences, all standard user accounts. If I set up a new account, it will also work? From the debug kerberos output the only difference between a successful authentication and one that isn't is:
'Kerberos library reports: "unknown"'
Anybody any ideas?
TIA
08-01-2006 07:21 AM
One frequent cause of authentication failure is clock skew. Be sure that the clocks on the PIX or ASA and your authentication server are synchronized.
Also take a look here, using ASDM...
Hope this helps and if it does please rate the post!!
:)
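The clock-skew check suggested above, as an added example that is not part of the original thread or any Cisco tool: it parses a PIX/ASA `show clock` line, compares it with the domain controller's UTC time, and reports whether the difference is inside the Kerberos tolerance (the Windows domain policy "Maximum tolerance for computer clock synchronization" defaults to 5 minutes). The `show clock` layout ("09:17:42.113 UTC Tue Aug 1 2006"), the zone-name table and the sample timestamps are assumptions made for the example.

```python
"""
Added example (not from the thread): is a PIX/ASA clock within Kerberos
skew tolerance of the Active Directory domain controller's clock?

Assumed `show clock` layout: "HH:MM:SS[.mmm] ZONE DOW MON DD YYYY"
(constructed sample: "09:17:42.113 UTC Tue Aug 1 2006").
The DC time is supplied by the caller as an ISO-8601 UTC string
(e.g. taken from an NTP query against the DC).
"""
from datetime import datetime, timedelta, timezone

# Windows default for "Maximum tolerance for computer clock synchronization".
KERBEROS_DEFAULT_MAX_SKEW = timedelta(minutes=5)

# Zone names this example understands; anything else needs zone_offset passed
# explicitly (assumption: the caller knows the PIX's configured offset).
_ZONE_OFFSETS = {"UTC": timedelta(0), "GMT": timedelta(0)}


def parse_pix_clock(line, zone_offset=None):
    """Turn one PIX/ASA `show clock` line into a timezone-aware UTC datetime."""
    parts = line.split()
    if len(parts) != 6:
        raise ValueError(f"unexpected show clock format: {line!r}")
    hms, zone, _dow, mon, day, year = parts
    stamp = f"{hms} {mon} {day} {year}"
    naive = None
    # Firewalls print fractional seconds; accept lines without them as well.
    for fmt in ("%H:%M:%S.%f %b %d %Y", "%H:%M:%S %b %d %Y"):
        try:
            naive = datetime.strptime(stamp, fmt)
            break
        except ValueError:
            continue
    if naive is None:
        raise ValueError(f"unparseable timestamp: {stamp!r}")
    if zone_offset is None:
        if zone not in _ZONE_OFFSETS:
            raise ValueError(f"unknown zone {zone!r}; pass zone_offset")
        zone_offset = _ZONE_OFFSETS[zone]
    # Local time minus its UTC offset gives UTC.
    return (naive - zone_offset).replace(tzinfo=timezone.utc)


def clock_skew(pix_line, dc_utc_iso, zone_offset=None,
               max_skew=KERBEROS_DEFAULT_MAX_SKEW):
    """Return (skew_seconds, within_tolerance) for a PIX clock and a DC clock."""
    pix = parse_pix_clock(pix_line, zone_offset)
    dc = datetime.fromisoformat(dc_utc_iso.replace("Z", "+00:00"))
    if dc.tzinfo is None:
        dc = dc.replace(tzinfo=timezone.utc)
    delta = abs(pix - dc)
    return delta.total_seconds(), delta <= max_skew


if __name__ == "__main__":
    # Constructed sample values, not captured from a real device.
    pix_line = "09:17:42.113 UTC Tue Aug 1 2006"
    for dc_time in ("2006-08-01T09:19:00Z", "2006-08-01T09:30:00Z"):
        seconds, ok = clock_skew(pix_line, dc_time)
        verdict = "within tolerance" if ok else "EXCEEDS tolerance, Kerberos will fail"
        print(f"PIX vs DC {dc_time}: {seconds:.1f}s skew, {verdict}")
```

In practice the PIX side is `show clock` on the firewall and the fix is `ntp server <dc-ip>` so the firewall tracks the same source as the domain; the script only tells you whether the gap is large enough for the KDC to reject the request.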
08-01-2006 08:17 AM
Hi Jay
Yeah, the whole clock skew problem I found during development so it's not that, I'm afraid. The strange thing is that this was tested against a test domain and worked fine. The other weird thing is that from the same remote client machine we can authenticate using one account but not the others.
I followed the document you listed during development.
Do you know if the PIX can actually authenticate directly against AD? I know I've done this in development but have the feeling I may have fluked something.
I'm a big PIX champion and have been trying to get this in instead of ISA Server. I finally proved that it can work against the domain (something that was required) and now it appears it doesn't work. I'm pretty gutted actually, though it could be a Windows issue?
08-01-2006 08:43 AM
08-02-2006 05:41 AM
Hi Jay
Had a look at that too. The whole reason for upgrading to PIX 7.0 was to get rid of intermediary authentication servers as the sales blurb states.
I'm sure it's a Kerberos authentication problem looking at the debug, because successful attempts to authenticate then throw up LDAP debug as they go on to be authorised.