VPN Authentication problems

g.leonard
Level 1

I have recently upgraded our PIX to OS 7.0(5). We are experiencing issues with remote access VPN clients. Phase 1 authentication occurs OK but the user authentication is failing on some accounts. The PIX authenticates against Active Directory.

The strange thing is that some accounts authenticate OK yet others do not. Looking at the accounts there are no obvious differences; all are standard user accounts. If I set up a new account it will also work? From the debug kerberos output the only difference between a successful authentication and one that isn't is:

'Kerberos library reports: "unknown"'

Anybody any ideas?

TIA

4 Replies

jmia
Level 7

One frequent cause of authentication failure is clock skew. Be sure that the clocks on the PIX or ASA and your authentication server are synchronized.

Also take a look here, using ASDM...

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008060f261.shtml

Hope this helps and if it does please rate post!!

:)

Hi Jay

Yeah, the whole clock skew problem I found during development, so it's not that, I'm afraid. The strange thing is that this was tested against a test domain and worked fine. The other weird thing is that from the same remote client machine we can authenticate using one account but not the others.

I followed the document you listed during development.

Do you know if the PIX can actually authenticate directly against AD? I know I've done this in development but have the feeling I may have fluked something.

I'm a big PIX champion and have been trying to get this in instead of ISA Server. I finally proved that it can work against the domain (something that was required) and now it appears it doesn't work. I'm pretty gutted actually, though it could be a Windows issue?

Hi Jay

Had a look at that too. The whole reason for upgrading to PIX 7.0 was to get rid of intermediary authentication servers as the sales blurb states.

I'm sure it's a Kerberos authentication problem looking at the debug, because successful attempts to authenticate then throw up LDAP debug as they go on to be authorised.
