Cisco Support Community

New Member

Pix 6.3 VPN auth to IAS 2003, Fails?


I've got a pix501 running 6.3 software and a Windows Server 2003 running Active Directory and IAS for my RADIUS service. I've configured many Windows 2000/Pix RADIUS setups in the past and have had no real problems, yet I have yet to be able to get a working Server2003/Pix setup working. Is there something fundamentally different between IAS 2000 and IAS 2003? Here is my pix config:

aaa-server RADIUS (inside) host 105vankirkanx_ timeout 10
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap2 20 ipsec-isakmp dynamic dynmap
crypto map mymap2 client authentication RADIUS
crypto map mymap2 interface outside-internet
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup butchervpn address-pool ippool
vpngroup butchervpn dns-server
vpngroup butchervpn wins-server
vpngroup butchervpn default-domain lauzon
vpngroup butchervpn split-tunnel 101
vpngroup butchervpn idle-time 86400
vpngroup butchervpn password ********

And for the IAS 2003 side of things, I've followed this guide;

I know the VPN works because I can switch the auth to LOCAL and VPN in fine with local users. This is the same pix code/setup I've used on IAS 2000 servers and it has always worked fine. Can anyone provide any help with this? Thanks


New Member

Re: Pix 6.3 VPN auth to IAS 2003, Fails?

I am not sure if this is related, but I've run into an issue recently where I had a VPN solution working through an ASA 5510 w/RADIUS using an IAS 2003 server. The box IAS was running on was 2003 Server SP1. As soon as the customer upgraded to SP2, the integration stopped working. From looking at the logs, the IAS service seems to be fine; it is logging successful authentications. However, the client software just times out after the user submits their Active Directory username and password.

I've got a TAC case open, and I hope to get some answers today.