PIX Xauth authenticating to W2K IAS Radius Server trouble

Hi.

I'm having problems with getting VPN access to work with my PIX 520 and a Windows 2000 IAS server.

Setup:

PIX:

Cisco 520 PIX with 6.0.1 software & VPN-DES

some of the PIX conf:

access-list acl_vpn2dmz permit ip [my_internal_network] [netmask] 10.2.2.0 255.255.255.0

ip local pool mypool 10.2.2.1-10.2.2.254

nat (dmz) 0 access-list acl_vpn2dmz

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server partnerauth protocol tacacs+

aaa-server Auth4VPN protocol radius

aaa-server Auth4VPN (inside) host [my_w2k_server] [my_secret_shared_key] timeout 5

crypto ipsec transform-set transsetdyn esp-des esp-md5-hmac

crypto dynamic-map dynmap 10 set transform-set transsetdyn

crypto map mymap 10 ipsec-isakmp dynamic dynmap

crypto map mymap client configuration address initiate

crypto map mymap client configuration address respond

crypto map mymap client authentication Auth4VPN

crypto map mymap interface outside

isakmp enable outside

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

vpngroup myvpngroup address-pool mypool

vpngroup myvpngroup dns-server 192.168.1.2

vpngroup myvpngroup wins-server 192.168.1.3

vpngroup myvpngroup default-domain mydomain.dk

vpngroup myvpngroup idle-time 1800

vpngroup myvpngroup password ********

IAS server:

Windows 2000 Server SP2+hotfixes

Under clients:

a client with the ip-number of my PIX, with "Client-Vendor" set to "Cisco" and "Shared secret" to [my_secret_shared_key]

Under Remote Access Policies:

A policy with the "Windows-Groups" and "Grant remote access permission". Under Edit Profile->Authentication I have added "Unencrypted Authentication (PAP, SPAP)".

Now here's the problem:

When I use the Cisco VPN Client (version 3.1) and connect to the PIX and type in the user ID and password from my Windows NT domain, the authentication fails.

The Windows NT Event says:

--- first entry ---

Event Type: Information

Event Source: IAS

Event Category: None

Event ID: 1

Date: 30-10-2001

Time: 12:49:16

User: N/A

Computer: [my_ias_server]

Description:

User MYUSER was granted access.

Fully-Qualified-User-Name = MYDOM\MYUSER

NAS-IP-Address = [ip-adr-of-my-pix]

NAS-Identifier = <not present>

Client-Friendly-Name = pixfirewall

Client-IP-Address = [ip-adr-of-my-pix]

NAS-Port-Type = <not present>

NAS-Port = 5

Policy-Name = [my_policy]

Authentication-Type = PAP

EAP-Type = <undetermined>

--- second entry ---

Event Type: Warning

Event Source: IAS

Event Category: None

Event ID: 2

Date: 30-10-2001

Time: 12:49:16

User: N/A

Computer: [my_ias_server]

Description:

User MYUSER was denied access.

Fully-Qualified-User-Name = MYDOM\MYUSER

NAS-IP-Address = [ip-adr-of-my-pix]

NAS-Identifier = <not present>

Called-Station-Identifier = <not present>

Calling-Station-Identifier = <not present>

Client-Friendly-Name = pixfirewall

Client-IP-Address = [ip-adr-of-my-pix]

NAS-Port-Type = <not present>

NAS-Port = 5

Policy-Name = <undetermined>

Authentication-Type = <undetermined>

EAP-Type = <undetermined>

Reason-Code = 16

Reason = There was an authentication failure because of an unknown user name or a bad password.

---

What goes wrong?

It seems that the IAS gets something right and something wrong?

Please, any help would be great!

Best regards,

Bjarne Saltbaek, Tech. Support
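As an added illustration of what travels between the PIX (the RADIUS NAS) and IAS during Xauth, not code from this thread: a minimal RFC 2865 PAP Access-Request with the User-Password hidden under the shared secret, the server-side reverse, and the Response Authenticator check. The user, password, secret and 192.0.2.1 address are constructed; only NAS-Port = 5 comes from the log above.

```python
import hashlib
import hmac
import os
import struct

# RFC 2865 section 5.2: the NAS hides the PAP password by XORing 16-byte blocks
# with MD5(secret + previous block), seeded with the Request Authenticator. A
# secret mismatch decodes to garbage, which a server reports as a bad password.
def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    out, prev = b"", request_auth  # server side: reverse the chain, strip padding
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(ident, secret, user, password, nas_ip, nas_port, request_auth=None):
    # Code 1 = Access-Request; attrs 1 User-Name, 2 User-Password, 4 NAS-IP-Address, 5 NAS-Port
    request_auth = request_auth or os.urandom(16)
    hidden = hide_password(password, secret, request_auth)
    attrs = struct.pack("!BB", 1, 2 + len(user)) + user
    attrs += struct.pack("!BB", 2, 2 + len(hidden)) + hidden
    attrs += struct.pack("!BB", 4, 6) + bytes(int(o) for o in nas_ip.split("."))
    attrs += struct.pack("!BBI", 5, 6, nas_port)
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + request_auth + attrs

def parse_attributes(packet: bytes) -> dict:
    attrs, i = {}, 20  # attributes start after the 20-byte header
    while i < len(packet):
        attrs[packet[i]] = packet[i + 2:i + packet[i + 1]]
        i += packet[i + 1]
    return attrs

def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    # Code 2 = Access-Accept, 3 = Access-Reject; authenticator binds the secret too
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs

def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])
```

Because both the hidden password and the Response Authenticator depend on the shared secret, a secret that differs between the PIX `aaa-server` line and the IAS client entry shows up as a credential failure on the server and an unverifiable reply on the NAS, not as a connectivity error.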

1 REPLY
Re: PIX Xauth authenticating to W2K IAS Radius Server trouble

Recently I found that I could not use PIX RADIUS to authenticate with IAS until I enabled the EAP checkbox with MD5 on the IAS profile. I also found that I had to uncheck the forceful checking of the shared key to get it to work. I was unable to successfully authenticate until I did this.

If you find a better way than that please let me know!

Thanks,

Josh
