VPN and Windows NT4 password changes

colin.melhuish
Level 1

We have recently set up a Cisco 3030 concentrator using NT authentication. This works fine until your NT password expires and requests that you change the password. I get authentication failure and in the Cisco event log it says "322 02/21/2001 11:50:19.290 SEV=3 AUTH/5 RPT=10 212.38.69.171 Authentication rejected: Reason = Unspecifiedhandle = 44, server = 130.21.210.1, user =melhuic"

Any ideas?

3 Replies

dade-mchugh
Level 1

Nothing to do with the authentication, and I do hope this information is mock.

Ooh, and I would suggest that you don't advertise your server IP addresses or valid userids.

I gave a false address to replace our address so that the error would make sense.

Any ideas on the password change request?

dade-mchugh
Level 1

It may have something to do with the way NT authenticates LanManager (LM) clients. I'll try not to make this too long, as you could write a book on this process alone.

Windows NT 4 >SP4 supports both LM and Windows NT Challenge/Response (NTLM); it can keep two versions of the same password in the SAM database, but if you change the password on a Windows NT4 workstation the LM version is deleted under most conditions.

This may be a problem with a BSDI based device like the Cisco 3000s (I think it's BSDI based anyhow), as the 3000 most likely only uses the LM authentication (I think).

I suggest you install the latest RRAS onto the NT4 server and configure RADIUS on it, and then reconfigure the 3000 to use RADIUS, as this should get around the LM auth problem (that is, if it is the problem).

Good Luck
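
Added example, not part of the original thread: a small Python parser for concentrator event-log text in the layout of the event quoted in the question. It groups `AUTH/5` "Authentication rejected" events by user, so an administrator can see which accounts started failing and when, and compare that against NT password-expiry dates. The field layout is inferred from that single quoted event (an assumption), and the sample log, addresses and user names are constructed.

```python
import re
from collections import defaultdict

# Field layout inferred from the one event quoted in the thread (an assumption):
#   seq  date  time  SEV=n  CLASS/num  RPT=n  source-ip  message
START = re.compile(r"\d+ \d\d/\d\d/\d{4} ")
HEAD = re.compile(
    r"(?P<seq>\d+) (?P<date>\d\d/\d\d/\d{4}) (?P<time>[\d:.]+) SEV=(?P<sev>\d+) "
    r"(?P<event>\w+/\d+) RPT=(?P<rpt>\d+) (?P<src>[\d.]+) (?P<msg>.*)", re.S)
# \s* throughout: the quoted event has irregular spacing ("Unspecifiedhandle", "user =x").
REJECT = re.compile(
    r"Authentication\s+rejected:\s*Reason\s*=\s*(?P<reason>.+?)\s*handle\s*=\s*\d+,"
    r"\s*server\s*=\s*(?P<server>[\d.]+),\s*user\s*=\s*(?P<user>\S+)")

def iter_events(text):
    """Return one string per event, re-joining message text wrapped onto later lines."""
    events = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if START.match(line) or not events:
            events.append(line)          # a new event header starts here
        else:
            events[-1] += " " + line     # continuation of the previous message
    return events

def rejected_logins(text):
    """Return {user: {"count", "first", "last", "sources", "servers", "reasons"}}."""
    out = defaultdict(lambda: {"count": 0, "first": None, "last": None,
                               "sources": set(), "servers": set(), "reasons": set()})
    for ev in iter_events(text):
        head = HEAD.match(ev)
        # AUTH/5 is the event class/number shown on the quoted rejection.
        rej = head and head["event"] == "AUTH/5" and REJECT.search(head["msg"])
        if not rej:
            continue
        u, stamp = out[rej["user"]], f'{head["date"]} {head["time"]}'
        u["count"] += 1
        u["first"] = u["first"] or stamp
        u["last"] = stamp
        u["sources"].add(head["src"])
        u["servers"].add(rej["server"])
        u["reasons"].add(rej["reason"])
    return dict(out)

# Constructed sample (documentation addresses, made-up user), same layout as above.
SAMPLE = """\
101 02/21/2001 11:50:19.290 SEV=3 AUTH/5 RPT=10 192.0.2.10 Authentication
rejected: Reason = Unspecifiedhandle = 44, server = 198.51.100.1, user =alice
102 02/21/2001 11:50:40.000 SEV=5 EXAMPLE/1 RPT=1 192.0.2.10 constructed non-auth event
103 02/21/2001 11:51:02.120 SEV=3 AUTH/5 RPT=11 192.0.2.10 Authentication rejected: Reason = Unspecified handle = 45, server = 198.51.100.1, user = alice
"""
```

Calling `rejected_logins(SAMPLE)` returns one entry per user with the rejection count, first and last timestamps, and the source addresses, authentication servers and reasons seen.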