
VPN Authentication against Windows 2000 Mixed-Mode Server

mattcooling
Level 1

I have a client with a VPN 3005 concentrator, and they want to authenticate against their Windows 2000 Active Directory. However, the AD servers are running in Mixed-mode.

I have tried to configure the VPN 3005 concentrator to authenticate against the AD server, and although it recognises the domain and username, it will not authenticate (I always get an 'invalid password' message). Has anyone else experienced a similar problem/got this working?

Regards,

Matt

6 Replies

mostiguy
Level 6

Mixed mode shouldn't matter - that really only changes the ability of NT 4 BDCs to function. Downlevel clients should not be impacted, as win2k native and mixed mode both grok NTLM authentication.

Are you specifying the AD server as an "nt domain" type under authentication?

I didn't have a problem at all as I have upgraded from nt 4 to win2k mixed mode to win2k native mode - the 30xx never flinched. I am not running the 4.0 code, which might be more AD aware.

Hi,

I've specified the Authentication type as 'Kerberos/Active Directory', which is what causes the problem.

I can get it working by specifying 'NT domain' as the authentication type; however, this doesn't allow me to control *which* users can access the VPN.

Is there any way to get a mixed-mode controller to work using AD authentication, or alternatively, any way of controlling which users can access the VPN when using 'NT domain' authentication?

Many thanks,

Matt

That is odd. I can't think of anything Kerberos / AD related that changes via the switch to native mode.

If you are using digital certs, you can use group matching rules under "Policy Matching" rules. This can probably get unwieldy, and would be nowhere as easy as using nt/ad groups, although I haven't played with the kerberos/ad auth features yet.

I would open a case with TAC - I truly cannot think of *any* reason why there would be a problem with mixed mode.

OK - thanks for your help anyway. It's really appreciated.

Cheers,

Matt

My VPN 3060 is authenticating using Microsoft's IAS RADIUS. In this case the Active Directory attribute controlling RAS access is used to control authentication.

Tom Zeller

Indiana University

812-855-6214

zeller@indiana.edu

Hi, and thanks for your reply.

I'm not sure if this is the same situation in which I am running. Can you confirm if the Active Directory is running in Mixed Mode?

Regards,

Matt