542 Views | 0 Helpful | 5 Replies

VPN3000 with AD Authentication Problems

HEATH FREEL
Level 1

In the past I have set up many Authentication Servers to the Concentrator using NT Authentication. In many cases we tried AD authentication first, only to run into problems.

In the past the problem was always that new users were able to authenticate, but users in the AD before the VPN Concentrator was added were unable to log in.

I was just testing again and found that even new users cannot log in.

When I run the test in the Concentrator the message is "no response from server", however the Event Log of the AD server says Authentication Failure.

Does anyone have any ideas?

Thanks,

5 Replies

nefkensp
Level 5

What you might want to check is that the new users are allowed to authenticate using remote access;

Check out the "Dial-in" tab on the properties of your user (via the AD Users & Computers MMC)

You could also change a group policy to audit security events and use the event viewer to see why a user is denied access. It could also be that the VPN concentrator is not part of the AD anymore, so authentication requests are denied and no response is sent back (this happens with RADIUS servers that receive requests from unknown clients as well).

However, usually when I want to authenticate against an AD I use the Internet Authentication Service from Microsoft on one or more DCs and configure the PIX/VPN concentrator/IOS router to authenticate using RADIUS.

That way you can use debugging / logging on both devices to see what's wrong.

Thanks for the response. The users are allowed dial in access - both new and existing.

When you say - "the vpn-concentrator is not part of the AD anymore" how do you make it part of AD - I know how that works with RADIUS and IAS, but I didn't think it was required in AD.

In the VPN Concentrator there is an option to authenticate against a RADIUS server, but also directly to the Kerberos/NT Domain.

Now something comes to my mind, did you recently upgrade the AD to 2003 native mode (if you're using 2003)? It could be that the VPN concentrator authenticates as an NT server, which means that you should keep your AD in mixed mode / downgrade some security settings. I don't know which settings need some change, but it could be something that causes the current problem. If I remember correctly, check the encryption settings for authentication (e.g. disable strong encryption for the authentication somewhere in the group policy).

Hope this helps

PJ

anmcdona
Cisco Employee

What protocol are you using/what type of authentication server is configured? You should be able to do Kerberos directly to AD. NT may not work depending on your AD server config. If you turn up the authdbg event class (sev 1-9 to log) you should get a good idea of what the interaction is between the 3k and your AD server. User authentication via LDAP to AD is not supported (authorization only, and only with the specific 3k schema loaded).

zeller
Level 1

I think there is a user attribute having to do with dialin that has to be set. At least that is true in the case of using an IAS server between ADS and the 3000.

Tom Zeller

Indiana University
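Two of the checks suggested in this thread (the per-user "Dial-in" permission that nefkensp and Tom Zeller mention, and reading the DC's Security log for the failure nefkensp suggests auditing) can be done from a DC with PowerShell. This is an added example, not code from the thread or from Cisco; it assumes the ActiveDirectory module (RSAT) is installed, that the script runs with rights to read the Security log, and that the domain audits logon events. The user names are placeholders.

```powershell
# Added example: verify the AD-side settings discussed in the thread.
# The "Dial-in" tab in AD Users & Computers is backed by the msNPAllowDialin attribute:
# $true = Allow access, $false = Deny access, absent = Control access through policy.
Import-Module ActiveDirectory

function Get-DialInStatus {
    param([Parameter(Mandatory)][string[]]$SamAccountName)
    foreach ($name in $SamAccountName) {
        $u = Get-ADUser -Identity $name -Properties msNPAllowDialin, LockedOut
        $dialIn = if ($null -eq $u.msNPAllowDialin) { 'ControlledByPolicy' }
                  elseif ($u.msNPAllowDialin)      { 'Allow' }
                  else                              { 'Deny' }
        [pscustomobject]@{
            User      = $u.SamAccountName
            Enabled   = $u.Enabled      # a disabled account also fails with a generic error
            LockedOut = $u.LockedOut
            DialIn    = $dialIn
        }
    }
}

# Recent authentication failures on this DC for the users in question.
# 4776 = NTLM credential validation (what an "NT Domain" style login produces),
# 4771 = Kerberos pre-authentication failed, 4625 = failed logon. Requires auditing enabled.
function Get-RecentAuthFailures {
    param([Parameter(Mandatory)][string[]]$SamAccountName, [int]$Hours = 1)
    $filter = @{ LogName = 'Security'; Id = 4776, 4771, 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $msg = $_.Message; $SamAccountName | Where-Object { $msg -match [regex]::Escape($_) } } |
        Select-Object TimeCreated, Id, @{ n = 'Detail'; e = { ($_.Message -split "`n")[0] } }
}

# Usage: the "old" and "new" users the concentrator rejected (placeholder names).
Get-DialInStatus -SamAccountName 'olduser1', 'newuser1' | Format-Table -AutoSize
Get-RecentAuthFailures -SamAccountName 'olduser1', 'newuser1' -Hours 2 | Format-Table -AutoSize
```

A user reported as `Deny`, `Enabled = False` or `LockedOut = True` fails before any concentrator-side setting matters; if no failure events appear at all while the concentrator reports "no response from server", the request is not reaching this DC, which points at the concentrator/domain relationship rather than the user.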