Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

VPN3000 with AD Authentication Problems

In the past I have set up many Authentication Servers to the Concentrator using NT Authentication. In many cases we tried AD authenticaton first, only to run into problems.

In the past the problem was always that new users were able to authenticate, but users in the AD before the VPN Concentrator was added were unable to log in.

I was just testing again and found that even new users cannot log in.

When I run the test in the Concentrator the message is "no response from server", however the Event Log of the AD server says Authentication Failure.

Does anyone have any ideas?

Thanks,

5 REPLIES
New Member

Re: VPN3000 with AD Authentication Problems

What you might want to check is that the new users are allowed to authenticate using remote access;

Check out the "Dial-in" tab on the properties of your user (via the AD Users & Computers MMC)

You could also change a group policy to audit security events and use the event-viewer to see why a user is denied access. It could also be that the vpn-concentrator is not part of the AD anymore, so authentication requests are denied and no response is sent back (happens with radius servers that receive requests from unknown clients as well)..

However, usually when I want to authenticate against an AD I use the Internat Authentication Service from Microsoft on one or more DC's and configure the PIX/VPN concentrator/IOS Router to authenticate using radius.

That way you can use debugging / logging on both devices to see what's wrong.

New Member

Re: VPN3000 with AD Authentication Problems

Thanks for the response. The users are allowed dial in access - both new and existing.

When you say - "the vpn-concentrator is not part of the AD anymore" how do you make it part of AD - I know how that works with RADIUS and IAS, but I didn't think it was required in AD.

New Member

Re: VPN3000 with AD Authentication Problems

In the VPN Concentrator there is an option to authenticate against a RADIUS server, but also directly to the Kerberos/NT Domain.

Now something comes to my mind, did you recently upgrade the AD to 2003 native mode (if you're using 2003)? It could be that the VPN concentrator authenticates as an NT server, which means that you should keep your AD in mixed mode / downgrade some security settings. I don't know which settings need some change, but it could be something that causes the current problem. If I remember correctly, check the encryption settings for authentication (e.g. disable strong encryption for the authentication somewhere in the group policy).

Hope this helps

PJ

Cisco Employee

Re: VPN3000 with AD Authentication Problems

What protocol are you using/what type of authentication server is configured? You should be able to do kerberos directly to ad. NT may not work depending on your ad server config. If you turn up the authdbg event class (sev 1-9 to log) you should get a good idea of what the interaction is between the 3k and your ad server. User authentication via ldap to ad is not supported (authorization only and only with specific 3k schema loaded).

New Member

Re: VPN3000 with AD Authentication Problems

I think there is a user attribute having to do with dialin that has to be set. At least that is true in the case of using an IAS server between ADS and the 3000.

Tom Zeller

Indiana University

137
Views
0
Helpful
5
Replies
CreatePlease to create content