Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
916
Views
0
Helpful
3
Replies

ASA, Microsoft VPN client and Active Directory again

nkaretnikov
Level 1
Level 1

‎01-19-2009 06:47 AM

Hell!

I've successfully setup ASA5510 + VPN client + Local author+authen, checked if VPN tunnel is established and it was. Then I followed http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008060f261.shtml to setup Kerberos authentication + LDAP authorization, I checked the time settings and Preauthorization in AD for the test vpn user, then I tested both functions. It worked.

However, when I try to establish VPN connection using the very same username as when I test from ASDM, I get the following output in the Real Time Log Viewer

4|Jan 19 2009|17:36:11|713903|||||Group = DefaultRAGroup, IP = 195.128.91.24, Information Exchange processing failed

4|Jan 19 2009|17:36:01|113019|||||Group = DefaultRAGroup, Username = , IP = 195.128.91.24, Session disconnected. Session Type: IPsecOverNatT, Duration: 0h:00m:02s, Bytes xmt: 800, Bytes rcv: 1098, Reason: L2TP initiated

6|Jan 19 2009|17:36:01|602304|||||IPSEC: An outbound remote access SA (SPI= 0x0F05B74A) between 195.128.91.254 and 195.128.91.24 (user= DefaultRAGroup) has been deleted.

6|Jan 19 2009|17:36:01|602304|||||IPSEC: An inbound remote access SA (SPI= 0xCCD70173) between 195.128.91.254 and 195.128.91.24 (user= DefaultRAGroup) has been deleted.

6|Jan 19 2009|17:36:01|603107|||||L2TP Tunnel deleted, tunnel_id = 82, remote_peer_ip = 195.128.91.24

6|Jan 19 2009|17:36:01|603106|||||L2TP Tunnel created, tunnel_id is 82, remote_peer_ip is 195.128.91.24

4|Jan 19 2009|17:36:01|737013|||||IPAA: Error freeing address 0.0.0.0, not found

6|Jan 19 2009|17:36:01|113005|||||AAA user authentication Rejected : reason = Unspecified : server = 192.168.91.25 : user = vpnclient

6|Jan 19 2009|17:36:00|302015|192.168.91.25|88|192.168.91.11|61682|Built outbound UDP connection 842 for inside:192.168.91.25/88 (192.168.91.25/88) to identity:192.168.91.11/61682 (192.168.91.11/61682)

6|Jan 19 2009|17:36:00|302015|195.128.91.24|1753|195.128.91.254|1701|Built inbound UDP connection 841 for outside:195.128.91.24/1753 (195.128.91.24/1753) to identity:195.128.91.254/1701 (195.128.91.254/1701)

5|Jan 19 2009|17:35:59|713120|||||Group = DefaultRAGroup, IP = 195.128.91.24, PHASE 2 COMPLETED (msgid=d365e0c5)

6|Jan 19 2009|17:35:59|602303|||||IPSEC: An inbound remote access SA (SPI= 0xCCD70173) between 195.128.91.254 and 195.128.91.24 (user= DefaultRAGroup) has been created.

5|Jan 19 2009|17:35:59|713049|||||Group = DefaultRAGroup, IP = 195.128.91.24, Security negotiation complete for User () Responder, Inbound SPI = 0xccd70173, Outbound SPI = 0x0f05b74a

6|Jan 19 2009|17:35:59|602303|||||IPSEC: An outbound remote access SA (SPI= 0x0F05B74A) between 195.128.91.254 and 195.128.91.24 (user= DefaultRAGroup) has been created.

6|Jan 19 2009|17:35:59|713177|||||Group = DefaultRAGroup, IP = 195.128.91.24, Received remote Proxy Host FQDN in ID Payload: Host Name: ws-nsk02.compumark.lexmark.ru Address 195.128.91.24, Protocol 17, Port 1701

5|Jan 19 2009|17:35:59|713119|||||Group = DefaultRAGroup, IP = 195.128.91.24, PHASE 1 COMPLETED

6|Jan 19 2009|17:35:59|113009|||||AAA retrieved default group policy (DefaultRAGroup) for user = DefaultRAGroup

4|Jan 19 2009|17:35:59|713903|||||Group = DefaultRAGroup, IP = 195.128.91.24, Freeing previously allocated memory for authorization-dn-attributes

6|Jan 19 2009|17:35:59|713172|||||Group = DefaultRAGroup, IP = 195.128.91.24, Automatic NAT Detection Status: Remote end IS behind a NAT device This end is NOT behind a NAT device

If I switch back to local authentication and authorization VPN clients get connected without any problem.

Why is the reason unspecified and what else should I check?

Thank you!

Labels:
Preview file
2 KB
0 Helpful
3 Replies 3

Ivan Martinon
Level 7
Level 7

‎01-19-2009 09:52 AM

Can you go ahead and set the tunnel ppp attributes to be PAP instead of mschap v2 and try again? if that does not work then go ahead and set debug kerberos 128 and upload the debugs. Also make sure your client is set to pap when testing this l2tp connection.

0 Helpful

nkaretnikov
Level 1
Level 1
In response to Ivan Martinon

‎01-20-2009 12:19 AM

Thank you!

I've tried PAP and it worked without any problem. Then I switched back to MS-CHAP-V2 and it didn't. Setting debug kerberos 128 lead to the following output while VPN client reporting "Verifying username and password" and the last 2 strings seem continue on the console until I force "exit" command in the terminal session.

Do you have any ideas what goes wrong here?

Thank you!

Preview file
5 KB
0 Helpful

Ivan Martinon
Level 7
Level 7
In response to nkaretnikov

‎01-20-2009 07:53 AM

I am not entirely sure if Kerberos as a protocol supports mschap v2 hashing that's why when setting it to PAP it worked fine. I would go ahead and check the settings on your AD server to verify whether mschapv2 is accepted by it.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents