Cisco Support Community
New Member

Cisco 3005 with Windows 2003 IAS

Trying to get a Cisco VPN 3005 to authenticate users on a Windows 2003 IAS service with password Expiry.

Have set up VPN 3005 and IAS using info linked below.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a00800c3917.shtml

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a0080094700.shtml

Problem is we see within IAS the user authenticating successfully. However, the connection fails and the VPN 3005 log shows:

33700 03/07/2007 14:52:32.330 SEV=3 AUTH/5 RPT=8046

Authentication rejected: Reason = Unspecified

handle = 424, server = 10.1.96.38, user = mark.wright, domain = <not specified>

Any tips on what could be the issue?

9 REPLIES
Cisco Employee

Re: Cisco 3005 with Windows 2003 IAS

Hi Mark,

Are you able to test the user authentication successfully? Meaning, when you go to authentication servers, select the RADIUS server, click test, and enter the username and password, does it happen or not?

Regards,

Kamal

Green

Re: Cisco 3005 with Windows 2003 IAS

Check your IAS logs on the server, that should get you started.

New Member

Re: Cisco 3005 with Windows 2003 IAS

Extract from IAS logs

10.0.1.5,mark.wright,03/07/2007,04:45:16,IAS,VANAD03,26,0x00000C0420060000000C,4,10.0.1.5,61,5,4108,10.0.1.5,4116,9,4128,Concentrator,4155,1,4154,Use Windows authentication for all users,4129,NA\mark.wright,4130,NA\mark.wright,4127,1,25,311 1 10.1.96.38 08/13/2006 10:17:48 22,4136,1,4142,0

10.0.1.5,mark.wright,03/07/2007,04:45:16,IAS,VANAD03,25,311 1 10.1.96.38 08/13/2006 10:17:48 22,4127,1,4130,NA\mark.wright,4129,NA\mark.wright,4154,Use Windows authentication for all users,4108,10.0.1.5,4116,9,4128,Concentrator,4155,1,4136,3,4142,16

10.0.1.5,mark.wright,03/07/2007,04:47:24,IAS,VANAD03,26,0x00000C0420060000000C,4,10.0.1.5,61,5,4108,10.0.1.5,4116,9,4128,Concentrator,4155,1,4154,Use Windows authentication for all users,4129,NA\mark.wright,4130,NA\mark.wright,4127,1,25,311 1 10.1.96.38 08/13/2006 10:17:48 23,4136,1,4142,0

10.0.1.5,mark.wright,03/07/2007,04:47:24,IAS,VANAD03,25,311 1 10.1.96.38 08/13/2006 10:17:48 23,4127,1,4130,NA\mark.wright,4129,NA\mark.wright,4154,Use Windows authentication for all users,4108,10.0.1.5,4116,9,4128,Concentrator,4155,1,4136,3,4142,16
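For reading IAS-format log lines like the ones posted above, here is an added example (not part of the original post) that decodes the attribute/value pairs following the six fixed header fields and reports Packet-Type, Authentication-Type and Reason-Code per record. The attribute IDs and value meanings are a subset of Microsoft's IAS-format log definitions; the function names are hypothetical and the two sample lines are copied from the post.

```python
import csv

# Subset of IAS-format attribute IDs and value meanings (Microsoft IAS log format).
ATTRS = {"4127": "Authentication-Type", "4128": "Client-Friendly-Name",
         "4129": "SAM-Account-Name", "4136": "Packet-Type", "4142": "Reason-Code"}
PACKET_TYPE = {"1": "Access-Request", "2": "Access-Accept", "3": "Access-Reject"}
AUTH_TYPE = {"1": "PAP", "2": "CHAP", "3": "MS-CHAP v1", "4": "MS-CHAP v2", "5": "EAP"}
REASON = {"0": "Success", "16": "Authentication failed (credentials mismatch)"}
# Every IAS-format record starts with these six positional fields.
HEADER = ("nas_ip", "user", "date", "time", "service", "computer")

# Sample input: the first two log lines from the post above.
SAMPLE = [
    r"10.0.1.5,mark.wright,03/07/2007,04:45:16,IAS,VANAD03,26,0x00000C0420060000000C,4,10.0.1.5,61,5,4108,10.0.1.5,4116,9,4128,Concentrator,4155,1,4154,Use Windows authentication for all users,4129,NA\mark.wright,4130,NA\mark.wright,4127,1,25,311 1 10.1.96.38 08/13/2006 10:17:48 22,4136,1,4142,0",
    r"10.0.1.5,mark.wright,03/07/2007,04:45:16,IAS,VANAD03,25,311 1 10.1.96.38 08/13/2006 10:17:48 22,4127,1,4130,NA\mark.wright,4129,NA\mark.wright,4154,Use Windows authentication for all users,4108,10.0.1.5,4116,9,4128,Concentrator,4155,1,4136,3,4142,16",
]

def parse_ias_line(line):
    """Split one IAS-format record into header fields and an attribute dict."""
    fields = next(csv.reader([line]))
    if len(fields) < len(HEADER):
        raise ValueError("record shorter than the fixed IAS header")
    rec = dict(zip(HEADER, fields[:len(HEADER)]))
    rest = fields[len(HEADER):]
    if len(rest) % 2:
        raise ValueError("attribute list is not made of id,value pairs")
    # Unknown attribute IDs are kept under their numeric ID.
    rec["attrs"] = {ATTRS.get(i, i): v for i, v in zip(rest[0::2], rest[1::2])}
    return rec

def summarize(line):
    """Return the fields that matter when an authentication fails."""
    rec = parse_ias_line(line)
    a = rec["attrs"]
    return {
        "user": rec["user"],
        "time": rec["date"] + " " + rec["time"],
        "packet": PACKET_TYPE.get(a.get("Packet-Type"), a.get("Packet-Type")),
        "auth": AUTH_TYPE.get(a.get("Authentication-Type"), a.get("Authentication-Type")),
        "reason": REASON.get(a.get("Reason-Code"), a.get("Reason-Code")),
    }

if __name__ == "__main__":
    for entry in SAMPLE:
        print(summarize(entry))
```

Reason-Code values missing from the small `REASON` table are returned as the raw number, so they can be looked up in the IAS documentation.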

New Member

Re: Cisco 3005 with Windows 2003 IAS

Testing from the Concentrator results in a failure. However, viewing the IAS logs for the test, it indicates the attempt was successful.

Cisco Employee

Re: Cisco 3005 with Windows 2003 IAS

Hi Mark,

I'm not sure, but does your server expect a domain_name\username format? If yes, are we trying in the same format?

Regards,

Kamal

Green

Re: Cisco 3005 with Windows 2003 IAS

Another guess, I think password expiry requires mschap v2. Is that allowed in the remote access policy on IAS server?

New Member

Re: Cisco 3005 with Windows 2003 IAS

Kamal,

I don't believe so.

The IAS Event View shows the attempt without the domain\ as a Success.

I still fail with domain\username but don't have access now to IAS to verify if that showed as a success or failure.

Thanks,

Mark

Cisco Employee

Re: Cisco 3005 with Windows 2003 IAS

Can you check on IAS if the users are allowed with "Dial-in" access permissions, in Remote Access policy?

Check if this is allowed on per user basis or on group basis.

-Kanishka

New Member

Re: Cisco 3005 with Windows 2003 IAS

This was resolved - turned out 'RADIUS w/ Password Expiry' had not been set in the Group.

Thanks All.
