Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Cisco VPN Client Authenticate Against IAS

I am trying to authenticate our VPN users againts our IAS server. But I keep receiving the following warning in the System log of the server.

User TEST was denied access.

Fully-Qualified-User-Name = TESTDOMAIN\TEST

NAS-IP-Address =

NAS-Identifier = <not present>

Called-Station-Identifier = <not present>

Calling-Station-Identifier =

Client-Friendly-Name = Cisco Router

Client-IP-Address =

NAS-Port-Type = Virtual

NAS-Port = 0

Proxy-Policy-Name = Use Windows authentication for all users

Authentication-Provider = Windows

Authentication-Server = <undetermined>

Policy-Name = <undetermined>

Authentication-Type = PAP

EAP-Type = <undetermined>

Reason-Code = 16

Reason = Authentication was not successful because an unknown user name or incorrect password was used.

The user it is trying to authenticate is the name of the group authentication name. It is not even getting passed the group authentication stage because if this.

Any Help?

The only way I have got it to work at the minute is to set the authentication option in the connection request policy to Accept Users Without Validating Credentials. Obviously I am not going to keep this setting as it defeats the point of the object.

  • VPN
12 REPLIES
Cisco Employee

Cisco VPN Client Authenticate Against IAS

Please ensure that the shared secret key configured on both the IAS server and the router is exactly the same.

Also, please configure the NAS-IP-Address as the router interface ip address where the IAS server is connected.

New Member

Re: Cisco VPN Client Authenticate Against IAS

The shared secret is OK as I have been able to get it to work when logging into the router with an Active Directory account. The NAS-IP-Address is fine as well.

Should it be trying to authenticate the VPN group username?

Cisco Employee

Re: Cisco VPN Client Authenticate Against IAS

No, not the group name, the group password should be the pre-shared key that you configured on the router.

Once it passes through that stage, it will prompt you for a username and password and that would be the user from the IAS server.

New Member

Re: Cisco VPN Client Authenticate Against IAS

Below is a debug from when I try to authenticate. The User-Name in the debug is referring to the group name.

183742: *May 17 09:18:37: AAA/AUTHOR: auth_need : user= 'username' ruser= 'username'rem_addr= 'IPADDRESS' priv= 15 list= '' AUTHOR-TYPE= 'command'

183743: *May 17 09:18:43: AAA/BIND(000000CB): Bind i/f 

183744: *May 17 09:18:44: AAA/AUTHOR (0xCB): Pick method list 'groupauthor'

183745: *May 17 09:18:44: RADIUS/ENCODE(000000CB):Orig. component type = VPN_IPSEC

183746: *May 17 09:18:44: RADIUS:  AAA Unsupported Attr: interface         [175] 12 

183747: *May 17 09:18:44: RADIUS:   38 32 2E 36 38 2E 34 35 2E 31                    [82.68.45.1]

183748: *May 17 09:18:44: RADIUS(000000CB): Config NAS IP: 0.0.0.0

183749: *May 17 09:18:44: RADIUS/ENCODE(000000CB): acct_session_id: 203

183750: *May 17 09:18:44: RADIUS(000000CB): sending

183751: *May 17 09:18:44: RADIUS/ENCODE: Best Local IP-Address IPADDRESS for Radius-Server IPADDRESS

183752: *May 17 09:18:44: RADIUS(000000CB): Send Access-Request to IPADDRESS:1645 id 1645/71, len 97

183753: *May 17 09:18:44: RADIUS:  authenticator DC E3 B5 5A 66 5E 60 4A - 4F 85 E0 25 17 2E AF 0B

183754: *May 17 09:18:44: RADIUS:  User-Name           [1]   9   "username"

183755: *May 17 09:18:44: RADIUS:  User-Password       [2]   18  *

183756: *May 17 09:18:44: RADIUS:  Calling-Station-Id  [31]  12  "IPADDRESS"

183757: *May 17 09:18:44: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]

183758: *May 17 09:18:44: RADIUS:  NAS-Port            [5]   6   1                        

183759: *May 17 09:18:44: RADIUS:  NAS-Port-Id         [87]  14  "IPADDRESS"

183760: *May 17 09:18:44: RADIUS:  Service-Type        [6]   6   Outbound                  [5]

183761: *May 17 09:18:44: RADIUS:  NAS-IP-Address      [4]   6   IPADDRESS            

183762: *May 17 09:18:44: RADIUS: Received from id 1645/71 IPADDRESS:1645, Access-Reject, len 20

183763: *May 17 09:18:44: RADIUS:  authenticator 28 C0 F9 47 34 81 7B 59 - 5A C6 B9 BC 11 AA 1D 83

183764: *May 17 09:18:44: RADIUS(000000CB): Received from id 1645/71

183765: *May 17 09:18:44: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from IPADDRESS was not encrypted and it should've been.

183766: *May 17 09:18:44: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from IPADDRESS was not encrypted and it should've been.

Cisco Employee

Re: Cisco VPN Client Authenticate Against IAS

Sorry, not sure why your User-Name is the group name. The User-Name should be the username that you are trying to authenticate, not the group name.

Can you please share your current router config, and also when you VPN, after you try to connect, do you get prompted to enter username and password?

New Member

Re: Cisco VPN Client Authenticate Against IAS

I do not get asked for a username and password.

version 12.4

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime localtime

service timestamps log datetime localtime

service password-encryption

service sequence-numbers

!

hostname testroute

!

boot-start-marker

boot system flash:c180x-advipservicesk9-mz.124-24.T4.bin

boot-end-marker

!

security authentication failure rate 3 log

security passwords min-length 6

logging message-counter syslog

logging buffered 1000000

enable secret 5

!

aaa new-model

!

!

aaa authentication login default group radius local

aaa authentication login sdm_vpn_xauth_ml_1 local

aaa authentication login userauthen group radius

aaa authorization exec default group radius if-authenticated

aaa authorization network sdm_vpn_group_ml_1 local

aaa authorization network groupauthor group radius

aaa accounting exec default

action-type start-stop

group radius

!

aaa accounting system default

action-type start-stop

group radius

!

!

!

aaa session-id common

clock timezone GMT 1

clock summer-time PCTime date Mar 27 2011 1:00 Oct 31 2011 2:00

!

crypto pki trustpoint TP-self-signed-

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-

revocation-check none

rsakeypair TP-self-signed-

!

!

crypto pki certificate chain TP-self-signed-

certificate self-signed 01

      quit

dot11 syslog

no ip source-route

!

!

no ip dhcp use vrf connected

ip dhcp excluded-address

!

ip dhcp pool test

   network

   default-router

   dns-server

!

!

ip cef

ip domain name test.co.uk

ip name-server

ip name-server

ip name-server

ip ips notify SDEE

ip ips name sdm_ips_rule

ip inspect log drop-pkt

ip inspect one-minute high 3000

ip inspect one-minute low 2250

ip inspect name SDM_LOW cuseeme

ip inspect name SDM_LOW dns

ip inspect name SDM_LOW ftp

ip inspect name SDM_LOW h323

ip inspect name SDM_LOW icmp

ip inspect name SDM_LOW imap

ip inspect name SDM_LOW pop3

ip inspect name SDM_LOW netshow

ip inspect name SDM_LOW rcmd

ip inspect name SDM_LOW realaudio

ip inspect name SDM_LOW rtsp

ip inspect name SDM_LOW sqlnet

ip inspect name SDM_LOW streamworks

ip inspect name SDM_LOW tftp

ip inspect name SDM_LOW vdolive

ip inspect name SDM_LOW tcp

ip inspect name SDM_LOW esmtp max-data 30000000 timeout 3600

ip inspect name SDM_LOW http timeout 3600

ip inspect name SDM_HIGH appfw SDM_HIGH

ip inspect name SDM_HIGH icmp

ip inspect name SDM_HIGH dns

ip inspect name SDM_HIGH https timeout 3600

ip inspect name SDM_HIGH imap reset

ip inspect name SDM_HIGH pop3 reset

ip inspect name SDM_HIGH ftp

ip inspect name SDM_HIGH ntp

ip inspect name SDM_HIGH esmtp max-data 30000000 timeout 3600

ip inspect name SDM_HIGH http timeout 3600

ip inspect name test_DMZ http

ip inspect name test_DMZ bootpc

ip inspect name test_DMZ bootps

ip inspect name test_DMZ smtp

ip inspect name test_DMZ pop3

ip inspect name test_DMZ https

ip inspect name test-DMZ dns

ip urlfilter max-request 5000

ip urlfilter max-resp-pak 1000

ip urlfilter cache 50000

no ipv6 cef

!

appfw policy-name SDM_LOW

  application http

    port-misuse p2p action reset alarm

!

appfw policy-name SDM_HIGH

  application im aol

    service default action reset alarm

    service text-chat action reset alarm

    server deny name login.oscar.aol.com

    server deny name toc.oscar.aol.com

    server deny name oam-d09a.blue.aol.com

    audit-trail on

  application im msn

    service default action reset alarm

    service text-chat action reset alarm

    server deny name messenger.hotmail.com

    server deny name gateway.messenger.hotmail.com

    server deny name webmessenger.msn.com

    audit-trail on

  application http

    port-misuse im action reset alarm

    port-misuse p2p action reset alarm

  application im yahoo

    service default action reset alarm

    service text-chat action reset alarm

    server deny name scs.msg.yahoo.com

    server deny name scsa.msg.yahoo.com

    server deny name scsb.msg.yahoo.com

    server deny name scsc.msg.yahoo.com

    server deny name scsd.msg.yahoo.com

    server deny name cs16.msg.dcn.yahoo.com

    server deny name cs19.msg.dcn.yahoo.com

    server deny name cs42.msg.dcn.yahoo.com

    server deny name cs53.msg.dcn.yahoo.com

    server deny name cs54.msg.dcn.yahoo.com

    server deny name ads1.vip.scd.yahoo.com

    server deny name radio1.launch.vip.dal.yahoo.com

    server deny name in1.msg.vip.re2.yahoo.com

    server deny name data1.my.vip.sc5.yahoo.com

    server deny name address1.pim.vip.mud.yahoo.com

    server deny name edit.messenger.yahoo.com

    server deny name messenger.yahoo.com

    server deny name http.pager.yahoo.com

    server deny name privacy.yahoo.com

    server deny name csa.yahoo.com

    server deny name csb.yahoo.com

    server deny name csc.yahoo.com

    audit-trail on

!

multilink bundle-name authenticated

!

password encryption aes

!

!

username privilege 15 secret 5

username secret 5

username secret 5

username secret 5

username secret 5

username secret 5

username secret 5

username secret 5

username privilege 15 secret 5

username privilege 7 secret 5

username secret 5

!

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

crypto isakmp keepalive 60 30 periodic

!

crypto isakmp client configuration group test

key 6

dns

domain testtest

pool SDM_POOL_test

acl 103

save-password

crypto isakmp profile sdm-ike-profile-1

   match identity group test

   client authentication list userauthen

   isakmp authorization list groupauthor

   client configuration address respond

   virtual-template 1

!

crypto ipsec security-association lifetime seconds 120

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

!

crypto ipsec profile SDM_Profile1

set security-association lifetime seconds 3600

set transform-set ESP-3DES-SHA

set isakmp-profile sdm-ike-profile-1

!

!

archive

log config

  hidekeys

!

!

ip tcp synwait-time 10

!

class-map match-any sdm_p2p_kazaa

match protocol fasttrack

match protocol kazaa2

class-map match-any sdm_p2p_edonkey

match protocol edonkey

class-map match-any sdm_p2p_gnutella

match protocol gnutella

class-map match-any sdm_p2p_bittorrent

match protocol bittorrent

!

!

policy-map sdmappfwp2p_SDM_LOW

class sdm_p2p_bittorrent

policy-map sdmappfwp2p_SDM_HIGH

class sdm_p2p_edonkey

   drop

class sdm_p2p_gnutella

   drop

class sdm_p2p_kazaa

   drop

!

!

!

!

interface ATM0

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

no atm ilmi-keepalive

!

interface ATM0.1 point-to-point

description $ES_WAN$

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat inside

ip virtual-reassembly

ip tcp adjust-mss 1200

pvc 0/38

  encapsulation aal5mux ppp dialer

  dialer pool-member 1

!

!

interface BRI0

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

encapsulation hdlc

shutdown

!

interface FastEthernet0

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

shutdown

duplex auto

speed auto

!

interface FastEthernet1

switchport access vlan 2

!

interface FastEthernet2

!

interface FastEthernet3

!

interface FastEthernet4

!

interface FastEthernet5

!

interface FastEthernet6

!

interface FastEthernet7

!

interface FastEthernet8

!

interface Virtual-Template1 type tunnel

ip unnumbered Dialer0

no ip redirects

no ip unreachables

no ip proxy-arp

tunnel mode ipsec ipv4

tunnel protection ipsec profile SDM_Profile1

!

interface Vlan1

description $ETH-SW-LAUNCH$$INTF-INFO-FE 1$$ES_LAN$$FW_INSIDE$

ip address

ip access-group 102 in

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat inside

ip inspect SDM_HIGH in

ip virtual-reassembly

ip tcp adjust-mss 1200

!

interface Vlan2

description $FW_INSIDE$

ip address

ip access-group 105 in

ip access-group 106 out

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat inside

ip inspect test_DMZ in

ip virtual-reassembly

!

interface Dialer0

description $FW_OUTSIDE$

ip address

ip access-group 101 in

no ip redirects

no ip unreachables

no ip proxy-arp

ip nbar protocol-discovery

ip nat outside

ip ips sdm_ips_rule in

ip ips sdm_ips_rule out

ip virtual-reassembly

encapsulation ppp

dialer pool 1

dialer-group 1

fair-queue 64 16 256

no cdp enable

ppp authentication chap callin

ppp chap hostname

ppp chap password 7

service-policy output sdmappfwp2p_SDM_HIGH

!

ip local pool SDM_POOL_1

ip local pool SDM_POOL_test

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 Dialer0

ip http server

ip http access-class 2

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

!

ip nat pool test_DMZ  netmask

ip nat inside source list 3 pool test_DMZ overload

ip nat inside source list 150 interface Dialer0 overload

ip nat inside source static tcp  3101 interface Dialer0 3101

ip nat inside source static tcp  22  22 extendable

ip nat inside source static

!

logging trap notifications

logging 172.16.100.1

dialer-list 1 protocol ip permit

no cdp run

!

!

!

!

!

snmp-server community testsnmp RO 10

snmp-server enable traps snmp authentication linkdown linkup coldstart

snmp-server enable traps syslog

snmp-server host  testsnmp

radius-server host  auth-port 1645 acct-port 1646 key 7

!

control-plane

!

banner login ^CCC

-----------------------------------------------------------------------

Authorized access only

This system is the property of test test.       

Your IP address has been logged.

Disconnect IMMEDIATELY as you are not an authorized user!       

Contact the test test administrator if you need access to this or other systems belonging to test test.

------------------------------------------------------------------------

^C

!

line con 0

transport output telnet

line aux 0

transport output telnet

line vty 0 4

logging synchronous

transport input telnet ssh

line vty 5 15

transport input telnet ssh

!

scheduler interval 500

ntp update-calendar

ntp server 172.16.100.10

!

webvpn context Default_context

ssl authenticate verify all

!

no inservice

!

end

Cisco Employee

Re: Cisco VPN Client Authenticate Against IAS

OK, so on the VPN Client software, under Group Authentication, the Name should be "test", and the Password should be the key that you have configured on the router within the following configuration line:

crypto isakmp client configuration group test

    key 6

Then click "Connect", and you will be prompted to enter username and password, and this will be the user that you have configured in your IAS server.

New Member

Re: Cisco VPN Client Authenticate Against IAS

The group authentication details are fine. The VPN works fine when I authenticate against the local username and passwords.

If I change the config to:

crypto isakmp profile sdm-ike-profile-1

   client authentication list sdm_vpn_xauth_ml_1

   isakmp authorization list sdm_vpn_group_ml_1

It works fine.

Cisco Employee

Re: Cisco VPN Client Authenticate Against IAS

Configuration on the router is correct.

Please check the access rules configured on the IAS server and ensure that is correct.

1765
Views
0
Helpful
12
Replies
This widget could not be displayed.