Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

IAS Setup Issue with the 3005 Conc

I have setup IAS on Server 2003 to authenticate users. I believe I have everythings setup correctly except for the authentication type used by the 3005 and I'm stuck. It appears the 3005 is using PAP to try and authenticate with IAS. I get the following error when using the Test function (of the authentication RADIUS server) and when actually trying to connect to the 3005 with the IPSEC client.

User Tim was denied access.

.

.

.

NAS-Port Type=Virtual

NAS-Port=1056

Proxy-Policy-Name=Use Windows authentication for all users

Authentication Provider=Windows

Authentication Server=<undetermined>

Policy-Name=Authenticate all VPN connections

Authentication-Type=PAP

EAP-Type=<undetermined>

Reason-Code=66

Reson=The user attempted to us an authentication method that is not enabled on the matching remote access policy.

To test I go ahead and enable PAP authentication on the IAS Remote Access Policy and on the RRAS Remote Access Policy. With that done I can connect with no problem and see an IAS event attesting to the authentication. If I disable PAP on either IAS or RRAS policy I get the same error as above. So, it looks like the 3005 is using PAP to authenticate to the IAS server.

I can't for the life of me figure out how to use MSCHAP2. When I look at the properties of the Base Group AND the Test Group, the only place to configure type of authentication is on the PPTP/L2TP tab and that's not for IPSEC. Nevertheless, the only method checked there is MSCHAP-2.

I'm pretty sure everything is setup correctly because if I use an incorrect password or try to connect when dial-up is disabled in AD I get a legitimate event telling me I've used a bad password or RA is disabled on the account. I know IAS is properly querying AD.

Can anyone tell me what I'm doing wrong? How do I get the 3005 to use MSCHAP-2 when querying IAS server?

  • VPN
1 ACCEPTED SOLUTION

Accepted Solutions
ovt Bronze
Bronze

Re: IAS Setup Issue with the 3005 Conc

Don't worry about this too much. Concentrator probably uses 02 User-Password RADIUS attribute instead of 03 Chap-Password, but the password itself isn't sent in clear. It is hashed by RADIUS shared secret. If you need MS-CHAP exchange between the RADIUS server and the concentrator try to configure Authentication = RADIUS with Expiry on the IPSec tab of Modify Group screen. I didn't test it, but pretty sure that Expiry feature requires MS-CHAP exchage to take place. Please, drop a message if you get a success.

Regards,

Oleg Tipisov,

REDCENTER

2 REPLIES
ovt Bronze
Bronze

Re: IAS Setup Issue with the 3005 Conc

Don't worry about this too much. Concentrator probably uses 02 User-Password RADIUS attribute instead of 03 Chap-Password, but the password itself isn't sent in clear. It is hashed by RADIUS shared secret. If you need MS-CHAP exchange between the RADIUS server and the concentrator try to configure Authentication = RADIUS with Expiry on the IPSec tab of Modify Group screen. I didn't test it, but pretty sure that Expiry feature requires MS-CHAP exchage to take place. Please, drop a message if you get a success.

Regards,

Oleg Tipisov,

REDCENTER

New Member

Re: IAS Setup Issue with the 3005 Conc

Thanks much. Indeed, changing to Radius w/Expiry does result in a MSCHAP-v2 authentication. Cheers...

173
Views
0
Helpful
2
Replies