https://community.cisco.com/t5/network-access-control/vpn-authentication-problems/m-p/536823#M5690 <HTML><HEAD></HEAD><BODY><P>Does this help....</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_example09186a00806de37e.shtml" target="_blank">http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_example09186a00806de37e.shtml</A></P><P></P><P>Jay</P><P></P><P></P><P></P></BODY></HTML> Tue, 01 Aug 2006 15:43:09 GMT jmia 2006-08-01T15:43:09Z https://community.cisco.com/t5/network-access-control/vpn-authentication-problems/m-p/536820#M5681 <P>I have recently upgraded our PIX OS 7.0(5). We are experiencing issues with remote access VPN clients. Phase 1 authentication occurs OK but the user authentication is failing on some accounts. The PIX authenticates against Active Directory.</P><P>The strange thing is that some accounts authenticate ok yet other do not. Looking at the accounts there are no obvious differences, all standard user accounts. If I set up a new account it will also work? From the debug kerberos output the only difference between a successful authentication and one that isn't is:</P><P></P><P>'Kerberos library reports: "unknown"'</P><P></P><P>Anybody any ideas?</P><P>TIA</P> Fri, 21 Feb 2020 18:16:23 GMT https://community.cisco.com/t5/network-access-control/vpn-authentication-problems/m-p/536820#M5681 g.leonard 2020-02-21T18:16:23Z https://community.cisco.com/t5/network-access-control/vpn-authentication-problems/m-p/536821#M5683 <HTML><HEAD></HEAD><BODY><P>One frequent cause of authentication failure is clock skew. Be sure that the clocks on the PIX or ASA and your authentication server are synchronized.</P><P></P><P>Also take a look here, using ASDM...</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008060f261.shtml" target="_blank">http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008060f261.shtml</A></P><P></P><P>Hope this helps and if it does please rate post!!</P><P></P><P><span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P></BODY></HTML> Tue, 01 Aug 2006 14:21:30 GMT https://community.cisco.com/t5/network-access-control/vpn-authentication-problems/m-p/536821#M5683 jmia 2006-08-01T14:21:30Z https://community.cisco.com/t5/network-access-control/vpn-authentication-problems/m-p/536822#M5687 <HTML><HEAD></HEAD><BODY><P>Hi Jay</P><P></P><P>Yeah, the whole clock skew problem I found during development so its not that I'm afraid. The strange thing is that this was tested against a test domain and worked fine. The other weird thing is that from the same remote client machine we can authenticate using one account but not the others.</P><P>I followed the document you listed during development.</P><P>Do you know if the PIX can actually authenticate directly against AD? I know I've done this in development but have the feeling I may have fluked something.</P><P>I'm a big PIX champion and have been trying to get this in instead of ISA Server. I finally proved that it can work against the domain (something that was required) and now it appears it doesn't work. I'm pretty gutted actually, though it could be a Windows issue?</P></BODY></HTML> Tue, 01 Aug 2006 15:17:23 GMT https://community.cisco.com/t5/network-access-control/vpn-authentication-problems/m-p/536822#M5687 g.leonard 2006-08-01T15:17:23Z https://community.cisco.com/t5/network-access-control/vpn-authentication-problems/m-p/536823#M5690 <HTML><HEAD></HEAD><BODY><P>Does this help....</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_example09186a00806de37e.shtml" target="_blank">http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_example09186a00806de37e.shtml</A></P><P></P><P>Jay</P><P></P><P></P><P></P></BODY></HTML> Tue, 01 Aug 2006 15:43:09 GMT https://community.cisco.com/t5/network-access-control/vpn-authentication-problems/m-p/536823#M5690 jmia 2006-08-01T15:43:09Z https://community.cisco.com/t5/network-access-control/vpn-authentication-problems/m-p/536824#M5693 <HTML><HEAD></HEAD><BODY><P>Hi Jay</P><P>Had a look at that too. The whole reason for upgrading to PIX 7.0 was to get rid of intermediary authentication servers as the sales blurb states.</P><P>I'm sure its a Kerberos authentication problem looking at the debug because successful attempts to authenticate then through up LDAP debug as they go on to be authorised.</P></BODY></HTML> Wed, 02 Aug 2006 12:41:55 GMT https://community.cisco.com/t5/network-access-control/vpn-authentication-problems/m-p/536824#M5693 g.leonard 2006-08-02T12:41:55Z