Authentication problem with Cisco 3005 and MS RADIUS

ethanhays
Level 1

I am trying to set up authentication for VPN clients (software) to a Cisco 3005 concentrator through MS RADIUS on win2k server. I have gone through the Cisco example configurations, which worked great for setting up hardware clients, but is not working for my software clients.

When trying to authenticate win2k server, test authentication from the concentrator works fine. The client does not see any error message, it just goes through the process and disconnects.

The client log is showing (sorry if this is a little long):

40 08:15:55.296 11/11/05 Sev=Info/5 IKE/0x6300003C

Received a DELETE payload for IKE SA with Cookies:

I_Cookie=508F2B7F7B7C8497 R_Cookie=35DCC0259EE6FD37

41 08:15:55.296 11/11/05 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 172.30.128.3

42 08:15:55.296 11/11/05 Sev=Info/4 IKE/0x63000048

Discarding IPsec SA negotiation, MsgID=075ECA6A

43 08:15:55.296 11/11/05 Sev=Info/4 IKE/0x63000017

Marking IKE SA for deletion (I_Cookie=508F2B7F7B7C8497

R_Cookie=35DCC0259EE6FD37) reason =

PEER_DELETE-IKE_DELETE_UNSPECIFIED

44 08:15:55.718 11/11/05 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

45 08:15:56.218 11/11/05 Sev=Info/4 IKE/0x6300004A

Discarding IKE SA negotiation (I_Cookie=508F2B7F7B7C8497

R_Cookie=35DCC0259EE6FD37) reason =

PEER_DELETE-IKE_DELETE_UNSPECIFIED

46 08:15:56.218 11/11/05 Sev=Info/4 IKE/0x63000001

IKE received signal to terminate VPN connection

47 08:15:56.218 11/11/05 Sev=Info/4 IKE/0x63000085

Microsoft IPSec Policy Agent service started successfully

48 08:15:56.718 11/11/05 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

49 08:15:56.718 11/11/05 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

50 08:15:56.718 11/11/05 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

51 08:15:56.718 11/11/05 Sev=Info/4 IPSEC/0x6370000A

IPSec driver successfully stopped

The concentrator log shows the following:

10849 11/11/2005 08:26:48.630 SEV=4 IKE/52 RPT=115 172.30.144.96

Group [IndividualNT] User [<username>]

User (<username>) authenticated.

10850 11/11/2005 08:26:48.640 SEV=5 IKE/184 RPT=106 172.30.144.96

Group [IndividualNT] User [<username>]

Client OS: WinNT

Client Application Version: 4.0.1 (Rel)

10852 11/11/2005 08:26:49.480 SEV=4 IKE/119 RPT=145 172.30.144.96

Group [IndividualNT] User [<username>]

PHASE 1 COMPLETED

10853 11/11/2005 08:26:49.490 SEV=5 IKE/25 RPT=3768 172.30.144.96

Group [IndividualNT] User [<username>]

Received remote Proxy Host data in ID Payload:

Address 172.30.128.100, Protocol 0, Port 0

10856 11/11/2005 08:26:49.490 SEV=5 IKE/34 RPT=3906 172.30.144.96

Group [IndividualNT] User [<username>]

Received local IP Proxy Subnet data in ID Payload:

Address 0.0.0.0, Mask 0.0.0.0, Protocol 0, Port 0

10859 11/11/2005 08:26:49.490 SEV=4 IKE/1 RPT=480 172.30.144.96

Group [IndividualNT] User [<username>]

Received invalid phase 2 L2TP/IPSec Responder ID payload

Expected ID: Type 1, Proto 17, Port 1701, Addr 172.30.128.3

Received ID: Type 4, Proto 0, Port 0, Addr 0.0.0.0

10863 11/11/2005 08:26:49.490 SEV=4 IKEDBG/0 RPT=517

QM FSM error (P2 struct &0x1d284fc, mess id 0x2b2a1a0a)!

10864 11/11/2005 08:26:49.490 SEV=4 IKEDBG/65 RPT=1036 172.30.144.96

Group [IndividualNT] User [<username>]

IKE QM Responder FSM error history (struct &0x1d284fc)

<state>, <event>:

QM_DONE, EV_ERROR

QM_BLD_MSG2, EV_NEGO_SA

QM_BLD_MSG2, EV_IS_REKEY

QM_BLD_MSG2, EV_CONFIRM_SA

I've been working on this for 2 days, and can't figure out why clients can't connect. Any help would be greatly appreciated.
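
An added example (not part of the original post): a short Python triage of the concentrator log above. It groups each header line with its message lines, then reports whether user authentication and Phase 1 completed and which entry logged the phase 2 ID mismatch. The header pattern is inferred from the lines in the post, and the function names are hypothetical.

```python
import re

# Concentrator log lines copied from the post above (blank lines removed).
SAMPLE_LOG = """\
10849 11/11/2005 08:26:48.630 SEV=4 IKE/52 RPT=115 172.30.144.96
Group [IndividualNT] User [<username>]
User (<username>) authenticated.
10852 11/11/2005 08:26:49.480 SEV=4 IKE/119 RPT=145 172.30.144.96
Group [IndividualNT] User [<username>]
PHASE 1 COMPLETED
10859 11/11/2005 08:26:49.490 SEV=4 IKE/1 RPT=480 172.30.144.96
Group [IndividualNT] User [<username>]
Received invalid phase 2 L2TP/IPSec Responder ID payload
Expected ID: Type 1, Proto 17, Port 1701, Addr 172.30.128.3
Received ID: Type 4, Proto 0, Port 0, Addr 0.0.0.0
10863 11/11/2005 08:26:49.490 SEV=4 IKEDBG/0 RPT=517
QM FSM error (P2 struct &0x1d284fc, mess id 0x2b2a1a0a)!
"""

# Assumed header layout: seq, date, time, SEV=, class/number, RPT=, optional peer IP.
HEADER = re.compile(r"^(?P<seq>\d+) (?P<date>\S+) (?P<time>\S+) SEV=(?P<sev>\d+) "
                    r"(?P<event>[A-Z]+/\d+) RPT=\d+(?: (?P<peer>\S+))?$")
ID_LINE = re.compile(
    r"^(Expected|Received) ID: Type (\d+), Proto (\d+), Port (\d+), Addr (\S+)$")

def parse_entries(text):
    """Group each header line with the message lines that follow it."""
    entries = []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = HEADER.match(line)
        if m:
            entries.append({**m.groupdict(), "body": []})
        elif entries:
            entries[-1]["body"].append(line)
    return entries

def triage(entries):
    """Report how far the negotiation got and any Expected/Received ID mismatch."""
    result = {"authenticated": False, "phase1_completed": False, "id_mismatch": None}
    for e in entries:
        body = e["body"]
        result["authenticated"] |= any(l.endswith("authenticated.") for l in body)
        result["phase1_completed"] |= "PHASE 1 COMPLETED" in body
        ids = {m.group(1).lower(): m.groups()[1:] for m in map(ID_LINE.match, body) if m}
        if len(ids) == 2 and ids["expected"] != ids["received"]:
            result["id_mismatch"] = {"seq": e["seq"], **ids}
    return result
```

Calling `triage(parse_entries(SAMPLE_LOG))` returns the two status flags plus the sequence number and the (type, proto, port, addr) tuples of the mismatched IDs.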

3 Replies

mchin345
Level 6

Some RADIUS servers do not support MSCHAPv1 or MSCHAPv2 user authentication. If you are using a RADIUS server that does not support MSCHAP (v1 or v2), you must configure the Base Group's PPTP authentication protocol to use PAP and/or CHAP and also disable the MSCHAP options. Examples of RADIUS servers that do not support MSCHAP are the Livingston v1.61 RADIUS server or any RADIUS server based on Livingston code. For more information, refer to the following URL:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a00800949da.shtml

Thanks for the response. I see that I should have been more specific in my post; I am using Microsoft IAS as a RADIUS server, in addition to which, I have tried changing authentication protocols to no avail. The current configuration comes closest to working, and produces the output seen above. Other configurations either disconnect before asking for a password, or do not accept the password. The current behavior is that the client software (Cisco VPN Client) asks for the password, appears to accept it, then disconnects without any error message on the client side at all.

Ethanhays,

Were you able to solve this issue? I am having the exact same problem. VPN with ISA as RADIUS auth was working fine up until last week. All of a sudden, VPN with ISA auth stopped working with the exact same error as above. I suspect a Microsoft hotfix but do not know which one, as there are millions of them every week. Any information would be greatly appreciated.