Microsoft VPN with NT authentication

wei.hu
Level 1

Hi,

I am trying to set up a VPN connection with:

. Cisco VPN Concentrator

. Microsoft Windows 2000 VPN client

. NT authentication

I got the following log messages:

"

273 02/03/2003 14:28:59.950 SEV=5 PPP/8 RPT=79 192.168.100.13

User [xxx\yyy]

Authenticated successfully with MSCHAP-V1

274 02/03/2003 14:28:59.950 SEV=5 PPP/10 RPT=8 192.168.100.13

User [xxx\yyy]

disconnected. Tunneling protocol not allowed.

"

Does anyone know what's wrong with that?

By the way, it works with Internal authentication. And the NT account has been enabled with remote access.

Thanks,

Wei

2 Replies

gfullage
Cisco Employee

"Tunnelling protocol not allowed" means you don't have the correct Tunnelling Protocol set under the General tab for whatever VPN3000 group this user is set up to connect into. If this is a Win2K client then you need to allow L2TP over Ipsec in the Group, and if you're using NT authentication then this user is probably defaulting to the Base Group. Go under Config - User Mgmt - Base Group under the General tab and select L2TP over Ipsec.

Be careful that this will UNselect just plain IPSec, you can only do one or the other in a group. Be careful also that if you are inheriting this value in your other groups, then you need to go into each particular group and select IPSec back again.

It probably works when you have an internal user because you have put that user into a specific group and that group has L2TP over IPSec checked. When you move the user off the VPN3000 onto an external database, they generally default into the Base Group.

You are right. It works when I put corresponding configuration in the Base-Group.

You mentioned "When you move the user off the VPN3000 onto an external database, they generally default into the Base Group."

How could I change it?

Thanks,

Wei
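
Added example, not part of the original thread: a small Python log check that finds the pattern discussed above, where a user authenticates successfully and is then disconnected with "Tunneling protocol not allowed", which points at the group's tunneling-protocol setting rather than at the credentials. The sample log is constructed in the layout quoted in the question (the third event is made up as a negative case), and the function names are hypothetical.

```python
import re

# Constructed sample in the event-log layout quoted in the question.
SAMPLE_LOG = r"""
273 02/03/2003 14:28:59.950 SEV=5 PPP/8 RPT=79 192.168.100.13
User [xxx\yyy]
Authenticated successfully with MSCHAP-V1
274 02/03/2003 14:28:59.950 SEV=5 PPP/10 RPT=8 192.168.100.13
User [xxx\yyy]
disconnected. Tunneling protocol not allowed.
275 02/03/2003 14:31:02.120 SEV=5 PPP/8 RPT=80 192.168.100.20
User [xxx\zzz]
Authenticated successfully with MSCHAP-V1
"""

# Header line: sequence, date, time, severity, event class/number, repeat count, peer IP.
HEADER = re.compile(
    r"^(?P<seq>\d+)\s+(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>[\d:.]+)\s+"
    r"SEV=(?P<sev>\d+)\s+(?P<event>[A-Z0-9]+/\d+)\s+RPT=(?P<rpt>\d+)"
    r"(?:\s+(?P<peer>\d{1,3}(?:\.\d{1,3}){3}))?\s*$")
USER = re.compile(r"User \[(?P<user>[^\]]+)\]")

def parse_events(text):
    """Group each header line with the message lines that follow it."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:
            events.append({**m.groupdict(), "msg": []})
        elif line and events:
            events[-1]["msg"].append(line)
    for e in events:
        e["msg"] = " ".join(e["msg"])
        u = USER.search(e["msg"])
        e["user"] = u.group("user") if u else None
    return events

def auth_ok_then_protocol_denied(events):
    """Return (user, peer, seq) for sessions that passed authentication and
    were then dropped because the group disallows the tunneling protocol."""
    authed, hits = set(), []
    for e in events:
        key = (e["user"], e["peer"])
        if "Authenticated successfully" in e["msg"]:
            authed.add(key)
        elif "Tunneling protocol not allowed" in e["msg"] and key in authed:
            hits.append((e["user"], e["peer"], int(e["seq"])))
            authed.discard(key)
    return hits
```

Each hit is a user whose credentials were accepted but whose group settings rejected the tunnel, so the place to look is the group the user lands in, not the authentication server.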