PIX Xauth authenticating to W2K IAS Radius Server trouble

bsaltbaek
Level 1

Hi.

I'm having problems with getting VPN access to work with my PIX 520 and a Windows 2000 IAS server.

Setup:

PIX:

Cisco 520 PIX with 6.0.1 software & VPN-DES

some of the pix conf:

access-list acl_vpn2dmz permit ip [my_internal_network] [netmask] 10.2.2.0 255.255.255.0
ip local pool mypool 10.2.2.1-10.2.2.254
nat (dmz) 0 access-list acl_vpn2dmz
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server partnerauth protocol tacacs+
aaa-server Auth4VPN protocol radius
aaa-server Auth4VPN (inside) host [my_w2k_server] [my_secret_shared_key] timeout 5
crypto ipsec transform-set transsetdyn esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set transsetdyn
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap client authentication Auth4VPN
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup myvpngroup address-pool mypool
vpngroup myvpngroup dns-server 192.168.1.2
vpngroup myvpngroup wins-server 192.168.1.3
vpngroup myvpngroup default-domain mydomain.dk
vpngroup myvpngroup idle-time 1800
vpngroup myvpngroup password ********

IAS server:

Windows 2000 Server SP2+hotfixes

Under clients:

a client with the ip-number of my PIX, with "Client-Vendor" set to "Cisco" and "Shared secret" to [my_secret_shared_key]

Under Remote Access Policies:

A policy with the "Windows-Groups" and "Grant remote access permission". Under Edit Profile->Authentication I have added "Unencrypted Authentication (PAP, SPAP)".

Now here's the problem:

When I use the Cisco VPN Client (version 3.1) and connect to the PIX and tap in the userid and password from my Windows NT domain, the authentication fails.

The Windows NT Event says:

--- first entry ---
Event Type: Information
Event Source: IAS
Event Category: None
Event ID: 1
Date: 30-10-2001
Time: 12:49:16
User: N/A
Computer: [my_ias_server]
Description:
User MYUSER was granted access.
Fully-Qualified-User-Name = MYDOM\MYUSER
NAS-IP-Address = [ip-adr-of-my-pix]
NAS-Identifier = <not present>
Client-Friendly-Name = pixfirewall
Client-IP-Address = [ip-adr-of-my-pix]
NAS-Port-Type = <not present>
NAS-Port = 5
Policy-Name = [my_policy]
Authentication-Type = PAP
EAP-Type = <undetermined>

--- second entry ---
Event Type: Warning
Event Source: IAS
Event Category: None
Event ID: 2
Date: 30-10-2001
Time: 12:49:16
User: N/A
Computer: [my_ias_server]
Description:
User MYUSER was denied access.
Fully-Qualified-User-Name = MYDOM\MYUSER
NAS-IP-Address = [ip-adr-of-my-pix]
NAS-Identifier = <not present>
Called-Station-Identifier = <not present>
Calling-Station-Identifier = <not present>
Client-Friendly-Name = pixfirewall
Client-IP-Address = [ip-adr-of-my-pix]
NAS-Port-Type = <not present>
NAS-Port = 5
Policy-Name = <undetermined>
Authentication-Type = <undetermined>
EAP-Type = <undetermined>
Reason-Code = 16
Reason = There was an authentication failure because of an unknown user name or a bad password.
---

What goes wrong?

It seems that the IAS gets something right and something wrong?

Please, any help would be great!

Best regards,

Bjarne Saltbaek, Tech. Support
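For readers diagnosing the same symptom: the IAS events above show a PAP Access-Request (User-Name, NAS-IP-Address, NAS-Port 5) that matches the policy and is then rejected with Reason-Code 16. Under RFC 2865 the PAP password is hidden with the shared secret only, so a server holding a different secret recovers garbage and can only report "bad password", never "wrong secret". The Python below is an added illustration of that mechanism, not code from the post or from Cisco; the secret, user name and NAS address are constructed placeholders.

```python
import hashlib
import os
import struct

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    # RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with MD5(secret +
    # previous ciphertext block); the first "previous block" is the Request Authenticator.
    pad = -len(password) % 16 or (16 if not password else 0)
    padded = password + b"\x00" * pad
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(user, password, secret, nas_ip, nas_port, ident=1, authenticator=None):
    # The attributes the IAS log shows: User-Name(1), User-Password(2), NAS-IP-Address(4),
    # NAS-Port(5). No Message-Authenticator, so nothing proves the sender knows the secret.
    auth = authenticator or os.urandom(16)
    attrs = bytes([1, 2 + len(user)]) + user
    hidden = hide_password(password, secret, auth)
    attrs += bytes([2, 2 + len(hidden)]) + hidden
    attrs += bytes([4, 6]) + bytes(int(o) for o in nas_ip.split("."))
    attrs += bytes([5, 6]) + struct.pack(">I", nas_port)
    return struct.pack(">BBH", 1, ident, 20 + len(attrs)) + auth + attrs

def server_decision(packet, secret, user_db):
    # Server-side view: decode with *our* copy of the secret and compare. A mismatched
    # secret decodes to garbage, so the only reportable outcome is "bad password".
    auth, pos, attrs = packet[4:20], 20, {}
    while pos < len(packet):
        t, l = packet[pos], packet[pos + 1]
        attrs[t] = packet[pos + 2:pos + l]
        pos += l
    user = attrs.get(1, b"")
    pw = unhide_password(attrs.get(2, b""), secret, auth)
    if user in user_db and user_db[user] == pw:
        return "Access-Accept"
    return "Access-Reject: unknown user name or bad password"
```

Running server_decision on the same packet with the right and with a wrong secret gives Access-Accept and the Reason-Code-16-style reject respectively, which is why a shared-secret mismatch is worth ruling out when the user name and password are known to be correct.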

1 Reply

jjkruege
Level 1

Recently I found that I could not use PIX RADIUS to authenticate with IAS until I enabled the EAP checkbox with MD5 on the IAS profile. I also found that I had to uncheck the forceful checking of the shared key to get it to work. I was unable to successfully authenticate until I did this.

If you find a better way than that please let me know!

Thanks,

Josh