10-30-2001 04:59 AM - edited 02-21-2020 09:57 AM
Hi.
I'm having problems with getting VPN access to work with my PIX 520 and a Windows 2000 IAS server.
Setup:
PIX:
Cisco 520 PIX with 6.0.1 software & VPN-DES
some of the PIX conf:
access-list acl_vpn2dmz permit ip [my_internal_network] [netmask] 10.2.2.0 255.255.255.0
ip local pool mypool 10.2.2.1-10.2.2.254
nat (dmz) 0 access-list acl_vpn2dmz
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server partnerauth protocol tacacs+
aaa-server Auth4VPN protocol radius
aaa-server Auth4VPN (inside) host [my_w2k_server] [my_secret_shared_key] timeout 5
crypto ipsec transform-set transsetdyn esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set transsetdyn
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap client authentication Auth4VPN
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup myvpngroup address-pool mypool
vpngroup myvpngroup dns-server 192.168.1.2
vpngroup myvpngroup wins-server 192.168.1.3
vpngroup myvpngroup default-domain mydomain.dk
vpngroup myvpngroup idle-time 1800
vpngroup myvpngroup password ********
IAS server:
Windows 2000 Server SP2+hotfixes
Under clients:
a client with the ip-number of my PIX, with "Client-Vendor" set to "Cisco" and "Shared secret" to [my_secret_shared_key]
Under Remote Access Policies:
A policy with the "Windows-Groups" and "Grant remote access permission". Under Edit Profile->Authentication I have added "Unencrypted Authentication (PAP, SPAP)".
Now here's the problem:
When I use the Cisco VPN Client (version 3.1) and connect to the PIX and type in the userid and password from my Windows NT domain, the authentication fails.
The Windows NT event log says:
--- first entry ---
Event Type: Information
Event Source: IAS
Event Category: None
Event ID: 1
Date: 30-10-2001
Time: 12:49:16
User: N/A
Computer: [my_ias_server]
Description:
User MYUSER was granted access.
Fully-Qualified-User-Name = MYDOM\MYUSER
NAS-IP-Address = [ip-adr-of-my-pix]
NAS-Identifier = <not present>
Client-Friendly-Name = pixfirewall
Client-IP-Address = [ip-adr-of-my-pix]
NAS-Port-Type = <not present>
NAS-Port = 5
Policy-Name = [my_policy]
Authentication-Type = PAP
EAP-Type = <undetermined>
--- second entry ---
Event Type: Warning
Event Source: IAS
Event Category: None
Event ID: 2
Date: 30-10-2001
Time: 12:49:16
User: N/A
Computer: [my_ias_server]
Description:
User MYUSER was denied access.
Fully-Qualified-User-Name = MYDOM\MYUSER
NAS-IP-Address = [ip-adr-of-my-pix]
NAS-Identifier = <not present>
Called-Station-Identifier = <not present>
Calling-Station-Identifier = <not present>
Client-Friendly-Name = pixfirewall
Client-IP-Address = [ip-adr-of-my-pix]
NAS-Port-Type = <not present>
NAS-Port = 5
Policy-Name = <undetermined>
Authentication-Type = <undetermined>
EAP-Type = <undetermined>
Reason-Code = 16
Reason = There was an authentication failure because of an unknown user name or a bad password.
---
What goes wrong?
It seems that the IAS gets something right and something wrong?
Please, any help would be great!
Best regards,
Bjarne Saltbaek, Tech. Support
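The two IAS entries quoted above are logged in the same second for the same user and NAS-Port: the first carries a matched Policy-Name and Authentication-Type = PAP, the second drops both to <undetermined> and reports Reason-Code 16 (unknown user name or bad password). The script below is an added example, not code from the post or from Cisco or Microsoft: it parses an IAS event dump in the format shown, pairs each "granted" entry with the "denied" entry for the same request, and lists which attributes were resolved at the grant but undetermined at the denial. The sample log is constructed from the post with the bracketed placeholders replaced by documentation addresses and made-up names.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the two IAS entries quoted in the post above.
# Placeholders from the post are replaced with a documentation address (192.0.2.1)
# and made-up names; this is not the poster's raw event log.
SAMPLE_IAS_EVENTS = r"""
--- first entry ---
Event Type: Information
Event Source: IAS
Event ID: 1
Date: 30-10-2001
Time: 12:49:16
Computer: IAS01
Description:
User MYUSER was granted access.
Fully-Qualified-User-Name = MYDOM\MYUSER
NAS-IP-Address = 192.0.2.1
Client-Friendly-Name = pixfirewall
NAS-Port = 5
Policy-Name = VPN-Users
Authentication-Type = PAP
EAP-Type = <undetermined>
--- second entry ---
Event Type: Warning
Event Source: IAS
Event ID: 2
Date: 30-10-2001
Time: 12:49:16
Computer: IAS01
Description:
User MYUSER was denied access.
Fully-Qualified-User-Name = MYDOM\MYUSER
NAS-IP-Address = 192.0.2.1
Client-Friendly-Name = pixfirewall
NAS-Port = 5
Policy-Name = <undetermined>
Authentication-Type = <undetermined>
EAP-Type = <undetermined>
Reason-Code = 16
Reason = There was an authentication failure because of an unknown user name or a bad password.
---
"""

# Values IAS prints when an attribute was not resolved for the request.
UNSET = ("<undetermined>", "<not present>")


def parse_ias_events(text):
    """Split an IAS event dump on '---' separator lines and return one dict per entry.

    Header lines use 'Key: value', RADIUS attributes use 'Key = value'; the
    'User X was granted/denied access.' description line becomes 'Outcome'.
    """
    events = []
    for chunk in re.split(r"^---.*$", text, flags=re.MULTILINE):
        entry = {}
        for line in chunk.splitlines():
            line = line.strip()
            if not line or line == "Description:":
                continue
            m = re.match(r"User (\S+) was (granted|denied) access\.", line)
            if m:
                entry["Outcome"] = m.group(2)
                continue
            if " = " in line:
                key, value = line.split(" = ", 1)
            elif ": " in line:
                key, value = line.split(": ", 1)
            else:
                continue
            entry[key.strip()] = value.strip()
        if entry:
            events.append(entry)
    return events


def find_grant_then_deny(events):
    """Pair 'granted' and 'denied' entries for the same user, NAS, port and second.

    For each pair, list the attributes the grant resolved but the denial left
    undetermined; together with Reason-Code this shows how far the request got
    (here: remote access policy matched, then the credential check failed).
    """
    by_request = defaultdict(list)
    for e in events:
        key = tuple(e.get(k) for k in
                    ("Fully-Qualified-User-Name", "NAS-IP-Address", "NAS-Port", "Date", "Time"))
        by_request[key].append(e)

    findings = []
    for key, group in by_request.items():
        granted = [e for e in group if e.get("Outcome") == "granted"]
        denied = [e for e in group if e.get("Outcome") == "denied"]
        if not (granted and denied):
            continue
        g, d = granted[0], denied[0]
        lost = sorted(a for a, v in g.items()
                      if v not in UNSET and d.get(a, UNSET[0]) in UNSET)
        findings.append({
            "user": key[0], "nas": key[1], "nas_port": key[2], "time": f"{key[3]} {key[4]}",
            "reason_code": d.get("Reason-Code"), "reason": d.get("Reason"),
            "lost_attributes": lost,
        })
    return findings


if __name__ == "__main__":
    for f in find_grant_then_deny(parse_ias_events(SAMPLE_IAS_EVENTS)):
        print(f"{f['time']} {f['user']} via {f['nas']} port {f['nas_port']}: "
              f"granted, then denied with Reason-Code {f['reason_code']}")
        print("  resolved at grant but undetermined at denial:", ", ".join(f["lost_attributes"]))
```

On the sample, the pairing reports Policy-Name and Authentication-Type as lost between the two entries with Reason-Code 16, which separates "the policy did not match" (it did) from "the credentials did not verify" before anyone starts changing the PIX side.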
11-01-2001 11:02 AM
Recently I found that I could not use PIX RADIUS to authenticate with IAS until I enabled the EAP checkbox with MD5 on the IAS profile. I also found that I had to uncheck the forceful checking of the shared key to get it to work. I was unable to successfully authenticate until I did this.
If you find a better way than that please let me know!
Thanks,
Josh
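Both posts turn on the PAP profile setting and the shared secret configured on the PIX (`aaa-server Auth4VPN (inside) host ... [my_secret_shared_key]`) and on the IAS client entry. As background on why those two things are coupled, the following is an added example of the RFC 2865 section 5.2 User-Password hiding that a NAS applies to a PAP Access-Request; it is not code from the thread or from Cisco or Microsoft, all values are constructed, and it does not claim to be the cause of the poster's failure (Reason-Code 16 equally covers a genuinely wrong password or unknown account). It builds a minimal Access-Request the way a NAS would, then plays the server side with the matching secret and with a different one.

```python
import hashlib
import os
import socket
import struct

# Added illustration of RFC 2865 section 5.2 (User-Password hiding) with constructed
# values; not code from the thread and not a diagnosis of the poster's setup.

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5


def hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """NAS side: pad to a 16-byte multiple, then XOR each block with
    MD5(secret + previous block), seeded with the 16-byte Request Authenticator."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Server side: the inverse of hide_password, computed with the SERVER's copy of
    the secret. A different secret gives a different MD5 keystream, so the result
    is garbage rather than the password the user typed."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out += bytes(c ^ b for c, b in zip(chunk, block))
        prev = chunk
    return out.rstrip(b"\x00")


def _attr(atype: int, value: bytes) -> bytes:
    # RADIUS attribute: Type (1), Length (1, includes these two bytes), Value
    return struct.pack("!BB", atype, 2 + len(value)) + value


def build_access_request(user: str, password: str, secret: bytes, nas_ip: str,
                         nas_port: int, identifier: int, authenticator: bytes = None) -> bytes:
    """Minimal PAP Access-Request as a NAS (the PIX's role here) would send it."""
    if authenticator is None:
        authenticator = os.urandom(16)  # Request Authenticator is random per request
    attrs = (_attr(USER_NAME, user.encode())
             + _attr(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + _attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + _attr(NAS_PORT, struct.pack("!I", nas_port)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_attributes(packet: bytes) -> dict:
    """Return {type: raw value} for the attribute list after the 20-byte header."""
    attrs, pos = {}, 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


def server_checks_password(packet: bytes, server_secret: bytes, expected_password: str) -> bool:
    """What the RADIUS server does for PAP: unhide User-Password with its own shared
    secret and compare it with the stored credential."""
    attrs = parse_attributes(packet)
    request_authenticator = packet[4:20]
    revealed = reveal_password(attrs[USER_PASSWORD], server_secret, request_authenticator)
    return revealed == expected_password.encode()


if __name__ == "__main__":
    pkt = build_access_request("MYUSER", "s3cret", b"sharedkey", "192.0.2.1", 5, identifier=7)
    print("secret matches on both ends:", server_checks_password(pkt, b"sharedkey", "s3cret"))
    print("server has a different secret:", server_checks_password(pkt, b"wrongkey", "s3cret"))
```

Two practical points follow from the construction. A NAS/server shared-secret mismatch is indistinguishable, from the server's log, from the user typing a wrong password, so the secret is worth re-entering on both sides before the account is blamed. And because PAP hides the password only with an MD5-derived XOR keystream under that secret, the RADIUS leg between the PIX's inside interface and the IAS host should run on a trusted segment; the user's VPN password is only as protected as the shared secret on that hop.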