07-03-2008 02:12 PM - edited 02-21-2020 10:21 AM
We connect to our ASA for VPN access and authenticate using IAS on a Win2k3 server. The VPN client successfully connects and can access the network, but 2 events are logged on the IAS server for every connection. Here is an example:
(granted access)
User DOMAIN\User was granted access.
Fully-Qualified-User-Name = FQDN/User Name
NAS-IP-Address = 1.2.3.4
NAS-Identifier = <not present>
Client-Friendly-Name = ASA
Client-IP-Address = 1.2.3.4
Calling-Station-Identifier = X.X.X.X
NAS-Port-Type = Virtual
NAS-Port = 69337088
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = ASA_VPN
Authentication-Type = MS-CHAPv2
EAP-Type = <undetermined>
(denied access)
User DOMAIN\User was denied access.
Fully-Qualified-User-Name = DOMAIN\coler
NAS-IP-Address = 1.2.3.4
NAS-Identifier = <not present>
Called-Station-Identifier = 1.2.3.5
Calling-Station-Identifier = X.X.X.X
Client-Friendly-Name = ASA
Client-IP-Address = 1.2.3.4
NAS-Port-Type = Virtual
NAS-Port = 69337088
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = <undetermined>
Authentication-Type = PAP
EAP-Type = <undetermined>
Reason-Code = 16
Reason = Authentication was not successful because an unknown user name or incorrect password was used.
Since I can connect and access the network, obviously the grant access is in effect; however, I would like to determine why I am getting the denied access messages. I removed PAP as an authentication method in the policy I am using and I am still receiving these messages. Is there something in the ASA I should be looking for that would specifically try to use PAP? It seems like I've tried everything I can find in various forums, but I must be missing something (probably obvious since I've been looking at this for a while).
Any help would be appreciated.
Thanks,
Nathan
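An added example, not part of either post: a small Python parser that splits IAS event text into records and reports every session that logged both a grant and a denial, with the Authentication-Type, Policy-Name and Reason-Code of each attempt side by side. The sample text is constructed from the two events quoted above, and grouping on user, NAS-IP-Address and NAS-Port is an assumption about how to pair the events.

```python
import re
from collections import defaultdict

# Constructed sample: the two events from the post, trimmed to the fields used here.
SAMPLE = """\
User DOMAIN\\User was granted access.
NAS-IP-Address = 1.2.3.4
NAS-Port = 69337088
Policy-Name = ASA_VPN
Authentication-Type = MS-CHAPv2
User DOMAIN\\User was denied access.
NAS-IP-Address = 1.2.3.4
NAS-Port = 69337088
Policy-Name = <undetermined>
Authentication-Type = PAP
Reason-Code = 16
"""

HEADER = re.compile(r"^User (?P<user>\S+) was (?P<result>granted|denied) access\.$")
FIELD = re.compile(r"^(?P<key>[A-Za-z-]+) = (?P<value>.*)$")

def parse_events(text):
    """Return one dict per 'User ... was granted/denied access.' block."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:  # a header line starts a new event record
            events.append({"User": m["user"], "Result": m["result"]})
            continue
        m = FIELD.match(line)
        if m and events:  # attribute lines belong to the most recent header
            events[-1][m["key"]] = m["value"]
    return events

def mixed_sessions(events):
    """Return (session_key, attempts) for sessions with both a grant and a denial."""
    sessions = defaultdict(list)
    for e in events:
        sessions[(e["User"], e.get("NAS-IP-Address"), e.get("NAS-Port"))].append(e)
    findings = []
    for key, evs in sessions.items():
        if {e["Result"] for e in evs} == {"granted", "denied"}:
            findings.append((key, [(e["Result"], e.get("Authentication-Type"),
                                    e.get("Policy-Name"), e.get("Reason-Code")) for e in evs]))
    return findings
```

Calling `mixed_sessions(parse_events(text))` on an export of the IAS events lists each paired session, which makes it easy to see whether the denied attempt always arrives with a different authentication type than the granted one.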
07-09-2008 08:01 AM
The remote VPN Client user authenticates against the Active Directory using a Microsoft Windows 2003 Internet Authentication Service (IAS) RADIUS server.
Refer to the following URL for more info on authentication using IAS: