cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1379
Views
0
Helpful
2
Replies
Highlighted
Beginner

*** VPN3000 - Authentication rejected: Reason = Unspecified handle ***

Using Cisco VPN client 4.6.03.0021 on Windows XP SP2 to a Cisco VPN 3005 concentrator 4.7 release. Concentrator is not behind NAT, client is. We're using simple authentication with usernames/passwords via Active Directory/Kerberos.

Most of my users have no problem. Some users report persistent issues with establishing a connection. Concentrator logs "Authentication rejected: Reason = Unspecified handle" error messages but the users do enter the correct username and password, the username does exist in the Windows 2003 AD/Kerberos, and the authentication server is up and running and working fine at the same time for other users.

We started being more aware of this issue after the domain upgrade from 2000 to 2003 but I cannot positively correlate that that's exactly when the trouble began. So maybe that's an issue, maybe not.

Probably unrelated but I'll throw it in as well: Whatever combination of authentication servers I specify on the concentrator, its config file shows lots of stale entries that simply seem to get pushed down in priority - what's up with that? If I delete a server from the list then I want it gone from the config file... what's there not to understand, dear Cisco development engineer?

;-)

Anyway, any help would be greatly appreciated. Once upon a time there even was a TAC case open (601099658) but the responses were extremely sluggish and didn't help at all.

Thanks a lot...

- Matthias.

2 REPLIES 2
Frequent Contributor

Re: *** VPN3000 - Authentication rejected: Reason = Unspecified

Here is a document for Configuring the Cisco VPN 3000 Concentrator with MS RADIUS.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a0080094700.shtml

Beginner

Re: *** VPN3000 - Authentication rejected: Reason = Unspecified

Thanks but we would like the concentrator to authenticate directly against the Windows AD/Kerberos without the additional layer of having to configure and maintain a RADIUS server.