11-01-2005 09:39 AM
I have set up IAS on Server 2003 to authenticate users. I believe I have everything set up correctly except for the authentication type used by the 3005, and I'm stuck. It appears the 3005 is using PAP to try and authenticate with IAS. I get the following error when using the Test function (of the authentication RADIUS server) and when actually trying to connect to the 3005 with the IPSEC client.
User Tim was denied access.
...
NAS-Port Type=Virtual
NAS-Port=1056
Proxy-Policy-Name=Use Windows authentication for all users
Authentication Provider=Windows
Authentication Server=<undetermined>
Policy-Name=Authenticate all VPN connections
Authentication-Type=PAP
EAP-Type=<undetermined>
Reason-Code=66
Reason=The user attempted to use an authentication method that is not enabled on the matching remote access policy.
To test, I go ahead and enable PAP authentication on the IAS Remote Access Policy and on the RRAS Remote Access Policy. With that done I can connect with no problem and see an IAS event attesting to the authentication. If I disable PAP on either the IAS or RRAS policy I get the same error as above. So, it looks like the 3005 is using PAP to authenticate to the IAS server.
I can't for the life of me figure out how to use MSCHAP2. When I look at the properties of the Base Group AND the Test Group, the only place to configure type of authentication is on the PPTP/L2TP tab and that's not for IPSEC. Nevertheless, the only method checked there is MSCHAP-2.
I'm pretty sure everything is set up correctly because if I use an incorrect password or try to connect when dial-up is disabled in AD, I get a legitimate event telling me I've used a bad password or RA is disabled on the account. I know IAS is properly querying AD.
Can anyone tell me what I'm doing wrong? How do I get the 3005 to use MSCHAP-2 when querying IAS server?
11-04-2005 02:18 AM
Don't worry about this too much. The Concentrator probably uses the 02 User-Password RADIUS attribute instead of 03 Chap-Password, but the password itself isn't sent in the clear. It is hashed by the RADIUS shared secret. If you need an MS-CHAP exchange between the RADIUS server and the concentrator, try configuring Authentication = RADIUS with Expiry on the IPSec tab of the Modify Group screen. I didn't test it, but I'm pretty sure that the Expiry feature requires an MS-CHAP exchange to take place. Please drop a message if you succeed.
Regards,
Oleg Tipisov,
REDCENTER
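To make the "02 User-Password versus 03 Chap-Password" point in the reply above concrete, here is an added example (written for this thread; it is not code from the poster, Cisco or Microsoft). It implements the RFC 2865 section 5.2 treatment of the User-Password attribute, which is what a PAP request over RADIUS actually carries: the password is padded to 16-octet blocks and XORed with an MD5 keystream derived from the shared secret and the packet's Request Authenticator, so it is not sent in the clear but its confidentiality rests entirely on the shared secret. It also walks a RADIUS attribute list and reports which proof-of-password attribute is present, the same distinction IAS logs as Authentication-Type (PAP, CHAP, EAP, or MS-CHAP-v2 carried as a Microsoft vendor-specific attribute per RFC 2548). The shared secret, Request Authenticator and password are constructed values for the demonstration.

```python
"""Added example: how a RADIUS Access-Request carries a PAP password (RFC 2865 5.2)
and how to tell PAP, CHAP, EAP and MS-CHAP-v2 requests apart by attribute type."""
import hashlib
import struct

# RFC 2865 attribute types named in the thread, plus the ones IAS distinguishes.
USER_PASSWORD = 2        # PAP-style password, obfuscated as below
CHAP_PASSWORD = 3        # CHAP response
VENDOR_SPECIFIC = 26     # container for vendor attributes (e.g. MS-CHAP-v2, RFC 2548)
EAP_MESSAGE = 79         # RFC 2869
MICROSOFT_VENDOR_ID = 311
MS_CHAP2_RESPONSE = 25   # RFC 2548 vendor sub-type


def _xor16(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encode_user_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Obfuscate a PAP password for the User-Password attribute (RFC 2865 5.2)."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("password length must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = request_authenticator            # b1 = MD5(S + RA)
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = _xor16(padded[i:i + 16], keystream)
        out += block
        prev = block                         # b_n = MD5(S + c_{n-1})
    return bytes(out)


def decode_user_password(encoded: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Reverse of encode_user_password, as the RADIUS server does on receipt."""
    if not encoded or len(encoded) % 16:
        raise ValueError("encoded User-Password must be a non-empty multiple of 16 octets")
    out = bytearray()
    prev = request_authenticator
    for i in range(0, len(encoded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += _xor16(encoded[i:i + 16], keystream)
        prev = encoded[i:i + 16]
    # RFC 2865 pads with NUL octets, so trailing NULs are padding, not password.
    return bytes(out).rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one Type-Length-Value RADIUS attribute (length covers the 2-byte header)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(blob: bytes):
    """Yield (type, value) pairs from a concatenated attribute list, rejecting bad lengths."""
    pos = 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = struct.unpack("!BB", blob[pos:pos + 2])
        if length < 2 or pos + length > len(blob):
            raise ValueError("bad attribute length")
        yield attr_type, blob[pos + 2:pos + length]
        pos += length


def authentication_type(blob: bytes) -> str:
    """Report which proof-of-password attribute the request carries."""
    types = set()
    for attr_type, value in parse_attributes(blob):
        types.add(attr_type)
        if attr_type == VENDOR_SPECIFIC and len(value) >= 6:
            vendor_id = struct.unpack("!I", value[:4])[0]
            if vendor_id == MICROSOFT_VENDOR_ID and value[4] == MS_CHAP2_RESPONSE:
                return "MS-CHAP-v2"
    if EAP_MESSAGE in types:
        return "EAP"
    if CHAP_PASSWORD in types:
        return "CHAP"
    if USER_PASSWORD in types:
        return "PAP"
    return "unknown"


def demo() -> dict:
    """Build a PAP-style request like the Concentrator's and decode it server-side."""
    secret = b"constructed-shared-secret"      # constructed, not a real secret
    request_authenticator = bytes(range(16))   # constructed; a real one is random
    password = b"correct horse battery staple"  # constructed sample password
    encoded = encode_user_password(password, secret, request_authenticator)
    blob = attribute(1, b"Tim") + attribute(USER_PASSWORD, encoded)   # 1 = User-Name
    return {
        "auth_type": authentication_type(blob),
        "encoded_len": len(encoded),
        "recovered": decode_user_password(encoded, secret, request_authenticator),
    }


if __name__ == "__main__":
    print(demo())
```

Running the block shows that the 28-octet sample password is carried as two 16-octet obfuscated blocks and only decodes correctly with the right shared secret, which is why the reply treats attribute 02 as acceptable while still preferring an MS-CHAP exchange where the policy calls for it.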
11-04-2005 01:04 PM
Thanks much. Indeed, changing to RADIUS w/Expiry does result in an MSCHAP-v2 authentication. Cheers...