VPN 3005 auth problems with active directory

bobbydodds00
Level 1

A while ago we installed a Cisco 3005 VPN Concentrator alongside twin PIX 515e failover firewalls. Our remote users are using Cisco VPN Client which authenticates via the 3005 to Active Directory. We are experiencing increasing problems with users failing to log in via the VPN client (the VPN login screen reappears very quickly after entering username and password). The really strange thing is that if I remove the user from one or more security groups within Active Directory then the login is subsequently successful. The groups in question are also arbitrary; the problem is not linked to specific groups. We do not experience any Active Directory authentication failures in local (non-VPN) circumstances. The logs on the 3005 do not provide much information other than the following log entries:

32097 05/24/2005 16:55:36.620 SEV=3 AUTH/5 RPT=1611 80.229.179.16

Authentication rejected: Reason = Unspecified

handle = 375, server = 194.33.17.30, user = grahams, domain = <not specified>

I hope you can be of some assistance.

Regards

Bob
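To triage rejections like the one quoted above, it helps to parse the 3005 event format (header line, then the "Authentication rejected" line, then the handle/server/user/domain line) and count failures per user and per AD server, so you can see whether they follow one account or one domain controller. This is an added example, not code from the original post or from Cisco; the log text below is constructed from the entry format shown in the post, with a second user ("jdoe") added as sample data.

```python
import re
from collections import Counter

# Constructed sample in the VPN 3000 syslog layout quoted in the post.
SAMPLE_LOG = """\
32097 05/24/2005 16:55:36.620 SEV=3 AUTH/5 RPT=1611 80.229.179.16
Authentication rejected: Reason = Unspecified
handle = 375, server = 194.33.17.30, user = grahams, domain = <not specified>
32101 05/24/2005 16:57:02.110 SEV=3 AUTH/5 RPT=1612 80.229.179.16
Authentication rejected: Reason = Unspecified
handle = 376, server = 194.33.17.30, user = grahams, domain = <not specified>
32110 05/24/2005 17:01:15.004 SEV=3 AUTH/5 RPT=1613 80.229.179.16
Authentication rejected: Reason = Unspecified
handle = 377, server = 194.33.17.30, user = jdoe, domain = <not specified>
"""

# Header: sequence, date, time, severity, class/event id, repeat count, peer IP.
HEADER_RE = re.compile(
    r"^(?P<seq>\d+) (?P<date>\d{2}/\d{2}/\d{4}) (?P<time>[\d:.]+) "
    r"SEV=(?P<sev>\d+) (?P<cls>[A-Z]+)/(?P<ev>\d+) RPT=(?P<rpt>\d+)(?: (?P<peer>\S+))?$"
)
REJECT_RE = re.compile(r"^Authentication rejected: Reason = (?P<reason>.+)$")
DETAIL_RE = re.compile(
    r"^handle = (?P<handle>\d+), server = (?P<server>\S+), "
    r"user = (?P<user>\S+), domain = (?P<domain>.+)$"
)

def parse_events(text):
    """Group header and detail lines into one dict per 3005 event."""
    events, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = m.groupdict()
            events.append(current)
            continue
        if current is None:
            continue  # detail line with no header yet; skip it
        m = REJECT_RE.match(line) or DETAIL_RE.match(line)
        if m:
            current.update(m.groupdict())
    return events

def rejection_summary(events):
    """Count rejections per (user, AD server) to spot clustering."""
    return Counter((e["user"], e["server"]) for e in events if "reason" in e)

if __name__ == "__main__":
    for key, n in rejection_summary(parse_events(SAMPLE_LOG)).items():
        print(key, n)
```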

3 Replies

ehirsel
Level 6

At the time of the error, are there any relevant AD log messages? Maybe one of the groups that the user is in does not allow logins from certain IP addresses, which may explain why local (non-VPN) logins are successful. You may need to do some debug/tracing on the MS AD side to get better log messages.

Let me know what you find.

There are no restrictions at group level. A user can authenticate via VPN one minute, then when I add them to another group they can't authenticate (although the new group works fine for other users, and also works for this user if I remove some other groups). I don't see anything in the event logs. I'll try and set some auditing on to get more info.

Regards

Bob

The VPN 3000 series login to Active Directory (Kerberos) really doesn't work. It has never worked on my production AD domains, just my test domain. It's not very easy to figure out what is going on.

I think Cisco dropped the ball on this. Why isn't there any good documentation on their site about 3000 to AD login?

I found a workaround: use NT Domain with your AD domain controllers. It will use NTLM as the authentication method... this works even with "native" MS AD domains... FYI