Win 2003, PIX and RADIUS for VPN Auth.
Phil T. 2005-02-03, 5:52 pm
I have seen posts related to this but not exactly what I need to know, so I
will post my question in hopes this will help many.
I have a PIX 515e and I want to first be able to use IAS (RADIUS) to
authenticate VPN users to AD. I have seen only one TID on this
http://www.cisco.com/warp/public/11...tml#config-2003
and I have followed it verbatim without results. I can test from a
workstation and laptop I have set up with outside access. At first it was a
logging issue which I quickly fixed by configuring the log file in IAS. With
this problem gone I tried to access the network via VPN only to receive the
following errors:
User ptancreti was denied access.
Fully-Qualified-User-Name = DOMAIN\vpnuser
NAS-IP-Address = 192.168.1.1
NAS-Identifier = <not present>
Called-Station-Identifier = <not present>
Calling-Station-Identifier = (PUBLIC ADDRESS)
Client-Friendly-Name = PIXVPN
Client-IP-Address = 192.168.1.1
NAS-Port-Type = <not present>
NAS-Port = 24
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = <undetermined>
Authentication-Type = PAP
EAP-Type = <undetermined>
Reason-Code = 48
Reason = The connection attempt did not match any remote access policy.
I assume this means my access policy is wrong but I can't figure out why. I
figure there is communication between the PIX and the IAS server because the
events are posted immediately after attempting to connect via the VPN client. My
config is as follows:
In IAS-
RADIUS Client;
Friendly Name=PIX
IP Address=PIX Interface connected to IAS network
Client-Vendor=RADIUS Standard
Message Authenticator attribute is unchecked
Remote Access Policy;
Name=VPN ACCESS
Policy Condition=NAS-Port-Type matches "Virtual(VPN)"
Grant remote access permission
Edit Profile;
no dial-in constraints
server settings determine ip assignment
server settings determine Multilink usage
unencrypted authentication (PAP, SPAP)
encryption=no encryption
attributes= Framed-protocol | RADIUS Std | PPP
attributes=Service-type | RADIUS Std | Framed
If you need any more info to help with this problem please let me know; I will
be watching this post closely. I hope this makes sense. Like I said, I followed
the Cisco article verbatim; the only difference (and knowing my luck this is
the problem) is that I have the 4.x Cisco VPN client software.
Again TIA
Phil T.
Mark Gamache 2005-02-03, 5:52 pm
The log file shows your NAS port type is not present, but you are requiring
it to match "Virtual(VPN)".
You might consider removing that constraint and picking a different one that
can be matched. Also check your NAS to see if you can force it to send a
type.
Cheers,
--
Mark Gamache
Certified Security Solutions
http://www.css-security.com
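Added example, not from the thread or from Microsoft or Cisco: a small Python model of how IAS decides whether one Access-Request matches a remote access policy, run over the denied-access event text Phil posted. It parses the event, treats attributes logged as <not present> or <undetermined> as absent, and shows why the NAS-Port-Type condition can never match a request that does not carry that attribute (Reason-Code 48), while Mark's two alternatives do: a condition on attributes IAS fills in from its own RADIUS client entry (Client-Friendly-Name, Client-IP-Address), or the NAS being made to send NAS-Port-Type. Assumptions: 203.0.113.7 stands in for the public address, the "Virtual (VPN)" label string is how IAS renders NAS-Port-Type code 5 (the RFC 2865 Virtual value), and the condition and policy names are taken from the post.

```python
"""Added example, not part of the thread: a minimal model of how IAS decides
whether an Access-Request matches a remote access policy, run against the
denied-access event text from the post.  Assumptions: attribute values are
the strings IAS writes to its event log, the public Calling-Station address
is a placeholder, and the rendering of a present NAS-Port-Type is guessed."""
import re
from typing import Optional

# IANA NAS-Port-Type code for Virtual (RFC 2865 section 5.41); IAS labels it "Virtual (VPN)".
NAS_PORT_TYPE_VIRTUAL = 5

# Constructed copy of the event in the post (203.0.113.7 stands in for the public address).
DENIED_EVENT = """\
User ptancreti was denied access.
Fully-Qualified-User-Name = DOMAIN\\vpnuser
NAS-IP-Address = 192.168.1.1
NAS-Identifier = <not present>
Called-Station-Identifier = <not present>
Calling-Station-Identifier = 203.0.113.7
Client-Friendly-Name = PIXVPN
Client-IP-Address = 192.168.1.1
NAS-Port-Type = <not present>
NAS-Port = 24
Authentication-Type = PAP
Reason-Code = 48
Reason = The connection attempt did not match any remote access policy.
"""

# Policy as configured in the post: one condition, on an attribute the PIX never sends.
ORIGINAL_POLICIES = [
    ("VPN ACCESS", [("NAS-Port-Type", r"Virtual.*")]),
]

# Mark's suggestion: condition on attributes IAS fills in from its own RADIUS
# client entry for the sending NAS, which are present on every request from it.
FIXED_POLICIES = [
    ("VPN ACCESS", [("Client-Friendly-Name", r"PIXVPN"),
                    ("Client-IP-Address", r"192\.168\.1\.1")]),
]


def parse_ias_event(text: str) -> dict:
    """Turn an IAS 'denied access' event into {attribute: value}.

    Attributes logged as <not present> or <undetermined> are left out of the
    dict, because that is what they are from the policy engine's point of view.
    """
    attrs = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z-]+)\s*=\s*(.*?)\s*$", line)
        if not m:
            continue
        name, value = m.groups()
        if value in ("<not present>", "<undetermined>"):
            continue
        attrs[name] = value
    return attrs


def condition_matches(attrs: dict, attribute: str, pattern: str) -> bool:
    """A condition on an attribute that is absent from the request never matches."""
    value = attrs.get(attribute)
    return value is not None and re.fullmatch(pattern, value) is not None


def absent_condition_attributes(attrs: dict, conditions) -> list:
    """Condition attributes the request does not carry: the usual cause of Reason-Code 48."""
    return [a for a, _ in conditions if a not in attrs]


def first_matching_policy(attrs: dict, policies) -> Optional[str]:
    """Policies are tried in order; the first whose conditions all match wins, else None."""
    for name, conditions in policies:
        if all(condition_matches(attrs, a, p) for a, p in conditions):
            return name
    return None


def with_nas_port_type(attrs: dict, code: int = NAS_PORT_TYPE_VIRTUAL) -> dict:
    """The same request if the NAS could be made to send NAS-Port-Type (label rendering assumed)."""
    labels = {0: "Async", 5: "Virtual (VPN)", 15: "Ethernet"}
    out = dict(attrs)
    out["NAS-Port-Type"] = labels.get(code, str(code))
    return out


if __name__ == "__main__":
    req = parse_ias_event(DENIED_EVENT)
    print("original policy ->", first_matching_policy(req, ORIGINAL_POLICIES),
          "absent:", absent_condition_attributes(req, ORIGINAL_POLICIES[0][1]))
    print("fixed policy    ->", first_matching_policy(req, FIXED_POLICIES))
    print("NAS sends type  ->", first_matching_policy(with_nas_port_type(req), ORIGINAL_POLICIES))
```

The policy match is only the first gate: once a policy is selected, IAS still applies the user's remote access permission and the policy profile (here PAP must be allowed, as in the posted profile), so a request can match and still be rejected for a different reason code. The check to run when you see Reason-Code 48 is the one `absent_condition_attributes` performs: list every attribute your conditions reference and confirm each one actually appears in the logged request.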