Web Server forum

    IAS to authenticate cisco VPN traffic  
buhlig




 
01-14-05 10:51 PM

I just closed a TAC with Cisco about this issue and they are pointing to the
IAS server as the problem... I tend to have to agree with them due to the
nature of this issue.

I have a Cisco router configured with a group VPN key, and an IAS server
configured to handle authentication.  I created a client within IAS called
CiscoRouter with the correct shared secret and I have set the Client Vendor
as both Cisco and I have tried Radius Standard.  I have checked the box about
Request must contain Message Authenticator attribute.  (I will mention the
oddities of this further down).

I have a policy in place called VPNAccessPolicy which policy conditions are
NAS-Port-Type matches Virtual(VPN) AND Windows-Groups Matches
domainname\Groupname.
Within this profile, under authentication and encryption, I have tried
multiple settings of the check boxes.

Here is what happens: I execute the Cisco IPSEC client, it passes the shared
secret, then it prompts for authentication.  I enter in a bogus username and
password... it authenticates me.... I can even log in as Username: T
password: T and it lets me in.. I assure you that this account is not set up
on my network....  When I go to the logs to see what is going on, the IAS
logs show who's logging on when, which policy they are using etc...  Now this
is all great.. it tells me the router and the IAS server ARE communicating..
but doesn't explain why I'm only getting the logging and not the
authentication.

Now for the odd part I mentioned earlier.. if I enable the Request must
contain the Message Authenticator attribute in the radius client, I am unable
to authenticate with bogus or valid information....

Any help would be great on this because after a few weeks of troubleshooting
I am about to lose my mind....

TIA

Ben









    Re: IAS to authenticate cisco VPN traffic  
Mudit Goel [MSFT]




 
01-21-05 10:52 PM

Can you please attach the snippet of iassam.log where it shows it
communicating with the client? You can enable tracing by typing:
netsh ras set tracing iassam enabled
on a console window.

Thanks
Mudit

--
 __________________________________________________________
This posting is provided "AS IS" with no warranties, and confers no rights.
 __________________________________________________________

    Re: IAS to authenticate cisco VPN traffic  
buhlig




 
01-24-05 10:52 PM

I ran the netsh ras set tracing iassam enabled, and logged in with bogus
information and normal information but nothing populated the log file...

In the IAS log file I still see the normal log details as follows..

192.168.100.1,bogusinfo,01/24/2005,11:52:45,IAS,VPIFS1,31,<removed>,61,5,4,192.168.100.1,4108,192.168.100.1,4116,9,4128,CiscoRouter,4155,0,25,311 1 192.168.100.6 01/04/2005 15:20:25 231,4136,1,4142,0
192.168.100.1,bogusinfo,01/24/2005,11:52:45,IAS,VPIFS1,25,311 1 192.168.100.6 01/04/2005 15:20:25 231,4154,Use Windows authentication for all users,4155,0,4128,CiscoRouter,4116,9,4108,192.168.100.1,4136,2,4142,0

I will follow up with any information that I get in the iassam.log file..

Thanks,

Ben





[ Post a follow-up to this message ]
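The records posted above can be checked mechanically. This added example (not written by anyone in the thread) parses IAS-format log lines and reports Access-Accept records where Provider-Type is 0 or no Authentication-Type was logged, meaning the server accepted the request without validating credentials. The attribute meanings (4136 Packet-Type, 4155 Provider-Type, 4127 Authentication-Type, 4154 Proxy-Policy-Name, 4128 Client-Friendly-Name) are assumed from Microsoft's IAS-format log layout; the sample input is constructed from the post's two records plus two invented ones.

```python
# Added example (not from the thread): flag IAS-format log records where an
# Access-Accept was issued although no authentication provider ran.
HEADER = ("nas_ip", "user", "date", "time", "service", "computer")

# Attribute IDs per the IAS-format log layout (assumed subset, verify locally).
PACKET_TYPE = "4136"    # 1 Access-Request, 2 Access-Accept, 3 Access-Reject
PROVIDER_TYPE = "4155"  # 0 none, 1 Windows, 2 RADIUS proxy
AUTH_TYPE = "4127"      # logged only when an authentication method was used
PROXY_POLICY = "4154"   # connection request policy that matched
CLIENT_NAME = "4128"    # RADIUS client friendly name

# Constructed sample: records 1-2 are the post's lines with wraps rejoined;
# records 3-4 (alice, baduser) are invented for contrast.
SAMPLE_LOG = """\
192.168.100.1,bogusinfo,01/24/2005,11:52:45,IAS,VPIFS1,31,<removed>,61,5,4,192.168.100.1,4108,192.168.100.1,4116,9,4128,CiscoRouter,4155,0,25,311 1 192.168.100.6 01/04/2005 15:20:25 231,4136,1,4142,0
192.168.100.1,bogusinfo,01/24/2005,11:52:45,IAS,VPIFS1,25,311 1 192.168.100.6 01/04/2005 15:20:25 231,4154,Use Windows authentication for all users,4155,0,4128,CiscoRouter,4116,9,4108,192.168.100.1,4136,2,4142,0
192.168.100.1,alice,01/24/2005,11:55:02,IAS,VPIFS1,4128,CiscoRouter,4154,Use Windows authentication for all users,4155,1,4127,1,4136,2,4142,0
192.168.100.1,baduser,01/24/2005,11:56:40,IAS,VPIFS1,4128,CiscoRouter,4155,1,4127,1,4136,3,4142,16
"""


def parse_record(line):
    """Split one record into the six fixed fields plus id/value attribute pairs."""
    fields = line.strip().split(",")
    extra = len(fields) - len(HEADER)
    if extra < 0 or extra % 2:
        raise ValueError(f"malformed IAS record: {line[:40]!r}")
    record = dict(zip(HEADER, fields))
    rest = fields[len(HEADER):]
    record["attrs"] = dict(zip(rest[0::2], rest[1::2]))
    return record


def unauthenticated_accepts(log_text):
    """Return Access-Accept records issued without any credential validation."""
    findings = []
    for line in filter(str.strip, log_text.splitlines()):
        rec = parse_record(line)
        attrs = rec["attrs"]
        if attrs.get(PACKET_TYPE) != "2":
            continue  # only accepts are of interest here
        if attrs.get(PROVIDER_TYPE) == "0" or AUTH_TYPE not in attrs:
            findings.append({"user": rec["user"], "time": rec["time"],
                             "client": attrs.get(CLIENT_NAME),
                             "policy": attrs.get(PROXY_POLICY)})
    return findings


if __name__ == "__main__":
    for hit in unauthenticated_accepts(SAMPLE_LOG):
        print("accepted without authentication:", hit)
```

Run against a real log, any hit names the connection request policy and RADIUS client whose accepts bypassed credential checks, which is where to look in the IAS console.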


