Win 2003, PIX and RADIUS for VPN Auth.
Win 2003, PIX and RADIUS for VPN Auth.
Phil T.


02-03-05 10:52 PM

I have seen posts related to this but not exactly what I need to know, so I will post my question in hopes this will help many.

I have a PIX 515e and I want to first be able to use IAS (RADIUS) to authenticate VPN users to AD. I have seen only one TID on this,
http://www.cisco.com/warp/public/11...tml#config-2003
and I have followed it verbatim without results. I can test from a workstation and laptop I have set up with outside access. At first it was a logging issue, which I quickly fixed by configuring the log file in IAS. With this problem gone I tried to access the network via VPN, only to receive the following errors:

User ptancreti was denied access.
Fully-Qualified-User-Name = DOMAIN\vpnuser
NAS-IP-Address = 192.168.1.1
NAS-Identifier = <not present>
Called-Station-Identifier = <not present>
Calling-Station-Identifier = (PUBLIC ADDRESS)
Client-Friendly-Name = PIXVPN
Client-IP-Address = 192.168.1.1
NAS-Port-Type = <not present>
NAS-Port = 24
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = <undetermined>
Authentication-Type = PAP
EAP-Type = <undetermined>
Reason-Code = 48
Reason = The connection attempt did not match any remote access policy.

I assume this means my access policy is wrong, but I can't figure out why. I figure there is communication between the PIX and the IAS server because the events are posted immediately after attempting to connect via the VPN client. My config is as follows:

In IAS-
RADIUS Client;
Friendly Name=PIX
IP Address=PIX Interface connected to IAS network
Client-Vendor=RADIUS Standard
Message Authenticator attribute is unchecked

Remote Access Policy;
Name=VPN ACCESS
Policy Condition=NAS-Port-Type matches "Virtual(VPN)"
Grant remote access permission
Edit Profile;
no dial-in constraints
server settings determine ip assignment
server settings determine Multilink usage
unencrypted authentication (PAP, SPAP)
encryption=no encryption
attributes= Framed-protocol | RADIUS Std | PPP
attributes=Service-type | RADIUS Std | Framed

If you need any more info to help with this problem please let me know; I will be watching this post closely. I hope this makes sense. Like I said, I followed the Cisco article verbatim; the only difference (and knowing my luck this is the problem) is that I have the 4.x Cisco VPN client software.

Again TIA
Phil T.








Re: Win 2003, PIX and RADIUS for VPN Auth.
Mark Gamache


02-03-05 10:52 PM

The log file shows your NAS port type is not present, but you are requiring it to match "Virtual(VPN)".

You might consider removing that constraint and picking a different one that can be matched. Also check your NAS to see if you can force it to send a type.

Cheers,


--
Mark Gamache
Certified Security Solutions
http://www.css-security.com



"Phil T." <PhilT@discussions.microsoft.com> wrote in message
news:C139BA7C-37D8-400B-A917-F5100B85DA21@microsoft.com...
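To make the reply's diagnosis concrete, here is an added example (not code from the thread, from Cisco or from Microsoft) that parses the IAS event text posted in the question and evaluates remote access policies against it the way IAS's condition matching works: an attribute logged as "<not present>" was simply absent from the RADIUS Access-Request, so a policy condition on that attribute can never be satisfied and the request falls through to Reason-Code 48. The alternative policy keyed on Client-Friendly-Name is an assumption that follows the reply's advice to pick a condition that can be matched; the attribute names and the "PIXVPN" value come from the posted log, and the simplified evaluator ignores the other checks a real IAS does (dial-in permission, profile constraints) to focus on condition matching.

```python
import re

# Constructed sample: the attribute lines of the denied-access event as
# pasted in the thread (Reason-Code 48). IAS writes "<not present>" when
# the RADIUS Access-Request carried no such attribute.
IAS_EVENT = """\
Fully-Qualified-User-Name = DOMAIN\\vpnuser
NAS-IP-Address = 192.168.1.1
NAS-Identifier = <not present>
Called-Station-Identifier = <not present>
Calling-Station-Identifier = (PUBLIC ADDRESS)
Client-Friendly-Name = PIXVPN
Client-IP-Address = 192.168.1.1
NAS-Port-Type = <not present>
NAS-Port = 24
Authentication-Type = PAP
"""


def parse_ias_event(text):
    """Turn 'Attribute = value' lines into a dict.

    Attributes logged as <not present> or <undetermined> are dropped, so a
    later lookup sees exactly what the policy engine saw: nothing.
    """
    attrs = {}
    for line in text.splitlines():
        if " = " not in line:
            continue
        name, value = (part.strip() for part in line.split(" = ", 1))
        if value in ("<not present>", "<undetermined>"):
            continue
        attrs[name] = value
    return attrs


def policy_matches(policy, attrs):
    """True only if every condition matches an attribute that exists.

    A condition on an attribute the request did not carry can never be
    satisfied; that is the situation in the thread, where the policy
    requires NAS-Port-Type but the PIX sent none.
    """
    for attr, pattern in policy["conditions"].items():
        value = attrs.get(attr)
        if value is None or re.fullmatch(pattern, value) is None:
            return False
    return True


def evaluate(policies, attrs):
    """Apply the first policy (in order) whose conditions all match.

    Returns (policy_name, reason_code): 0 when a policy matched, 48 when
    none did, mirroring Reason-Code 48 in the IAS event.
    """
    for policy in policies:
        if policy_matches(policy, attrs):
            return policy["name"], 0
    return None, 48


# The policy exactly as described in the question: a single condition on
# NAS-Port-Type. Conditions are regexes here, so the parentheses are escaped.
POLICY_AS_POSTED = [
    {"name": "VPN ACCESS", "conditions": {"NAS-Port-Type": r"Virtual\(VPN\)"}},
]

# Assumed alternative following the reply's advice: key the policy on an
# attribute that IS in the request. Client-Friendly-Name comes from the IAS
# RADIUS-client entry ("PIXVPN" in the posted log), so it is always present.
POLICY_ALTERNATIVE = [
    {"name": "VPN ACCESS", "conditions": {"Client-Friendly-Name": r"PIXVPN"}},
]


def diagnose(event_text=IAS_EVENT):
    """Run both policies against the logged request and report the outcomes."""
    attrs = parse_ias_event(event_text)
    # Third case: what the posted policy would do if the NAS could be made
    # to send NAS-Port-Type (the reply's other suggestion).
    with_type = {**attrs, "NAS-Port-Type": "Virtual(VPN)"}
    return {
        "nas_port_type_present": "NAS-Port-Type" in attrs,
        "as_posted": evaluate(POLICY_AS_POSTED, attrs),
        "alternative": evaluate(POLICY_ALTERNATIVE, attrs),
        "with_nas_port_type": evaluate(POLICY_AS_POSTED, with_type),
    }


if __name__ == "__main__":
    for key, value in diagnose().items():
        print(f"{key}: {value}")
```

Running it shows the three outcomes side by side: the posted policy yields (None, 48) because NAS-Port-Type is absent, the same policy matches once the attribute is supplied, and the alternative condition matches the request as logged. The same parser can be pointed at other IAS denial events to check quickly which policy condition refers to an attribute the NAS never sends.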









