Hi folks,
I'm installing a Cisco ASA 5510 and I want my users to VPN in using the Cisco Client and IPSec, authenticating to a Windows 2000 RADIUS Server.
This is my first ASA install, and I'm not too skilled with Windows 2000 RADIUS/AAA. I should be able to make sure aaa authentication from the ASA to the Windows 2000 Server works. When I try to test that using the test aaa-server authentication command on the ASA, I get the following errors:
Cisco:
firewall# show debug
debug radius session
debug radius decode
firewall# test aaa-server authentication InternalAuth
Server IP Address or name: 192.168.1.7
Username: tleroy
Password: ***********
INFO: Attempting Authentication test to IP address <192.168.1.7> (timeout: 12 se
conds)
radius mkreq: 0x39
alloc_rip 0x42d8084
new request 0x39 --> 11 (0x42d8084)
got user ''
got password
add_req 0x42d8084 session 0x39 id 11
RADIUS_REQUEST
radius.c: rad_mkpkt
RADIUS packet decode (authentication request)
--------------------------
Raw packet data (length = 64).....
-deleted-
Parsed packet data.....
Radius: Code = 1 (0x01)
Radius: Identifier = 11 (0x0B)
Radius: Length = 64 (0x0040)
Radius: Vector: 8AFB187156D7C4ADE27330A92E
Radius: Type = 1 (0x01) User-Name
Radius: Length = 8 (0x08)
Radius: Value (String) =
-deleted-
Radius: Type = 2 (0x02) User-Password
Radius: Length = 18 (0x12)
Radius: Value (String) =
-deleted-
Radius: Type = 4 (0x04) NAS-IP-Address
Radius: Length = 6 (0x06)
Radius: Value (IP Address) = 192.168.1.25 (0xC0A80119)
Radius: Type = 5 (0x05) NAS-Port
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0xB
Radius: Type = 61 (0x3D) NAS-Port-Type
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x5
send pkt 192.168.1.7/1645
rip 0x42d8084 state 7 id 11
rad_vrfy() : bad req auth
rad_procpkt: radvrfy fail
RADIUS_DELETE
remove_req 0x42d8084 session 0x39 id 11
free_rip 0x42d8084
radius: send queue empty
ERROR: Authentication Server not responding: unknown
firewall#
On the Windows 2000 Domain Controller/RADIUS/IAS Server, I get the following errors:
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 681
Date: 9/21/2007
Time: 12:04:02 PM
User: NT AUTHORITY\SYSTEM
Computer: LSIADC01
Description:
The logon to account: tleroy
by: MICROSOFT_AUTHENTICATION_P
from workstation:
failed. The error code was: 3221225578
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 9/21/2007
Time: 12:04:02 PM
User: NT AUTHORITY\SYSTEM
Computer: LSIADC01
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: tleroy
Domain: LSISOLUTIONS
Logon Type: 3
Logon Process: IAS
Authentication Package: MICROSOFT_AUTHENTICATION_P
Workstation Name:
Event Type: Warning
Event Source: IAS
Event Category: None
Event ID: 2
Date: 9/21/2007
Time: 12:04:02 PM
User: N/A
Computer: LSIADC01
Description:
User tleroy was denied access.
Fully-Qualified-User-Name = LSISOLUTIONS\tleroy
NAS-IP-Address = 192.168.1.25
NAS-Identifier = <not present>
Called-Station-Identifier = <not present>
Calling-Station-Identifier
Client-Friendly-Name = firewall
Client-IP-Address = 192.168.1.25
NAS-Port-Type = Virtual
NAS-Port = 0
Policy-Name = <undetermined>
Authentication-Type = PAP
EAP-Type = <undetermined>
Reason-Code = 16
Reason = There was an authentication failure because of an unknown user name or a bad password.
I suspect I'm missing something on my RADIUS Server that will allow it to check Active Directory for my credentials, but I haven't figured it out yet.
Please post if you know of a tutorial, or have had a similar situation and have been able to resolve it.
Sincerely,
Ted
This Question has been solved and asker verified All Experts Exchange premium technology solutions are available to subscription members.
Experts Exchange has been collecting answers to technology questions since 1996…3 million and counting! If you have a question, chances are we already have your answer.
If you can't find the exact answer you're looking for, ask our exclusive community of 50,000 experts. You’ll get a personalized answer from a trusted professional.
Thousands of free tech tips, tricks, how-to’s and tutorials are available in our peer reviewed articles section. See for yourself how smart our experts are, no login required.
Save solutions to your questions, answers you’ve discovered through searching plus helpful articles in your personal knowledgebase for easy future access.
Access the answers to your technology questions today.
30-day free trial. Register in 60 seconds.
Members of the expert community talk about why the experience at Experts Exchange is different than what you will find anywhere else.
Try it out and discover for yourself.
30-day free trial. Register in 60 seconds.
Join the community of experts here and help other tech pros by answering question in your area of expertise. You can earn FREE access to all Experts Exchange's premium features and resources.
Thanks for the suggestions llyquid. When I right click on the IAS Server, I have the option of Register Service in Active Directory in Windows 2000. It said it is already authorized when I tried to do it again.
User password is not set to change at next logon.
I suspect a disconnect of some kind between the RADIUS Server and the Authentication Service. Please let me know if you can think of anything I should check along those lines.
Sincerely,
Ted
I see what the problem is:
your username should not be reported as DOMAIN\username... it should be in a sudo LDAP format like "domain.com/OU/username"
I have the same problem on another system... I can not find the answer to it wither... It is actually on this same IAS server, although the 3005 concentrator works fine, when I try to RADIUS for router authentication it fails... see the 2nd output below with my failed attempt... now we just have to figure out why there is a change in username format???
here is a output from a successful authentication for VPN from concentrator (note the format of username):
Event Type: Information
Event Source: IAS
Event Category: None
Event ID: 1
Date: 9/24/2007
Time: 12:02:25 PM
User: N/A
Computer: LBPBTS01
Description:
User celtic was granted access.
Fully-Qualified-User-Name = XXX.local/Vendors/Celtic
NAS-IP-Address = 10.XXX.XXX.254
NAS-Identifier = <not present>
Client-Friendly-Name = Cisco VPN 3005 Concentrator
Client-IP-Address = 10.XXX.XXX.254
Calling-Station-Identifier
NAS-Port-Type = Virtual
NAS-Port = 1364
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = Allow VPN Access to XXX
Authentication-Type = PAP
EAP-Type = <undetermined>
*******************
Here is the failed output from attempt to logon to router: (note change in username format)
Event Type: Warning
Event Source: IAS
Event Category: None
Event ID: 2
Date: 9/24/2007
Time: 1:02:37 PM
User: N/A
Computer: LBPBTS01
Description:
User administrator was denied access.
Fully-Qualified-User-Name = DOMAINXXX\administrator
NAS-IP-Address = 10.XXX.XXX.1
NAS-Identifier = <not present>
Called-Station-Identifier = <not present>
Calling-Station-Identifier
Client-Friendly-Name = LBPBGW1
Client-IP-Address = 10.XXX.XXX.1
NAS-Port-Type = Virtual
NAS-Port = 8
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = <undetermined>
Authentication-Type = PAP
EAP-Type = <undetermined>
Reason-Code = 16
Reason = Authentication was not successful because an unknown user name or incorrect password was used.
I think we're on the right track. I found this M$ KB article:
http://support.microsoft.c
That had this to say:
Configure IAS Properties
1. Start the IAS snap-in. To do this, click Start, point to Programs, point to Administrative Tools, and then click Internet Authentication Service.
2. Right-click Internet Authentication Service (Local), and then click Properties.
3. In the Description box, type the friendly name that you want to call this IAS server.
4. Click to clear the Log rejected or discarded authentication requests check box if you do not want to record these events.
NOTE: You can use this log file to help you to determine if unauthorized individuals are attempting to be authenticated in the domain.
5. Click to clear the Log successful authentication requests check box if you do not want to record these events.
NOTE: You can use this log file to help you to determine usage patterns of remote users.
6. Click the RADIUS tab. Note the authentication and accounting port numbers. If your IAS server is configured behind a firewall, you may need to open these ports to allow authentication and accounting of the remote users.
7. Click the Realms tab. The Realms rules are used to define how the user identity is manipulated before the name is checked for existence. To add a Realm:a. Click Add.
b. In the Find box, type the form of the user identity that you expect to receive during an authentication attempt. In the Replace box, type the manner in which you would like to format the identity, and then click OK. For example:" To remove a realm (example: @example.com) from which an identity may originate, type @example.com in the Find box, and leave the contents of the Replace box blank.
" To replace a User Principal Name (UPN)(user@domain.com) format with that of the Universal Naming Convention (UNC)(domain.com\user) format, type (.*)@(.*) in the Find box, and then type $2\$1 in the Replace box.
" To replace domain\user with specific_domain\user, type (.*)@(.*) in the Find box, and then type specific_domain\$2 in the Replace box.
" To convert a user name to a UPN name, for example, to change user to user@domain.com, type $ in the Find box, and then type @domain.com in the Replace box.
8. When you are finished adding items to the Realm list, click OK.
9. Quit the IAS snap-in.
When I tried to follow the article, my error message changed to the following:
Event Type: Warning
Event Source: IAS
Event Category: None
Event ID: 2
Date: 9/24/2007
Time: 5:10:56 PM
User: N/A
Computer: LSIADC01
Description:
User tleroy was denied access.
Fully-Qualified-User-Name = $2\tleroy$2\
NAS-IP-Address = 192.168.1.25
NAS-Identifier = <not present>
Called-Station-Identifier = <not present>
Calling-Station-Identifier
Client-Friendly-Name = firewall
Client-IP-Address = 192.168.1.25
NAS-Port-Type = Virtual
NAS-Port = 26
Policy-Name = <undetermined>
Authentication-Type = PAP
EAP-Type = <undetermined>
Reason-Code = 7
Reason = The specified domain does not exist.
Now it says the domain doesn't exist instead of bad username or password.
Problem solved!!!
firewall# test aaa-server authentication InternalAuth
Server IP Address or name: 192.168.1.7
Username: Userx
Password: **************************
INFO: Attempting Authentication test to IP address <192.168.1.7> (timeout: 12 se
conds)
Follow this part of the KB article:
" To convert a user name to a UPN name, for example, to change user to user@domain.com, type $ in the Find box, and then type @domain.com in the Replace box.
Ted
INFO: Authentication Successful
firewall#
Just a FYI note for other readers... mine is running on w2K3 server, and to edit the realms you have to go to a different spot, there is no realms tab on the properties of the IAS server:
Examples for manipulation of the realm name in the User-Name attribute
The following examples describe the use of the pattern matching syntax to manipulate realm names for the User-Name attribute, which is located on the Attribute tab in the properties of a connection request policy. For more information, see To configure attribute manipulation.
To remove the realm portion of the User-Name attribute
In the outsourced dial scenario, the Internet service provider (ISP) might require a realm name to route the authentication request. However, the IAS server might not recognize the realm name portion of the user name. Therefore, the realm name must be removed before it is forwarded to the IAS server.
Find: @microsoft\.com
Replace:
To replace user@example.microsoft.com
Find: (.*)@(.*)
Replace: $2\$1
To replace domain\user with specific_domain\user
Find: (.*)\\(.*)
Replace: specific_domain\$2
To replace user with user@specific_domain
Find: $
Replace: @specific_domain
llyquid,
Thanks for all the help, and for the 2k3 procedures. I'm not sure why it's being funky. I tried both RADIUS Standard and Cisco RADIUS and got the same results.
It was in Internet Authentication Service, Clients folder. Right click on your client name, select properties, under Client-Vendor, there are options for other readers.
Do you know of a way to make this process more secure? I'd like the ASA to have a PKI certificate issued by my Win2k Certificate Authority, and use that to authenticate to the server during RADIUS transactions. It's working for now, but it seems pretty wide open on the RADIUS side. It's kind of secure in that I had to authorize the firewall as a client and there's a shared secret, but it seems like PKI is a lot more secure. I also had to allow ppp clients to connect without negotiating any authentication method and unencrypted authentication (PAP, SPAP) in the dial-in profile.
What are your thoughts?
Ted
I guess you would have to build an IPSEC tunnel between the server and each of the routers and specify that only Radius traffic come over the tunnel.... otherwise you could try the message authenticator attribute:
http://technet2.microsoft.
I have the same issue and tried the all the steps above but still not working. Following is what I get when successful
User tst@example.com was granted access.
Fully-Qualified-User-Name = example.com/OU/tst
NAS-IP-Address = 192.168.240.6
NAS-Identifier = <not present>
Client-Friendly-Name = PIX
Client-IP-Address = 192.168.240.66
Calling-Station-Identifier
NAS-Port-Type = Virtual
NAS-Port = 324
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = PIX
Authentication-Type = PAP
EAP-Type = <undetermined>
Following when unsuccessful
User test1@example.com was denied access.
Fully-Qualified-User-Name = example\test1
NAS-IP-Address = 192.168.240.6
NAS-Identifier = <not present>
Client-Friendly-Name = PIX
Client-IP-Address = 192.168.240.66
Calling-Station-Identifier
NAS-Port-Type = Virtual
NAS-Port = 324
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = PIX
Authentication-Type = PAP
EAP-Type = <undetermined>
I'm the same as you davbouchard.
The event viewer output is like this:
Fully-Qualified-User-Name = Domain name\username
Whenever I try and connect as a client I get an error in the event viewer saying: There was an authentication failure of an unknown username or a bad password
Have you found a solution??
Business Accounts
Answer for Membership
by: llyquidPosted on 2007-09-21 at 17:07:36ID: 19939945
make sure the IAS server is Authoirized in the domain... you have to right click on the server and piock authorize from the IAS msc applet... also t possible the users passowrd is set to change a next logon?