09.21.2007 at 11:19AM PDT, ID: 22844878

ERROR: Authentication Server not responding: unknown, Windows Event Log, IAS Warning, Event ID 2, authentication failure
Tags: ias, server, authentication
Hi folks,

I'm installing a Cisco ASA 5510 and I want my users to VPN in using the Cisco Client and IPSec, authenticating to a Windows 2000 RADIUS Server.

This is my first ASA install, and I'm not too skilled with Windows 2000 RADIUS/AAA.  I should be able to make sure aaa authentication from the ASA to the Windows 2000 Server works.  When I try to test that using the test aaa-server authentication command on the ASA, I get the following errors:

Cisco:

firewall# show debug
debug radius session
debug radius decode
firewall# test aaa-server authentication InternalAuth
Server IP Address or name: 192.168.1.7
Username: tleroy
Password: ***********
INFO: Attempting Authentication test to IP address <192.168.1.7> (timeout: 12 seconds)
radius mkreq: 0x39
alloc_rip 0x42d8084
    new request 0x39 --> 11 (0x42d8084)
got user ''
got password
add_req 0x42d8084 session 0x39 id 11
RADIUS_REQUEST
radius.c: rad_mkpkt

RADIUS packet decode (authentication request)

--------------------------------------
Raw packet data (length = 64).....
-deleted-

Parsed packet data.....
Radius: Code = 1 (0x01)
Radius: Identifier = 11 (0x0B)
Radius: Length = 64 (0x0040)
Radius: Vector: 8AFB187156D7C4ADE27330A92ECF5C65
Radius: Type = 1 (0x01) User-Name
Radius: Length = 8 (0x08)
Radius: Value (String) =
-deleted-
Radius: Type = 2 (0x02) User-Password
Radius: Length = 18 (0x12)
Radius: Value (String) =
-deleted-
Radius: Type = 4 (0x04) NAS-IP-Address
Radius: Length = 6 (0x06)
Radius: Value (IP Address) = 192.168.1.25 (0xC0A80119)
Radius: Type = 5 (0x05) NAS-Port
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0xB
Radius: Type = 61 (0x3D) NAS-Port-Type
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x5
send pkt 192.168.1.7/1645
rip 0x42d8084 state 7 id 11
rad_vrfy() : bad req auth
rad_procpkt: radvrfy fail
RADIUS_DELETE
remove_req 0x42d8084 session 0x39 id 11
free_rip 0x42d8084
radius: send queue empty
ERROR: Authentication Server not responding: unknown
firewall#

On the Windows 2000 Domain Controller/RADIUS/IAS Server, I get the following errors:

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Account Logon
Event ID:      681
Date:            9/21/2007
Time:            12:04:02 PM
User:            NT AUTHORITY\SYSTEM
Computer:      LSIADC01
Description:
The logon to account: tleroy
 by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 from workstation:
 failed. The error code was: 3221225578
 
Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      529
Date:            9/21/2007
Time:            12:04:02 PM
User:            NT AUTHORITY\SYSTEM
Computer:      LSIADC01
Description:
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      tleroy
       Domain:            LSISOLUTIONS
       Logon Type:      3
       Logon Process:      IAS
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:       

Event Type:      Warning
Event Source:      IAS
Event Category:      None
Event ID:      2
Date:            9/21/2007
Time:            12:04:02 PM
User:            N/A
Computer:      LSIADC01
Description:
User tleroy was denied access.
 Fully-Qualified-User-Name = LSISOLUTIONS\tleroy
 NAS-IP-Address = 192.168.1.25
 NAS-Identifier = <not present>
 Called-Station-Identifier = <not present>
 Calling-Station-Identifier = <not present>
 Client-Friendly-Name = firewall
 Client-IP-Address = 192.168.1.25
 NAS-Port-Type = Virtual
 NAS-Port = 0
 Policy-Name = <undetermined>
 Authentication-Type = PAP
 EAP-Type = <undetermined>
 Reason-Code = 16
 Reason = There was an authentication failure because of an unknown user name or a bad password.  

I suspect I'm missing something on my RADIUS Server that will allow it to check Active Directory for my credentials, but I haven't figured it out yet.

Please post if you know of a tutorial, or have had a similar situation and have been able to resolve it.

Sincerely,

Ted
Question Stats
Zone: Networking
Question Asked By: Sma11T0wnITGuy
Solution Provided By: llyquid
Participating Experts: 1
Solution Grade: A
Views: 221
09.21.2007 at 05:07PM PDT, ID: 19939945
make sure the IAS server is Authorized in the domain...  you have to right click on the server and pick authorize from the IAS msc applet...    also it's possible the user's password is set to change at next logon?
 
09.24.2007 at 07:02AM PDT, ID: 19948486
Thanks for the suggestions llyquid.  When I right click on the IAS Server, I have the option of Register Service in Active Directory in Windows 2000.  It said it is already authorized when I tried to do it again.

User password is not set to change at next logon.  

I suspect a disconnect of some kind between the RADIUS Server and the Authentication Service.  Please let me know if you can think of anything I should check along those lines.

Sincerely,

Ted
 
09.24.2007 at 10:03AM PDT, ID: 19949778
I see what the problem is:

your username should not be reported as DOMAIN\username...  it should be in a pseudo LDAP format like "domain.com/OU/username"

I have the same problem on another system...  I can not find the answer to it either...   It is actually on this same IAS server,   although the 3005 concentrator works fine,  when I try to RADIUS for router authentication it fails...  see the 2nd output below with my failed attempt...  now we just have to figure out why there is a change in username format???

here is an output from a successful authentication for VPN from concentrator (note the format of username):

Event Type:      Information
Event Source:      IAS
Event Category:      None
Event ID:      1
Date:            9/24/2007
Time:            12:02:25 PM
User:            N/A
Computer:      LBPBTS01
Description:
User celtic was granted access.
 Fully-Qualified-User-Name = XXX.local/Vendors/Celtic
 NAS-IP-Address = 10.XXX.XXX.254
 NAS-Identifier = <not present>
 Client-Friendly-Name = Cisco VPN 3005 Concentrator
 Client-IP-Address = 10.XXX.XXX.254
 Calling-Station-Identifier = 67.XXX.XXX.XXX
 NAS-Port-Type = Virtual
 NAS-Port = 1364
 Proxy-Policy-Name = Use Windows authentication for all users
 Authentication-Provider = Windows
 Authentication-Server = <undetermined>
 Policy-Name = Allow VPN Access to XXX
 Authentication-Type = PAP
 EAP-Type = <undetermined>


*******************


Here is the failed output from attempt to logon to router:   (note change in username format)

Event Type:      Warning
Event Source:      IAS
Event Category:      None
Event ID:      2
Date:            9/24/2007
Time:            1:02:37 PM
User:            N/A
Computer:      LBPBTS01
Description:
User administrator was denied access.
 Fully-Qualified-User-Name = DOMAINXXX\administrator
 NAS-IP-Address = 10.XXX.XXX.1
 NAS-Identifier = <not present>
 Called-Station-Identifier = <not present>
 Calling-Station-Identifier = 10.XXX.XXX.10
 Client-Friendly-Name = LBPBGW1
 Client-IP-Address = 10.XXX.XXX.1
 NAS-Port-Type = Virtual
 NAS-Port = 8
 Proxy-Policy-Name = Use Windows authentication for all users
 Authentication-Provider = Windows
 Authentication-Server = <undetermined>
 Policy-Name = <undetermined>
 Authentication-Type = PAP
 EAP-Type = <undetermined>
 Reason-Code = 16
 Reason = Authentication was not successful because an unknown user name or incorrect password was used.

 
09.24.2007 at 02:16PM PDT, ID: 19951854
I think we're on the right track.  I found this M$ KB article:

http://support.microsoft.com/kb/317588

That had this to say:

Configure IAS Properties
1. Start the IAS snap-in. To do this, click Start, point to Programs, point to Administrative Tools, and then click Internet Authentication Service.
2. Right-click Internet Authentication Service (Local), and then click Properties.
3. In the Description box, type the friendly name that you want to call this IAS server.  
4. Click to clear the Log rejected or discarded authentication requests check box if you do not want to record these events.
NOTE: You can use this log file to help you to determine if unauthorized individuals are attempting to be authenticated in the domain.
5. Click to clear the Log successful authentication requests check box if you do not want to record these events.
NOTE: You can use this log file to help you to determine usage patterns of remote users.
6. Click the RADIUS tab. Note the authentication and accounting port numbers. If your IAS server is configured behind a firewall, you may need to open these ports to allow authentication and accounting of the remote users.
7. Click the Realms tab. The Realms rules are used to define how the user identity is manipulated before the name is checked for existence. To add a Realm:
   a. Click Add.
   b. In the Find box, type the form of the user identity that you expect to receive during an authentication attempt. In the Replace box, type the manner in which you would like to format the identity, and then click OK. For example:
     • To remove a realm (example: @example.com) from which an identity may originate, type @example.com in the Find box, and leave the contents of the Replace box blank.
     • To replace a User Principal Name (UPN) (user@domain.com) format with that of the Universal Naming Convention (UNC) (domain.com\user) format, type (.*)@(.*) in the Find box, and then type $2\$1 in the Replace box.
     • To replace domain\user with specific_domain\user, type (.*)@(.*) in the Find box, and then type specific_domain\$2 in the Replace box.
     • To convert a user name to a UPN name, for example, to change user to user@domain.com, type $ in the Find box, and then type @domain.com in the Replace box.
8. When you are finished adding items to the Realm list, click OK.
9. Quit the IAS snap-in.

When I tried to follow the article, my error message changed to the following:

Event Type:      Warning
Event Source:      IAS
Event Category:      None
Event ID:      2
Date:            9/24/2007
Time:            5:10:56 PM
User:            N/A
Computer:      LSIADC01
Description:
User tleroy was denied access.
 Fully-Qualified-User-Name = $2\tleroy$2\
 NAS-IP-Address = 192.168.1.25
 NAS-Identifier = <not present>
 Called-Station-Identifier = <not present>
 Calling-Station-Identifier = <not present>
 Client-Friendly-Name = firewall
 Client-IP-Address = 192.168.1.25
 NAS-Port-Type = Virtual
 NAS-Port = 26
 Policy-Name = <undetermined>
 Authentication-Type = PAP
 EAP-Type = <undetermined>
 Reason-Code = 7
 Reason = The specified domain does not exist.  

Now it says the domain doesn't exist instead of bad username or password.
 
09.24.2007 at 02:21PM PDT, ID: 19951884
Problem solved!!!

firewall# test aaa-server authentication InternalAuth
Server IP Address or name: 192.168.1.7
Username: Userx
Password: **********************************************
INFO: Attempting Authentication test to IP address <192.168.1.7> (timeout: 12 seconds)
INFO: Authentication Successful
firewall#

Follow this part of the KB article:

  • To convert a user name to a UPN name, for example, to change user to user@domain.com, type $ in the Find box, and then type @domain.com in the Replace box.

Ted
 
09.24.2007 at 02:44PM PDT, ID: 19952016
yes,  this fixed my router login problem also...   I wonder what causes it to format the name wrong...  IAS usually works for me with RADIUS without having to change these settings....   but every once in a while I will get a cisco device that I guess requires the realm formatting...  
 
09.24.2007 at 02:50PM PDT, ID: 19952047
Just a FYI note for other readers...  mine is running on w2K3 server,   and to edit the realms you have to go to a different spot,  there is no realms tab on the properties of the IAS server:

Examples for manipulation of the realm name in the User-Name attribute
The following examples describe the use of the pattern matching syntax to manipulate realm names for the User-Name attribute, which is located on the Attribute tab in the properties of a connection request policy. For more information, see To configure attribute manipulation.

To remove the realm portion of the User-Name attribute
In the outsourced dial scenario, the Internet service provider (ISP) might require a realm name to route the authentication request. However, the IAS server might not recognize the realm name portion of the user name. Therefore, the realm name must be removed before it is forwarded to the IAS server.

Find: @microsoft\.com
Replace:

To replace user@example.microsoft.com with example.microsoft.com\user
Find: (.*)@(.*)
Replace: $2\$1

To replace domain\user with specific_domain\user
Find: (.*)\\(.*)
Replace: specific_domain\$2

To replace user with user@specific_domain
Find: $
Replace: @specific_domain
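As an added illustration (not code from the thread, from Microsoft, or from the KB article), the following Python applies the realm rules quoted in the KB excerpt and in the list above to the User-Name values seen in this thread. Python's re module stands in for IAS's own pattern syntax (an assumption; it agrees for the patterns quoted here), and specific_domain is the placeholder the quoted text uses.

```python
import re

# IAS realm rules as (find, replace) pairs, written the way the thread gives
# them: a regex in Find, and $1/$2 group references in Replace. Python's re
# module models IAS's pattern syntax here (assumption: it agrees for these
# patterns). "specific_domain" and "microsoft.com" are the quoted placeholders.
RULE_STRIP_REALM = (r"@microsoft\.com", "")                 # user@microsoft.com -> user
RULE_UPN_TO_UNC = (r"(.*)@(.*)", r"$2\$1")                  # user@dom -> dom\user
RULE_FORCE_DOMAIN = (r"(.*)\\(.*)", r"specific_domain\$2")  # dom\user -> specific_domain\user
RULE_APPEND_UPN = (r"$", "@specific_domain")                # user -> user@specific_domain

def ias_to_python_replacement(repl):
    """Turn an IAS Replace string into a Python re.sub replacement string:
    $N becomes \\N, and a backslash that IAS treats as a literal is escaped."""
    out = []
    i = 0
    while i < len(repl):
        c = repl[i]
        if c == "$" and i + 1 < len(repl) and repl[i + 1].isdigit():
            out.append("\\" + repl[i + 1])
            i += 2
        elif c == "\\":
            out.append("\\\\")
            i += 1
        else:
            out.append(c)
            i += 1
    return "".join(out)

def apply_rule(user_name, rule):
    """Apply one (find, replace) realm rule to a User-Name value."""
    find, replace = rule
    return re.sub(find, ias_to_python_replacement(replace), user_name)

def apply_rules(user_name, rules):
    """Apply rules top to bottom, as IAS walks its Realm list; order matters,
    because each rule sees the previous rule's output."""
    for rule in rules:
        user_name = apply_rule(user_name, rule)
    return user_name

def looks_unexpanded(user_name):
    """Sanity check for a mis-typed rule: a rewritten name that still carries a
    literal '$N' (compare the thread's '$2\\tleroy$2\\' event) most likely means
    the Replace string refers to a group the Find pattern never captured."""
    return bool(re.search(r"\$\d", user_name))
```

Running the ASA's bare user name "tleroy" through RULE_APPEND_UPN yields "tleroy@specific_domain", which is the rewrite that fixed the thread's problem.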
 
09.25.2007 at 07:23AM PDT, ID: 19955921
llyquid,

Thanks for all the help, and for the 2k3 procedures.  I'm not sure why it's being funky.  I tried both RADIUS Standard and Cisco RADIUS and got the same results.  

It was in Internet Authentication Service, Clients folder.  Right click on your client name, select properties, under Client-Vendor, there are options for other readers.

Do you know of a way to make this process more secure?  I'd like the ASA to have a PKI certificate issued by my Win2k Certificate Authority, and use that to authenticate to the server during RADIUS transactions.  It's working for now, but it seems pretty wide open on the RADIUS side.  It's kind of secure in that I had to authorize the firewall as a client and there's a shared secret, but it seems like PKI is a lot more secure.  I also had to allow ppp clients to connect without negotiating any authentication method and unencrypted authentication (PAP, SPAP) in the dial-in profile.

What are your thoughts?

Ted
 
09.25.2007 at 11:04AM PDT, ID: 19957664
I guess you would have to build an IPSEC tunnel between the server and each of the routers and specify that only Radius traffic comes over the tunnel....   otherwise you could try the message authenticator attribute:

http://technet2.microsoft.com/windowsserver/en/library/465c2da9-d0d0-4ba8-a2ff-1c9e50db84ce1033.mspx?mfr=true

Accepted Solution
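To make the Message-Authenticator option concrete, here is an added Python example (not code from the thread, from Cisco, or from Microsoft) that builds an Access-Request like the one in the ASA debug above, with a PAP User-Password and the Message-Authenticator attribute, and performs the verification a server does on it; the shared secret, user name and password are constructed values.

```python
import hashlib
import hmac
import struct

# RADIUS packet pieces used below; attribute numbers are from RFC 2865/2869.
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
ATTR_MESSAGE_AUTHENTICATOR = 80

def tlv(attr_type, value):
    """One RADIUS attribute: Type, Length (value + 2), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def hide_pap_password(secret, request_auth, password):
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request
    Authenticator. This is keyed MD5 obfuscation, not encryption, which is
    why the thread ends up recommending IPsec around the RADIUS traffic."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\0")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out

def build_access_request(secret, request_auth, user, password, nas_ip, ident=11):
    """Access-Request carrying Message-Authenticator (RFC 2869 5.14): HMAC-MD5
    keyed with the shared secret over the whole packet, with the attribute's
    own 16 value bytes set to zero while the HMAC is computed."""
    attrs = (tlv(ATTR_USER_NAME, user)
             + tlv(ATTR_USER_PASSWORD, hide_pap_password(secret, request_auth, password))
             + tlv(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    zeroed_attrs = attrs + tlv(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(zeroed_attrs)) + request_auth
    mac = hmac.new(secret, header + zeroed_attrs, hashlib.md5).digest()
    return header + attrs + tlv(ATTR_MESSAGE_AUTHENTICATOR, mac)

def verify_message_authenticator(secret, packet):
    """Server-side check: walk the attributes, zero the Message-Authenticator
    value, recompute the HMAC and compare in constant time. A packet without
    the attribute, with a wrong secret, or with any byte altered fails."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length > len(packet):
        return False
    pos = 20
    while pos + 2 <= length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            return False
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and attr_len == 18:
            received = packet[pos + 2:pos + 18]
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:length]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        pos += attr_len
    return False

def response_authenticator(secret, code, ident, attrs, request_auth):
    """RFC 2865 3: the authenticator a server puts on its reply, MD5(Code + ID +
    Length + RequestAuth + Attributes + Secret). The NAS recomputes it on each
    reply and drops replies that do not match, e.g. when the secrets differ."""
    length = 20 + len(attrs)
    return hashlib.md5(struct.pack("!BBH", code, ident, length) + request_auth + attrs + secret).digest()
```

Without Message-Authenticator, an Access-Request is only protected by the User-Password hiding, so a server that requires the attribute from its RADIUS clients rejects forged or altered requests instead of merely failing the password.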
 
09.25.2007 at 11:56AM PDT, ID: 19958060
Very cool.  Thanks!

Ted