Hi folks,
I'm installing a Cisco ASA 5510 and I want my users to VPN in using the Cisco Client and IPSec, authenticating to a Windows 2000 RADIUS Server.
This is my first ASA install, and I'm not too skilled with Windows 2000 RADIUS/AAA. I should be able to make sure aaa authentication from the ASA to the Windows 2000 Server works. When I try to test that using the test aaa-server authentication command on the ASA, I get the following errors:
Cisco:
firewall# show debug
debug radius session
debug radius decode
firewall# test aaa-server authentication InternalAuth
Server IP Address or name: 192.168.1.7
Username: tleroy
Password: ***********
INFO: Attempting Authentication test to IP address <192.168.1.7> (timeout: 12 seconds)
radius mkreq: 0x39
alloc_rip 0x42d8084
new request 0x39 --> 11 (0x42d8084)
got user ''
got password
add_req 0x42d8084 session 0x39 id 11
RADIUS_REQUEST
radius.c: rad_mkpkt
RADIUS packet decode (authentication request)
--------------------------------------
Raw packet data (length = 64).....
-deleted-
Parsed packet data.....
Radius: Code = 1 (0x01)
Radius: Identifier = 11 (0x0B)
Radius: Length = 64 (0x0040)
Radius: Vector: 8AFB187156D7C4ADE27330A92ECF5C65
Radius: Type = 1 (0x01) User-Name
Radius: Length = 8 (0x08)
Radius: Value (String) =
-deleted-
Radius: Type = 2 (0x02) User-Password
Radius: Length = 18 (0x12)
Radius: Value (String) =
-deleted-
Radius: Type = 4 (0x04) NAS-IP-Address
Radius: Length = 6 (0x06)
Radius: Value (IP Address) = 192.168.1.25 (0xC0A80119)
Radius: Type = 5 (0x05) NAS-Port
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0xB
Radius: Type = 61 (0x3D) NAS-Port-Type
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x5
send pkt 192.168.1.7/1645
rip 0x42d8084 state 7 id 11
rad_vrfy() : bad req auth
rad_procpkt: radvrfy fail
RADIUS_DELETE
remove_req 0x42d8084 session 0x39 id 11
free_rip 0x42d8084
radius: send queue empty
ERROR: Authentication Server not responding: unknown
firewall#
On the Windows 2000 Domain Controller/RADIUS/IAS Server, I get the following errors:
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 681
Date: 9/21/2007
Time: 12:04:02 PM
User: NT AUTHORITY\SYSTEM
Computer: LSIADC01
Description:
The logon to account: tleroy
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
from workstation:
failed. The error code was: 3221225578
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 9/21/2007
Time: 12:04:02 PM
User: NT AUTHORITY\SYSTEM
Computer: LSIADC01
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: tleroy
Domain: LSISOLUTIONS
Logon Type: 3
Logon Process: IAS
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name:
Event Type: Warning
Event Source: IAS
Event Category: None
Event ID: 2
Date: 9/21/2007
Time: 12:04:02 PM
User: N/A
Computer: LSIADC01
Description:
User tleroy was denied access.
Fully-Qualified-User-Name = LSISOLUTIONS\tleroy
NAS-IP-Address = 192.168.1.25
NAS-Identifier = <not present>
Called-Station-Identifier = <not present>
Calling-Station-Identifier = <not present>
Client-Friendly-Name = firewall
Client-IP-Address = 192.168.1.25
NAS-Port-Type = Virtual
NAS-Port = 0
Policy-Name = <undetermined>
Authentication-Type = PAP
EAP-Type = <undetermined>
Reason-Code = 16
Reason = There was an authentication failure because of an unknown user name or a bad password.
I suspect I'm missing something on my RADIUS Server that will allow it to check Active Directory for my credentials, but I haven't figured it out yet.
Please post if you know of a tutorial, or have had a similar situation and have been able to resolve it.
Sincerely,
Ted
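Editor's note, an added example that is not part of Ted's post: the two logs above are consistent with a RADIUS shared-secret mismatch between the ASA and the IAS server, because the shared secret is used both to hide the PAP User-Password attribute and to compute the Response Authenticator that rad_vrfy() checks. The Python script below (written for this page, with a constructed password and constructed secrets) implements both RFC 2865 steps and shows that when the secrets differ, the server recovers a wrong password (the IAS "bad password" event) and the NAS cannot verify the reply (the ASA "bad req auth" followed by "server not responding").

```python
import hashlib
import os
import struct

def pap_password_hide(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 s5.2: pad to a 16-byte multiple, XOR each block with
    MD5(secret + previous ciphertext block); block 1 uses the Request Authenticator."""
    pad_len = (16 - len(password) % 16) % 16 if password else 16
    padded = password + b"\x00" * pad_len
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def pap_password_reveal(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of pap_password_hide; the server runs this with *its* copy of the secret."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def response_authenticator(code: int, ident: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def simulate(nas_secret: bytes, server_secret: bytes,
             password: bytes = b"constructed-pass") -> tuple:
    """One PAP exchange. Returns (server_saw_correct_password, nas_verified_reply)."""
    request_auth = os.urandom(16)           # fresh per request, as the NAS does
    ident = 11                              # same Identifier as in the ASA debug above
    hidden = pap_password_hide(password, nas_secret, request_auth)
    # Server side (IAS): reveal with its own secret, then Access-Accept (2) or Access-Reject (3)
    seen = pap_password_reveal(hidden, server_secret, request_auth)
    code = 2 if seen == password else 3
    reply_auth = response_authenticator(code, ident, b"", request_auth, server_secret)
    # NAS side (ASA rad_vrfy): recompute with its own secret; a mismatch is "bad req auth"
    expected = response_authenticator(code, ident, b"", request_auth, nas_secret)
    return seen == password, reply_auth == expected

if __name__ == "__main__":
    print("matching secrets:  ", simulate(b"s3cret", b"s3cret"))
    print("mismatched secrets:", simulate(b"s3cret", b"s3cret-typo"))
```

The same failure pattern also appears if the ASA points at a RADIUS client entry whose secret was typed differently on the IAS side, so comparing the two secrets is the first check to make before looking at Active Directory policy.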