Solved

Cisco 413 Error When clients try to login

Posted on 2004-10-07
Last Modified: 2013-11-16
I have just set up our Cisco 506 PIX and have enabled VPN connections.

I can access the router but when the network login (Cisco Client) box comes up and challenges for username and password, my users keep getting the following error.  Have I missed a step?  My users have permission to access our domain through VPN.  I am using PDM.  Can someone help?

Randy



Question by:rmefford
14 Comments
 

Author Comment

by:rmefford
ID: 12248367
Here is some more information...

The user accounts that the VPN client challenges for should be the user's username and domain password...how does the firewall know to check the username and password against the domain?  How does this occur?

Below are the results of my show run command:

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXXXX encrypted
passwd xxxxxxxxx encrypted
hostname xxxxxxxx.com
domain-name companyname
fixup protocol dns maximum-length 1500
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
no fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_access_in permit tcp any host 70.XXX.XXX.195 eq https
access-list outside_access_in permit tcp any host 70.XXX.XXX.195 eq www
access-list outside_access_in permit tcp any host 70.XXX.XXX.195 eq smtp
access-list inside_outbound_nat0_acl permit ip any 10.10.5.192 255.255.255.192
access-list outside_cryptomap_dyn_20 permit ip any 10.10.5.192 255.255.255.192
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 70.XXX.XXX.195 255.255.255.240
ip address inside 10.10.5.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool smartvpnaddress 10.10.5.201-10.1.5.245
pdm location 10.10.5.20 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 70.XXX.XXX.195 www 10.10.5.20 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 70.XXX.XXX.195 https 10.10.5.20 https netmask 255.255.255.255 0 0
static (inside,outside) tcp 70.XXX.XXX.195 smtp 10.10.5.20 smtp netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 70.60.63.193 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server smartcomvpn protocol tacacs+
aaa-server smartcomvpn (inside) host 10.1.5.20 smartcom timeout 10
http server enable
http 10.10.5.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication smartcomvpn
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup company address-pool smartvpnaddress
vpngroup company dns-server 10.10.5.20
vpngroup company wins-server 10.10.5.20
vpngroup company default-domain smartcomtech
vpngroup company idle-time 1800
vpngroup company authentication-server smartcomvpn
vpngroup company user-authentication
vpngroup company device-pass-through
vpngroup company password ********
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.10.5.51-10.1.5.250 inside
dhcpd dns 24.XXX.XXX.219 24.XXX.XXX.218
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
username xxxxx password xxxxxxx encrypted privilege XX
username xxxxx password xxxxxxx encrypted privilege XX
terminal width 80
Cryptochecksum:864c7ca3044ef7c91b4641a828a03838
: end
 

Author Comment

by:rmefford
ID: 12249670
Okay, I think I have figured it out...but now my only real question is how do I get my client to authenticate against the domain user list.  I want my users to use the same password on the VPN client as they do on the network.

Randy
 
LVL 79

Expert Comment

by:lrmoore
ID: 12250412
This would be a function in your Tacacs+ server. What version ACS are you using?

You might alternatively try using Microsoft's own Radius server which hooks right into your AD domain..

 

Author Comment

by:rmefford
ID: 12252568
lrmoore,

Thanks for the help.  I am not sure what you mean by ACS?  VPN Client software is 4.0.4.  I would prefer to continue using the VPN Cisco Client b/c that is what our other vendors are using.  

When you say it is a function of the Tacacs+ server, can you explain?  Do I need to tell it what server (Domain Controller) to point it to?  What is the command to get this to work, or can I use PDM to make the changes?

Thanks,
Randy
 
LVL 79

Accepted Solution

by:
lrmoore earned 1000 total points
ID: 12253528
These commands:
  >aaa-server smartcomvpn protocol tacacs+
  >aaa-server smartcomvpn (inside) host 10.1.5.20 smartcom timeout 10
  >vpngroup company authentication-server smartcomvpn

Together, they identify your TACACS+ server (Cisco ACS server, I presume) that will do the authentication, and then require vpn clients to get authenticated via this TACACS+ server.
In the ACS server, you have an option to use Domain authentication and you input the domain controller information.
There is nothing in the PIX / PDM where you can change that.

The client software is irrelevant. Cisco 4.0.4 client will work perfectly well.

If, however, you do not have Cisco ACS TACACS server at all, you have an option to change it to Radius authentication and use Microsoft Windows 2000/2003 IAS radius server...

Step by step for both the server and the PIX:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800b6099.shtml

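As an added illustration of the accepted answer (editor's example, not code from the thread or from Cisco), here is a small Python checker that parses the authentication-related lines of a PIX 6.3 running config and verifies the wiring lrmoore describes: that the vpngroup's authentication-server and the crypto map client authentication line name a defined aaa-server, that the aaa-server host lies on the subnet of the interface it is declared on, and that the local address pool is a well-formed range. The sample config is constructed from the lines in the "show run" posted earlier in this question, with the redacted public addresses omitted. Run against those lines it flags two things visible in the posted config: the aaa-server host 10.1.5.20 is not on the 10.10.5.0/24 inside network, and the pool 10.10.5.201-10.1.5.245 ends before it starts. The "corrected" variant using 10.10.5.20 and 10.10.5.245 is an assumption made for the demonstration; the poster's real server address is not on the page.

```python
import ipaddress

# Constructed sample (editor's addition): the authentication-relevant lines from the
# PIX 6.3(3) "show run" posted in this question. Redacted public addresses
# (70.XXX.XXX.195) are left out; the parser also skips any address it cannot parse.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address inside 10.10.5.1 255.255.255.0
ip local pool smartvpnaddress 10.10.5.201-10.1.5.245
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server smartcomvpn protocol tacacs+
aaa-server smartcomvpn (inside) host 10.1.5.20 smartcom timeout 10
crypto map outside_map client authentication smartcomvpn
vpngroup company address-pool smartvpnaddress
vpngroup company authentication-server smartcomvpn
"""

# Assumed corrected variant: the AAA host and the pool end moved onto the
# 10.10.5.0/24 inside network. This is an assumption for the demo, not a statement
# about what the poster's real TACACS+ server address was.
FIXED_CONFIG = (SAMPLE_CONFIG
                .replace("host 10.1.5.20", "host 10.10.5.20")
                .replace("10.1.5.245", "10.10.5.245"))


def parse_pix(text):
    """Pull interfaces, local pools, aaa-server groups, vpngroups and crypto-map
    client-authentication references out of a PIX 6.x running config."""
    cfg = {"interfaces": {}, "pools": {}, "aaa_servers": {}, "vpngroups": {}, "crypto_auth": set()}
    for line in text.splitlines():
        p = line.split()
        if not p:
            continue
        if p[:2] == ["ip", "address"] and len(p) >= 5:
            try:
                cfg["interfaces"][p[2]] = ipaddress.ip_interface(f"{p[3]}/{p[4]}")
            except ValueError:
                pass  # redacted address such as 70.XXX.XXX.195
        elif p[:3] == ["ip", "local", "pool"] and len(p) >= 5:
            lo, _, hi = p[4].partition("-")
            cfg["pools"][p[3]] = (lo, hi)
        elif p[0] == "aaa-server" and len(p) >= 4:
            srv = cfg["aaa_servers"].setdefault(p[1], {"protocol": None, "hosts": []})
            if p[2] == "protocol":
                srv["protocol"] = p[3]
            elif p[2].startswith("(") and p[3] == "host" and len(p) >= 5:
                srv["hosts"].append((p[2].strip("()"), p[4]))  # (interface, host)
        elif p[0] == "vpngroup" and len(p) >= 3:
            cfg["vpngroups"].setdefault(p[1], {})[p[2]] = p[3] if len(p) > 3 else True
        elif p[:2] == ["crypto", "map"] and "authentication" in p:
            cfg["crypto_auth"].add(p[-1])  # server tag used for XAUTH of IKE clients
    return cfg


def check_vpn_auth(cfg, group):
    """Return a list of findings; an empty list means the vpngroup's AAA wiring is
    internally consistent (it does not prove the server itself answers)."""
    findings = []
    grp = cfg["vpngroups"].get(group)
    if grp is None:
        return [f"vpngroup {group} is not defined"]
    name = grp.get("authentication-server")
    if not name:
        findings.append(f"vpngroup {group} has no authentication-server")
    else:
        srv = cfg["aaa_servers"].get(name)
        if srv is None:
            findings.append(f"authentication-server {name} is not a defined aaa-server")
        else:
            if srv["protocol"] != "local" and not srv["hosts"]:
                findings.append(f"aaa-server {name} ({srv['protocol']}) has no host line")
            for ifname, host in srv["hosts"]:
                iface = cfg["interfaces"].get(ifname)
                if iface is None:
                    findings.append(f"aaa-server {name} host {host} is on unknown interface {ifname}")
                elif ipaddress.ip_address(host) not in iface.network:
                    findings.append(f"aaa-server {name} host {host} is not on the {ifname} subnet {iface.network}")
            if name not in cfg["crypto_auth"]:
                findings.append(f"no 'crypto map ... client authentication {name}' line (XAUTH not tied to this server)")
    pool = grp.get("address-pool")
    if pool and pool not in cfg["pools"]:
        findings.append(f"address-pool {pool} is not defined")
    elif pool:
        lo, hi = (ipaddress.ip_address(a) for a in cfg["pools"][pool])
        if hi < lo:
            findings.append(f"ip local pool {pool} range {lo}-{hi} ends before it starts")
    return findings


if __name__ == "__main__":
    for label, text in (("posted", SAMPLE_CONFIG), ("corrected", FIXED_CONFIG)):
        print(f"{label}:")
        for f in check_vpn_auth(parse_pix(text), "company") or ["no findings"]:
            print("  -", f)
```

The checker only tests the PIX side for internal consistency; whether the TACACS+ or RADIUS server actually validates the user against the domain is, as the answer says, configured on that server, not on the PIX.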
 

Author Comment

by:rmefford
ID: 12261385
Okay, thanks for the help so far...

TACACS+ server = is this something that I need to purchase separate from my Cisco 506 or 2003 Server?

Every time I run the VPN setup wizard on my 2003 server all of my users immediately lose access to the network server.  Why is that?

Thanks,
Randy
 
LVL 79

Expert Comment

by:lrmoore
ID: 12261499
>TACACS+ server = is this something that I need to purchase separate from my Cisco 506 or 2003 Server?

Yes, and it is very expensive - UNLESS you want to just use the Windows2003 IAS that you already have.

>Every time I run the VPN setup wizard on my 2003 server all of my users immediately lose access to the network server.  Why is that?
This is something for a new post in the Windows 2003 server topic area. Let's get you over this first hurdle here...
 

Author Comment

by:rmefford
ID: 12261677
lrmoore,

Thanks so far.   Well I have installed the IAS part...do I even need to turn on VPN access to the server?  I suppose that is a dumb question but...I better ask.
 
LVL 79

Expert Comment

by:lrmoore
ID: 12261921
You do not have to enable VPN on the server for this part to work...

 
LVL 79

Expert Comment

by:lrmoore
ID: 12280497
Are you still working on this? Can we be of any more assistance?
 

Author Comment

by:rmefford
ID: 12309933
Yes, I am.  

Okay, I have ISA running, but not sure how to configure it.

Also how will I tell my Router to use Radius so that my network is authenticating user VPN requests?

Your continued help is appreciated.
 
LVL 79

Expert Comment

by:lrmoore
ID: 12309996
 

Author Comment

by:rmefford
ID: 12312431
Okay, I tried the link and attempted to follow the processes.  Is there an easy way to do this with the PDM?  I have run the wizard and I can connect via vpn from the outside, but it is still not challenging me for the network credentials.

I have IAS installed and followed along with the doc but it does seem to work.  This really has to be MUCH MUCH MUCH easier than has been so far.  Is there info I could provide you that would be useful?  

Right now I have just set up local accounts to test with on the router and that is how they are able to connect, but they can access all areas of my network.
 

Author Comment

by:rmefford
ID: 12381568
I give up...I am closing this question.