Solved

Cisco 413 Error When clients try to login

Posted on 2004-10-07
Last Modified: 2013-11-16
I have just set up our Cisco PIX 506 and have enabled VPN connections.

I can access the router, but when the network login (Cisco Client) box comes up and challenges for username and password, my users keep getting the following error. Have I missed a step? My users have permission to access our domain through VPN. I am using PDM. Can someone help?

Randy



Question by:rmefford
Author Comment

by:rmefford
Here is some more information...

The user accounts that the VPN client challenges for should be the user's username and domain password...how does the firewall know to check the username and password against the domain? How does this occur?

Below are the results of my show run command:

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXXXX encrypted
passwd xxxxxxxxx encrypted
hostname xxxxxxxx.com
domain-name companyname
fixup protocol dns maximum-length 1500
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
no fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_access_in permit tcp any host 70.XXX.XXX.195 eq https
access-list outside_access_in permit tcp any host 70.XXX.XXX.195 eq www
access-list outside_access_in permit tcp any host 70.XXX.XXX.195 eq smtp
access-list inside_outbound_nat0_acl permit ip any 10.10.5.192 255.255.255.192
access-list outside_cryptomap_dyn_20 permit ip any 10.10.5.192 255.255.255.192
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 70.XXX.XXX.195 255.255.255.240
ip address inside 10.10.5.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool smartvpnaddress 10.10.5.201-10.1.5.245
pdm location 10.10.5.20 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 70.XXX.XXX.195 www 10.10.5.20 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 70.XXX.XXX.195 https 10.10.5.20 https netmask 255.255.255.255 0 0
static (inside,outside) tcp 70.XXX.XXX.195 smtp 10.10.5.20 smtp netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 70.60.63.193 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server smartcomvpn protocol tacacs+
aaa-server smartcomvpn (inside) host 10.1.5.20 smartcom timeout 10
http server enable
http 10.10.5.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication smartcomvpn
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup company address-pool smartvpnaddress
vpngroup company dns-server 10.10.5.20
vpngroup company wins-server 10.10.5.20
vpngroup company default-domain smartcomtech
vpngroup company idle-time 1800
vpngroup company authentication-server smartcomvpn
vpngroup company user-authentication
vpngroup company device-pass-through
vpngroup company password ********
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.10.5.51-10.1.5.250 inside
dhcpd dns 24.XXX.XXX.219 24.XXX.XXX.218
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
username xxxxx password xxxxxxx encrypted privilege XX
username xxxxx password xxxxxxx encrypted privilege XX
terminal width 80
Cryptochecksum:864c7ca3044ef7c91b4641a828a03838
: end
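
Editor's added example, not part of the original post or of any Cisco tool: a small Python check that parses the PIX 6.3 statements shown above and flags the inconsistencies a reviewer would confirm on the box before blaming the AAA server. The sample input is a constructed subset of the posted config with the addresses exactly as posted; the check names and messages are this example's own. Run against those lines it reports two things visible in the post: the pool `10.10.5.201-10.1.5.245` has its start above its end, and the TACACS+ host `10.1.5.20` is not on the inside subnet `10.10.5.0/24` (the DNS/WINS server in the same config is `10.10.5.20`). Whether those are slips in the post or in the running config, a `vpngroup` that points at an unreachable `aaa-server` host fails every client login regardless of what the server side is doing.

```python
import ipaddress
import re

# Constructed sample: the address, pool, AAA and vpngroup lines from the
# "show run" posted above, copied with the addresses exactly as posted.
SAMPLE_CONFIG = """\
ip address inside 10.10.5.1 255.255.255.0
ip local pool smartvpnaddress 10.10.5.201-10.1.5.245
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server smartcomvpn protocol tacacs+
aaa-server smartcomvpn (inside) host 10.1.5.20 smartcom timeout 10
vpngroup company address-pool smartvpnaddress
vpngroup company dns-server 10.10.5.20
vpngroup company authentication-server smartcomvpn
crypto map outside_map client authentication smartcomvpn
"""

# Only the PIX 6.x statement shapes this check cares about.
LINE_PATTERNS = {
    "iface": re.compile(r"^ip address (\S+) (\S+) (\S+)$"),
    "pool": re.compile(r"^ip local pool (\S+) (\S+)-(\S+)$"),
    "aaa_proto": re.compile(r"^aaa-server (\S+) protocol (\S+)$"),
    "aaa_host": re.compile(r"^aaa-server (\S+) \((\S+)\) host (\S+) (\S+) timeout (\d+)$"),
    "vpngroup": re.compile(r"^vpngroup (\S+) (\S+) (\S+)$"),
    "cryptomap_auth": re.compile(r"^crypto map (\S+) client authentication (\S+)$"),
}


def parse_config(text):
    """Collect interfaces, pools, AAA groups/hosts and vpngroup attributes into dicts."""
    cfg = {"ifaces": {}, "pools": {}, "aaa_proto": {}, "aaa_hosts": {},
           "vpngroups": {}, "cryptomap_auth": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if m := LINE_PATTERNS["iface"].match(line):
            name, addr, mask = m.groups()
            cfg["ifaces"][name] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        elif m := LINE_PATTERNS["pool"].match(line):
            cfg["pools"][m.group(1)] = (m.group(2), m.group(3))
        elif m := LINE_PATTERNS["aaa_proto"].match(line):
            cfg["aaa_proto"][m.group(1)] = m.group(2)
        elif m := LINE_PATTERNS["aaa_host"].match(line):
            group, iface, host, _key, _timeout = m.groups()
            cfg["aaa_hosts"].setdefault(group, []).append((iface, host))
        elif m := LINE_PATTERNS["vpngroup"].match(line):
            cfg["vpngroups"].setdefault(m.group(1), {})[m.group(2)] = m.group(3)
        elif m := LINE_PATTERNS["cryptomap_auth"].match(line):
            cfg["cryptomap_auth"][m.group(1)] = m.group(2)
    return cfg


def _check_aaa_ref(cfg, where, group):
    """A referenced aaa-server group must exist and (unless LOCAL) have a host."""
    if group not in cfg["aaa_proto"]:
        return [("aaa-undefined", f"{where}: aaa-server group {group} is not defined")]
    if group == "LOCAL":  # the built-in local user database needs no host line
        return []
    if not cfg["aaa_hosts"].get(group):
        proto = cfg["aaa_proto"][group]
        return [("aaa-no-host", f"{where}: aaa-server group {group} ({proto}) has no host")]
    return []


def check_config(cfg):
    """Return (code, message) findings; an empty list means nothing obvious is wrong."""
    findings = []
    for name, (start, end) in cfg["pools"].items():
        if ipaddress.ip_address(start) > ipaddress.ip_address(end):
            findings.append(("pool-range", f"ip local pool {name}: start {start} is above end {end}"))
    for group, hosts in cfg["aaa_hosts"].items():
        for iface, host in hosts:
            net = cfg["ifaces"].get(iface)
            if net is None:
                findings.append(("aaa-iface", f"aaa-server {group}: interface {iface} has no ip address"))
            elif ipaddress.ip_address(host) not in net:
                findings.append(("aaa-host-offsubnet",
                                 f"aaa-server {group}: host {host} is not on {iface} ({net}); "
                                 f"the PIX needs a route to it through that interface"))
    for vg, attrs in cfg["vpngroups"].items():
        pool = attrs.get("address-pool")
        if pool and pool not in cfg["pools"]:
            findings.append(("vpngroup-pool", f"vpngroup {vg}: address-pool {pool} is not defined"))
        if auth := attrs.get("authentication-server"):
            findings.extend(_check_aaa_ref(cfg, f"vpngroup {vg} authentication-server", auth))
    for cm, auth in cfg["cryptomap_auth"].items():
        findings.extend(_check_aaa_ref(cfg, f"crypto map {cm} client authentication", auth))
    return findings


if __name__ == "__main__":
    for code, msg in check_config(parse_config(SAMPLE_CONFIG)):
        print(f"[{code}] {msg}")
```

The check is deliberately narrow: it does not model routes or static NAT, so an off-subnet AAA host that really is reachable through a route out that interface is a warning to verify, not a proven fault.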

Author Comment

by:rmefford
Okay, I think I have figured it out...but now my only real question is how do I get my client to authenticate against the domain user list. I want my users to use the same password on the VPN client as they do on the network.

Randy

Expert Comment

by:lrmoore
This would be a function of your TACACS+ server. What version of ACS are you using?

You might alternatively try using Microsoft's own RADIUS server, which hooks right into your AD domain.


Author Comment

by:rmefford
lrmoore,

Thanks for the help.  I am not sure what you mean by ACS?  VPN Client software is 4.0.4.  I would prefer to continue using the VPN Cisco Client b/c that is what our other vendors are using.  

When you say it is a function of the TACACS+ server, can you explain? Do I need to tell it what server (Domain Controller) to point it to? What is the command to get this to work, or can I use PDM to make the changes?

Thanks,
Randy

Accepted Solution

by:
lrmoore earned 500 total points
These commands:
  >aaa-server smartcomvpn protocol tacacs+
  >aaa-server smartcomvpn (inside) host 10.1.5.20 smartcom timeout 10
  >vpngroup company authentication-server smartcomvpn

Together, they identify your TACACS+ server (Cisco ACS server, I presume) that will do the authentication, and then require vpn clients to get authenticated via this TACACS+ server.
In the ACS server, you have an option to use Domain authentication and you input the domain controller information.
There is nothing in the PIX / PDM where you can change that.

The client software is irrelevant. The Cisco 4.0.4 client will work perfectly well.

If, however, you do not have Cisco ACS TACACS server at all, you have an option to change it to Radius authentication and use Microsoft Windows 2000/2003 IAS radius server...

Step by step for both the server and the PIX:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800b6099.shtml

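
To make the RADIUS option in the accepted answer concrete, here is an editor's added example (not code from the thread, from Cisco or from Microsoft) of the exchange the PIX would have with an IAS server once the vpngroup is switched from TACACS+ to RADIUS: the NAS sends an Access-Request carrying User-Name and a User-Password hidden with the shared secret (RFC 2865 section 5.2), the server answers Access-Accept or Access-Reject, and the NAS checks the Response Authenticator before trusting the verdict. Both sides run in-process; the user table is a constructed stand-in for the domain accounts IAS would consult, and the secrets, identifier and NAS address are made up. The third case shows the failure mode that is easy to mistake for a server problem: a shared-secret mismatch does not produce an error, just a reject with an unverifiable reply.

```python
import hashlib
import hmac
import os
import struct

# RFC 2865 packet codes and the attribute types this example uses.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4

# Constructed stand-in for the account store IAS would consult (the domain).
DIRECTORY = {"randy": "Correct-Horse-Battery-1"}


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    pw = password.encode()
    pw += b"\0" * (-len(pw) % 16) if pw else b"\0" * 16
    out, prev = b"", authenticator
    for i in range(0, len(pw), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(pw[i:i + 16], key))
        out += block
        prev = block  # chaining uses the ciphertext block just produced
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; trailing NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block  # chaining uses the received ciphertext block
    return out.rstrip(b"\0")


def pack_attrs(pairs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in pairs)


def unpack_attrs(data):
    attrs, i = {}, 0
    while i + 2 <= len(data):
        t, length = data[i], data[i + 1]
        if length < 2:
            raise ValueError("malformed attribute")
        attrs[t] = data[i + 2:i + length]
        i += length
    return attrs


def build_access_request(ident, secret, username, password, nas_ip):
    """NAS side (what the PIX sends). Returns the packet and its Request Authenticator."""
    req_auth = os.urandom(16)
    attrs = pack_attrs([
        (USER_NAME, username.encode()),
        (USER_PASSWORD, hide_password(password, secret, req_auth)),
        (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
    ])
    head = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return head + req_auth + attrs, req_auth


def build_response(code, ident, req_auth, attrs, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + req_auth + attrs + secret).digest() + attrs


def radius_server(packet, secret, directory):
    """Server side (what IAS does): recover the password and look the user up."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    req_auth = packet[4:20]
    attrs = unpack_attrs(packet[20:length])
    user = attrs.get(USER_NAME, b"").decode("utf-8", "replace")
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, req_auth)
    ok = user in directory and hmac.compare_digest(password, directory[user].encode())
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, req_auth, b"", secret)


def verify_response(resp, req_auth, secret):
    """NAS side: reject any reply whose authenticator was not computed with our secret."""
    head, resp_auth, attrs = resp[:4], resp[4:20], resp[20:]
    expected = hashlib.md5(head + req_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def authenticate(username, password, nas_secret, server_secret, directory=DIRECTORY):
    """One round trip; returns (accepted, reply_authentic)."""
    packet, req_auth = build_access_request(7, nas_secret, username, password, "10.10.5.1")
    resp = radius_server(packet, server_secret, directory)
    authentic = verify_response(resp, req_auth, nas_secret)
    return authentic and resp[0] == ACCESS_ACCEPT, authentic


if __name__ == "__main__":
    key = b"pix-ias-key"
    print("good password, secrets match: ", authenticate("randy", "Correct-Horse-Battery-1", key, key))
    print("bad password, secrets match:  ", authenticate("randy", "guess", key, key))
    print("good password, secrets differ:", authenticate("randy", "Correct-Horse-Battery-1", key, b"typo-on-ias"))
```

On the PIX 6.3 side the change lrmoore describes uses the same command family already in the posted config: a host line under the existing `aaa-server RADIUS protocol radius` group in the form `aaa-server RADIUS (inside) host <server-ip> <shared-secret> timeout 10`, then `vpngroup company authentication-server RADIUS`; the posted config also names the group in `crypto map outside_map client authentication`, so that reference changes too. The shared secret must be byte-for-byte what is entered for the RADIUS client in IAS, and IAS must list the PIX's inside address as that client.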

Author Comment

by:rmefford
Okay, thanks for the help so far...

TACACS+ server = is this something that I need to purchase separately from my Cisco 506 or 2003 Server?

Every time I run the VPN setup wizard on my 2003 server, all of my users immediately lose access to the network server. Why is that?

Thanks,
Randy

Expert Comment

by:lrmoore
>TACACS+ server = is this something that I need to purchase seperate from my Cisco 506 or 2003 Server?

Yes, and it is very expensive, UNLESS you want to just use the Windows 2003 IAS that you already have.

>Everytime I run the VPN setup wizard on my 2003 server all of my users immediately lose access to the network server.  Why is that?
This is something for a new post in the Windows 2003 server topic area. Let's get you over this first hurdle here...

Author Comment

by:rmefford
lrmoore,

Thanks so far. Well, I have installed the IAS part...do I even need to turn on VPN access to the server? I suppose that is a dumb question but...I better ask.

Expert Comment

by:lrmoore
You do not have to enable VPN on the server for this part to work...


Expert Comment

by:lrmoore
Are you still working on this? Can we be of any more assistance?

Author Comment

by:rmefford
Yes, I am.  

Okay, I have ISA running, but not sure how to configure it.

Also, how will I tell my router to use RADIUS so that my network is authenticating user VPN requests?

Your continued help is appreciated.

Expert Comment

by:lrmoore

Author Comment

by:rmefford
Okay, I tried the link and attempted to follow the processes. Is there an easy way to do this with the PDM? I have run the wizard and I can connect via VPN from the outside, but it is still not challenging me for the network credentials.

I have IAS installed and followed along with the doc but it does seem to work.  This really has to be MUCH MUCH MUCH easier than has been so far.  Is there info I could provide you that would be useful?  

Right now I have just set up local accounts to test with on the router, and that is how they are able to connect, but then they can access all areas of my network.

Author Comment

by:rmefford
I give up...I am closing this question.