Cisco 413 Error When clients try to login

Posted on 2004-10-07
Last Modified: 2013-11-16
I have just set up our Cisco 506 PIX and have enabled VPN connections.

I can access the router but when the network login (Cisco Client) box comes up and challenges for username and password, my users keep getting the following error.  Have I missed a step?  My users have permission to access our domain through VPN.  I am using PDM.  Can someone help?


Question by: rmefford
Author Comment

ID: 12248367
Here is some more information...

The user accounts that the VPN client challenges for should be the user's username and domain. Does the firewall know to check the username and password against the domain? How does this occur?

Below are the results of my show run command:

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXXXX encrypted
passwd xxxxxxxxx encrypted
domain-name companyname
fixup protocol dns maximum-length 1500
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
no fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list outside_access_in permit tcp any host 70.XXX.XXX.195 eq https
access-list outside_access_in permit tcp any host 70.XXX.XXX.195 eq www
access-list outside_access_in permit tcp any host 70.XXX.XXX.195 eq smtp
access-list inside_outbound_nat0_acl permit ip any
access-list outside_cryptomap_dyn_20 permit ip any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 70.XXX.XXX.195
ip address inside
ip audit info action alarm
ip audit attack action alarm
ip local pool smartvpnaddress
pdm location inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0 0
static (inside,outside) tcp 70.XXX.XXX.195 www www netmask 0 0
static (inside,outside) tcp 70.XXX.XXX.195 https https netmask 0 0
static (inside,outside) tcp 70.XXX.XXX.195 smtp smtp netmask 0 0
access-group outside_access_in in interface outside
route outside 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server smartcomvpn protocol tacacs+
aaa-server smartcomvpn (inside) host smartcom timeout 10
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication smartcomvpn
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup company address-pool smartvpnaddress
vpngroup company dns-server
vpngroup company wins-server
vpngroup company default-domain smartcomtech
vpngroup company idle-time 1800
vpngroup company authentication-server smartcomvpn
vpngroup company user-authentication
vpngroup company device-pass-through
vpngroup company password ********
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address inside
dhcpd dns 24.XXX.XXX.219 24.XXX.XXX.218
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
username xxxxx password xxxxxxx encrypted privilege XX
username xxxxx password xxxxxxx encrypted privilege XX
terminal width 80
: end

Author Comment

ID: 12249670
Okay, I think I have figured it out... but now my only real question is how do I get my client to authenticate against the domain user list. I want my users to use the same password on the VPN client as they do on the network.

LVL 79

Expert Comment

ID: 12250412
This would be a function in your Tacacs+ server. What version ACS are you using?

You might alternatively try using Microsoft's own RADIUS server, which hooks right into your AD domain.


Author Comment

ID: 12252568

Thanks for the help. I am not sure what you mean by ACS? VPN Client software is 4.0.4. I would prefer to continue using the Cisco VPN Client because that is what our other vendors are using.

When you say it is a function of the TACACS+ server, can you explain? Do I need to tell it what server (Domain Controller) to point it to? What is the command to get this to work, or can I use PDM to make the changes?

LVL 79

Accepted Solution

lrmoore earned 500 total points
ID: 12253528
These commands:
  >aaa-server smartcomvpn protocol tacacs+
  >aaa-server smartcomvpn (inside) host smartcom timeout 10
  >vpngroup company authentication-server smartcomvpn

Together, they identify your TACACS+ server (Cisco ACS server, I presume) that will do the authentication, and then require vpn clients to get authenticated via this TACACS+ server.
In the ACS server, you have an option to use Domain authentication and you input the domain controller information.
There is nothing in the PIX / PDM where you can change that.

The client software is irrelevant. Cisco 4.0.4 client will work perfectly well.

If, however, you do not have Cisco ACS TACACS server at all, you have an option to change it to Radius authentication and use Microsoft Windows 2000/2003 IAS radius server...

Step by step for both the server and the PIX:
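The RADIUS variant the accepted answer describes, written out in PIX 6.3 syntax next to the TACACS+ lines from the posted config; this is an added example, not lrmoore's step-by-step or anything from the thread. The server tag `vpnradius`, the IAS address 192.0.2.10 and the shared key are placeholders.

```cisco
: --- As posted: VPN user (xauth) authentication handed to a TACACS+ server (Cisco ACS) ---
: The PIX does not talk to the domain itself; whichever AAA server is named here
: is the one that checks the username/password against Active Directory.
aaa-server smartcomvpn protocol tacacs+
aaa-server smartcomvpn (inside) host smartcom timeout 10
vpngroup company authentication-server smartcomvpn
vpngroup company user-authentication
crypto map outside_map client authentication smartcomvpn

: --- Alternative without ACS: RADIUS against Windows 2003 IAS ---
: (assumed: IAS at 192.0.2.10 on the inside network, shared key RADIUS_SHARED_KEY)
aaa-server vpnradius protocol radius
aaa-server vpnradius (inside) host 192.0.2.10 RADIUS_SHARED_KEY timeout 10
: point the client group and the crypto map at the RADIUS tag instead of the TACACS+ one
vpngroup company authentication-server vpnradius
vpngroup company user-authentication
no crypto map outside_map client authentication smartcomvpn
crypto map outside_map client authentication vpnradius

: On the IAS side: add the PIX inside interface address as a RADIUS client with the
: same shared key (a mismatch is silently discarded), and allow PAP in the remote
: access policy, since the PIX forwards xauth credentials to RADIUS as PAP.
```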


Author Comment

ID: 12261385
Okay, thanks for the help so far...

TACACS+ server = is this something that I need to purchase separate from my Cisco 506 or 2003 Server?

Every time I run the VPN setup wizard on my 2003 server all of my users immediately lose access to the network server. Why is that?

LVL 79

Expert Comment

ID: 12261499
>TACACS+ server = is this something that I need to purchase separate from my Cisco 506 or 2003 Server?

Yes, and it is very expensive - UNLESS you want to just use the Windows 2003 IAS that you already have.

>Every time I run the VPN setup wizard on my 2003 server all of my users immediately lose access to the network server. Why is that?
This is something for a new post in the Windows 2003 server topic area. Let's get you over this first hurdle here...

Author Comment

ID: 12261677

Thanks so far. Well, I have installed the IAS. Do I even need to turn on VPN access to the server? I suppose that is a dumb question but... I'd better ask.
LVL 79

Expert Comment

ID: 12261921
You do not have to enable VPN on the server for this part to work...

LVL 79

Expert Comment

ID: 12280497
Are you still working on this? Can we be of any more assistance?

Author Comment

ID: 12309933
Yes, I am.  

Okay, I have ISA running, but not sure how to configure it.

Also, how will I tell my router to use RADIUS so that my network is authenticating user VPN requests?

Your continued help is appreciated.
LVL 79

Expert Comment

ID: 12309996

Author Comment

ID: 12312431
Okay, I tried the link and attempted to follow the processes. Is there an easy way to do this with the PDM? I have run the wizard and I can connect via VPN from the outside, but it is still not challenging me for the network credentials.

I have IAS installed and followed along with the doc but it does seem to work. This really has to be MUCH MUCH MUCH easier than it has been so far. Is there info I could provide you that would be useful?

Right now I have just set up local accounts to test with on the router and that is how they are able to connect, but they can access all areas of my network.

Author Comment

ID: 12381568
I give up...I am closing this question.
