
Cisco 413 Error When clients try to login

Posted on 2004-10-07
Medium Priority
Last Modified: 2013-11-16
I have just set up our Cisco 506 PIX and have enabled VPN connections.

I can access the router but when the network login (Cisco Client) box comes up and challenges for username and password, my users keep getting the following error.  Have I missed a step?  My users have permission to access our domain through VPN.  I am using PDM.  Can someone help?


Question by:rmefford

Author Comment

ID: 12248367
Here is some more information...

The user accounts that the VPN client challenges for should be the user's username and domain password...how does the firewall know to check the username and password against the domain?  How does this occur?

Below are the results of my show run command:

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXXXX encrypted
passwd xxxxxxxxx encrypted
hostname xxxxxxxx.com
domain-name companyname
fixup protocol dns maximum-length 1500
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
no fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list outside_access_in permit tcp any host 70.XXX.XXX.195 eq https
access-list outside_access_in permit tcp any host 70.XXX.XXX.195 eq www
access-list outside_access_in permit tcp any host 70.XXX.XXX.195 eq smtp
access-list inside_outbound_nat0_acl permit ip any
access-list outside_cryptomap_dyn_20 permit ip any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 70.XXX.XXX.195
ip address inside
ip audit info action alarm
ip audit attack action alarm
ip local pool smartvpnaddress
pdm location inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0 0
static (inside,outside) tcp 70.XXX.XXX.195 www www netmask 0 0
static (inside,outside) tcp 70.XXX.XXX.195 https https netmask 0 0
static (inside,outside) tcp 70.XXX.XXX.195 smtp smtp netmask 0 0
access-group outside_access_in in interface outside
route outside 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server smartcomvpn protocol tacacs+
aaa-server smartcomvpn (inside) host smartcom timeout 10
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication smartcomvpn
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup company address-pool smartvpnaddress
vpngroup company dns-server
vpngroup company wins-server
vpngroup company default-domain smartcomtech
vpngroup company idle-time 1800
vpngroup company authentication-server smartcomvpn
vpngroup company user-authentication
vpngroup company device-pass-through
vpngroup company password ********
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address inside
dhcpd dns 24.XXX.XXX.219 24.XXX.XXX.218
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
username xxxxx password xxxxxxx encrypted privilege XX
username xxxxx password xxxxxxx encrypted privilege XX
terminal width 80
: end

Author Comment

ID: 12249670
Okay, I think I have figured it out...but now my only real question is how do I get my client to authenticate against the domain user list.  I want my users to use the same password on the VPN client as they do on the network.

LVL 79

Expert Comment

ID: 12250412
This would be a function in your Tacacs+ server. What version ACS are you using?

You might alternatively try using Microsoft's own Radius server which hooks right into your AD domain..


Author Comment

ID: 12252568

Thanks for the help.  I am not sure what you mean by ACS?  VPN Client software is 4.0.4.  I would prefer to continue using the VPN Cisco Client b/c that is what our other vendors are using.  

When you say it is a function of the TACACS+ server, can you explain?  Do I need to tell it what server (Domain Controller) to point it to?  What is the command to get this to work, or can I use PDM to make the changes?

LVL 79

Accepted Solution

lrmoore earned 1000 total points
ID: 12253528
These commands:
  >aaa-server smartcomvpn protocol tacacs+
  >aaa-server smartcomvpn (inside) host smartcom timeout 10
  >vpngroup company authentication-server smartcomvpn

Together, they identify your TACACS+ server (Cisco ACS server, I presume) that will do the authentication, and then require vpn clients to get authenticated via this TACACS+ server.
In the ACS server, you have an option to use Domain authentication and you input the domain controller information.
There is nothing in the PIX / PDM where you can change that.

The client software is irrelevant. Cisco 4.0.4 client will work perfectly well.

If, however, you do not have Cisco ACS TACACS server at all, you have an option to change it to Radius authentication and use Microsoft Windows 2000/2003 IAS radius server...

Step by step for both the server and the PIX:
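As an added illustration, not part of the original thread and not lrmoore's own text, this is what the RADIUS alternative described in the accepted answer looks like in PIX 6.3 syntax, placed next to the TACACS+ definition from the posted configuration. The server tag `iasradius`, the IAS host address 10.0.0.5 and the shared secret are assumed placeholders; the same secret must be entered for the PIX when it is added as a RADIUS client in IAS.

```text
: Posted definition (TACACS+). The PIX is told to authenticate VPN users
: against a host named "smartcom", so if no TACACS+ service answers there,
: every client login fails even though the IPsec tunnel itself comes up.
: aaa-server smartcomvpn protocol tacacs+
: aaa-server smartcomvpn (inside) host smartcom timeout 10
:
: RADIUS alternative pointing at the Windows IAS server (placeholder values).
aaa-server iasradius protocol radius
aaa-server iasradius (inside) host 10.0.0.5 SharedSecretHere timeout 10
:
: Both the vpngroup and the crypto map XAUTH setting must reference the new
: server tag, otherwise the PIX keeps asking the old TACACS+ server.
vpngroup company authentication-server iasradius
crypto map outside_map client authentication iasradius
```

Usage note: on the IAS side the remote access policy that matches the PIX must permit unencrypted authentication (PAP), because the PIX forwards the XAUTH username and password to RADIUS as a plain PAP request; if only MS-CHAP is allowed, IAS rejects every login. Once the PIX is reconfigured, `show aaa-server` on the PIX and the IAS event log on the Windows server show whether the Access-Request is arriving and why it is being accepted or rejected.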


Author Comment

ID: 12261385
Okay, thanks for the help so far...

TACACS+ server = is this something that I need to purchase separate from my Cisco 506 or 2003 Server?

Every time I run the VPN setup wizard on my 2003 server all of my users immediately lose access to the network server.  Why is that?

LVL 79

Expert Comment

ID: 12261499
>TACACS+ server = is this something that I need to purchase separate from my Cisco 506 or 2003 Server?

Yes, and it is very expensive - UNLESS you want to just use the Windows2003 IAS that you already have.

>Every time I run the VPN setup wizard on my 2003 server all of my users immediately lose access to the network server.  Why is that?
This is something for a new post in the Windows 2003 server topic area. Let's get you over this first hurdle here...

Author Comment

ID: 12261677

Thanks so far.   Well I have installed the IAS part...do I even need to turn on VPN access to the server?  I suppose that is a dumb question but...I better ask.
LVL 79

Expert Comment

ID: 12261921
You do not have to enable VPN on the server for this part to work...

LVL 79

Expert Comment

ID: 12280497
Are you still working on this? Can we be of any more assistance?

Author Comment

ID: 12309933
Yes, I am.  

Okay, I have ISA running, but not sure how to configure it.

Also how will I tell my Router to use Radius so that my network is authenticating user VPN requests?

Your continued help is appreciated.
LVL 79

Expert Comment

ID: 12309996

Author Comment

ID: 12312431
Okay, I tried the link and attempted to follow the processes.  Is there an easy way to do this with the PDM?  I have run the wizard and I can connect via VPN from the outside, but it is still not challenging me for the network credentials.

I have IAS installed and followed along with the doc but it does seem to work.  This really has to be MUCH MUCH MUCH easier than has been so far.  Is there info I could provide you that would be useful?  

Right now I have just set up local accounts to test with on the router and that is how they are able to connect, but they can access all areas of my network.

Author Comment

ID: 12381568
I give up...I am closing this question.
