Cisco 413 Error When clients try to login

I have just set up our cisco 506 pix and have enbale vpn connections.

I can access the router but when the network login (Cisco Client) box comes up and challenges for username and password, my users keep getting the following error.  Have I missed a step?  My users have permission to access our domain through VPN.  I am using PDM.  Can someone help?


Who is Participating?
These commands:
  >aaa-server smartcomvpn protocol tacacs+
  >aaa-server smartcomvpn (inside) host smartcom timeout 10
  >vpngroup company authentication-server smartcomvpn

Together, they identify your TACACS+ server (Cisco ACS server, I presume) that will do the authentication, and then require vpn clients to get authenticated via this TACACS+ server.
In the ACS server, you have an option to use Domain authentication and you input the domain controller information.
There is nothing in the PIX / PDM where you can change that.

The client software is irrelevent. Cisco 4.0.4 client will work perfectly well.

If, however, you do not have Cisco ACS TACACS server at all, you have an option to change it to Radius authentication and use Microsoft Windows 2000/2003 IAS radius server...

Step by step for both the server and the PIX:

rmeffordAuthor Commented:
Here is some more information...

The user accounts that the VPN client challenges for should be the users username and domain does the firewall know to check the username and password against the domain?  How does this occur?

Below are the results of my show run command:

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXXXX encrypted
passwd xxxxxxxxx encrypted
domain-name companyname
fixup protocol dns maximum-length 1500
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
no fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list outside_access_in permit tcp any host 70.XXX.XXX.195 eq https
access-list outside_access_in permit tcp any host 70.XXX.XXX.195 eq www
access-list outside_access_in permit tcp any host 70.XXX.XXX.195 eq smtp
access-list inside_outbound_nat0_acl permit ip any
access-list outside_cryptomap_dyn_20 permit ip any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 70.XXX.XXX.195
ip address inside
ip audit info action alarm
ip audit attack action alarm
ip local pool smartvpnaddress
pdm location inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0 0
static (inside,outside) tcp 70.XXX.XXX.195 www www netmask 0 0
static (inside,outside) tcp 70.XXX.XXX.195 https https netmask 0 0
static (inside,outside) tcp 70.XXX.XXX.195 smtp smtp netmask 0 0
access-group outside_access_in in interface outside
route outside 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server smartcomvpn protocol tacacs+
aaa-server smartcomvpn (inside) host smartcom timeout 10
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication smartcomvpn
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup company address-pool smartvpnaddress
vpngroup company dns-server
vpngroup company wins-server
vpngroup company default-domain smartcomtech
vpngroup company idle-time 1800
vpngroup company authentication-server smartcomvpn
vpngroup company user-authentication
vpngroup company device-pass-through
vpngroup company password ********
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address inside
dhcpd dns 24.XXX.XXX.219 24.XXX.XXX.218
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
username xxxxx password xxxxxxx encrypted privilege XX
username xxxxx password xxxxxxx encrypted privilege XX
terminal width 80
: end
rmeffordAuthor Commented:
Okay, I think I have figured it out...but now my only real questions is how do I get my client to authenticate against the domain user list.  I want my users to use the same password on the VPN client as they do on the network.

Managing Security Policy in a Changing Environment

The enterprise network environment is evolving rapidly as companies extend their physical data centers to embrace cloud computing and software-defined networking. This new reality means that the challenge of managing the security policy is much more dynamic and complex.

This would be a function in your Tacacs+ server. What version ACS are you using?

You might alternatively try using Microsoft's own Radius server which hooks right into your AD domain..

rmeffordAuthor Commented:

Thanks for the help.  I am not sure what you mean by ACS?  VPN Client software is 4.0.4.  I would prefer to continue using the VPN Cisco Client b/c that is what our other vendors are using.  

When you say it is a function of Tacacs+ server, can you explain?  Do you I need to tell it what server (Domain Controller) to point it too?  What is the command to get this to work, or can I use PDM to make the changes.

rmeffordAuthor Commented:
Okay, thanks for the help so far...

TACACS+ server = is this something that I need to purchase seperate from my Cisco 506 or 2003 Server?

Everytime I run the VPN setup wizard on my 2003 server all of my users immediately lose access to the network server.  Why is that?

>TACACS+ server = is this something that I need to purchase seperate from my Cisco 506 or 2003 Server?

Yes, and it is very expensive - UNLESS you want to just use the Windows2003 IAS that you already have.

>Everytime I run the VPN setup wizard on my 2003 server all of my users immediately lose access to the network server.  Why is that?
This is something for a new post in the Windows 2003 server topic area. Let's get you over this first hurdle here...
rmeffordAuthor Commented:

Thanks so far.   Well I have installed the IAS I even need to turn on VPN access to the server?  I suppose that is a dumb quesiont but...I better ask.
You do not have to enable VPN on the server for this part to work...

Are you still working on this? Can we be of any more assistance?
rmeffordAuthor Commented:
Yes, I am.  

Okay, I have ISA running, but not sure how to configure it.

Also how will I tell my Routher to use Radius so that my network is authenticating user VPN request?

Your continued help is appreciated.
rmeffordAuthor Commented:
Okay, I tried the link and attempted to follow the processes.  Is there an easy way to do this with the PDM?  I have run the wizard and I can connect via vpn from the outside, but It is still not challenging me for the network credintials.

I have IAS installed and followed along with the doc but it does seem to work.  This really has to be MUCH MUCH MUCH easier than has been so far.  Is there info I could provide you that would be useful?  

Right now I have just setup local accounts to test with on the router and that is how they are able to connect, but they they can access all areas of my network.
rmeffordAuthor Commented:
I give up...I am closing this question.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.