Solved

PIX VPN authentication over AD 2000 Domain. Getting "auth" errors on PIX.

Posted on 2004-10-14
Last Modified: 2013-11-16
I have set up our PIX and IAS server per instruction from CISCO:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800b6099.shtml

But when I try to connect from home, the Windows client at home gets as far as "Verifying User Name and Password", then times out.
When I look in the PIX logs, I see the following entries (xip.home.140.82 <- IP at home, xvpn.ip.26.194 <- outside IP on the PIX):

"...
24941      10/13/2004 7:11:02 PM      Oct 13 19:09:06      local4      Information      #PIX-6-109002:      Auth from 0.0.0.0/0 to 10.1.1.39/0 failed (server 192.168.100.55 failed) on interface outside      
..."
"...
25160      10/13/2004 7:12:52 PM      Oct 13 19:10:56      local4      Information      #PIX-6-603105:      PPTP Tunnel deleted, tunnel_id = 30, remote_peer_ip = xip.home.140.82      
25159      10/13/2004 7:12:52 PM      Oct 13 19:10:56      local4      Information      #PIX-6-603104:      PPTP Tunnel created, tunnel_id is 30, remote_peer_ip is xip.home.140.82, ppp_virtual_interface_id is 5, client_dynamic_ip is 0.0.0.0, username is , MPPE_key_strength is None
..."
"...
24750      10/13/2004 7:09:31 PM      Oct 13 19:07:35      local4      Debug      #PIX-7-710002:      TCP access permitted from xip.home.140.82/1527 to outside:xvpn.ip.26.194/pptp      
24749      10/13/2004 7:09:31 PM      Oct 13 19:07:35      local4      Debug      #PIX-7-710001:      TCP access requested from xip.home.140.82/1527 to outside:xvpn.ip.26.194/pptp      
23882      10/13/2004 7:05:24 PM      Oct 13 19:03:28      local4      Debug      #PIX-7-710005:      TCP request discarded from xip.home.140.82/1522 to outside:xvpn.ip.26.194/pptp
..."


There was already a discussion about this here: http://www.experts-exchange.com/Security/Firewalls/Q_20930453.html?query=pix+vpn+active+directory&clearTAFilter=true but they didn't have the same problems.

I am using PPTP at home, and when I try L2TP it doesn't connect at all, not even to the IP address.

Anything you can suggest is appreciated.

Question by:pwslgl
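Added example, not from the thread: a small Python triage script for syslog exports in the format pasted above (sequence number, collector time, device time, facility, severity, message ID, text). The sample lines are constructed, with RFC 5737 documentation addresses standing in for the masked ones, and the triage rules are assumptions of this example. It separates the two distinct things the log actually says: a 109002 message whose text blames the server ("server ... failed") rather than reporting a rejected credential, and a PPTP tunnel (603104 created, 603105 deleted) that lives only seconds and never carries a username, i.e. it was torn down before PPP authentication completed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the same export format as the question; the addresses are
# RFC 5737 documentation ranges standing in for the masked ones in the post.
SAMPLE_LOG = """\
23882      10/13/2004 7:05:24 PM      Oct 13 19:03:28      local4      Debug      #PIX-7-710005:      TCP request discarded from 198.51.100.82/1522 to outside:203.0.113.194/pptp
24749      10/13/2004 7:09:31 PM      Oct 13 19:07:35      local4      Debug      #PIX-7-710001:      TCP access requested from 198.51.100.82/1527 to outside:203.0.113.194/pptp
24750      10/13/2004 7:09:31 PM      Oct 13 19:07:35      local4      Debug      #PIX-7-710002:      TCP access permitted from 198.51.100.82/1527 to outside:203.0.113.194/pptp
24941      10/13/2004 7:11:02 PM      Oct 13 19:09:06      local4      Information      #PIX-6-109002:      Auth from 0.0.0.0/0 to 10.1.1.39/0 failed (server 192.168.100.55 failed) on interface outside
25159      10/13/2004 7:12:52 PM      Oct 13 19:10:56      local4      Information      #PIX-6-603104:      PPTP Tunnel created, tunnel_id is 30, remote_peer_ip is 198.51.100.82, ppp_virtual_interface_id is 5, client_dynamic_ip is 0.0.0.0, username is , MPPE_key_strength is None
25160      10/13/2004 7:12:52 PM      Oct 13 19:10:56      local4      Information      #PIX-6-603105:      PPTP Tunnel deleted, tunnel_id = 30, remote_peer_ip = 198.51.100.82
"""

LINE_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<received>\S+ \S+ \S+)\s+"
    r"(?P<device_time>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d)\s+"
    r"(?P<facility>\S+)\s+(?P<severity>\S+)\s+"
    r"#PIX-(?P<level>\d)-(?P<msgid>\d{6}):\s+(?P<text>.*)$"
)
SERVER_FAIL_RE = re.compile(r"failed \(server (?P<server>\S+) failed\)")
TUNNEL_RE = re.compile(r"tunnel_id (?:is|=) (?P<tid>\d+), remote_peer_ip (?:is|=) (?P<peer>[^,\s]+)")
USERNAME_RE = re.compile(r"username is (?P<user>[^,]*),")


def parse(text):
    """Parse export lines into dicts, skipping anything the export mangled."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["seq"] = int(ev["seq"])
            # Device time carries no year; strptime defaults it, fine for deltas
            ev["ts"] = datetime.strptime(ev["device_time"], "%b %d %H:%M:%S")
            events.append(ev)
    return sorted(events, key=lambda e: e["seq"])


def triage(events, window_seconds=5):
    """Flag 109002 'server failed' messages, and PPTP tunnels that were created
    and deleted within window_seconds without the 603104 message ever carrying a
    username (heuristic: the tunnel died before PPP authentication finished)."""
    findings = []
    tunnels = defaultdict(dict)
    for ev in events:
        if ev["msgid"] == "109002":
            m = SERVER_FAIL_RE.search(ev["text"])
            if m:
                findings.append(("AAA_SERVER_FAILED", ev["device_time"], m.group("server")))
        elif ev["msgid"] in ("603104", "603105"):
            m = TUNNEL_RE.search(ev["text"])
            if m:
                tunnels[(m.group("peer"), m.group("tid"))][ev["msgid"]] = ev
    for (peer, tid), evs in tunnels.items():
        created, deleted = evs.get("603104"), evs.get("603105")
        if not (created and deleted):
            continue
        lifetime = (deleted["ts"] - created["ts"]).total_seconds()
        user = USERNAME_RE.search(created["text"])
        if 0 <= lifetime <= window_seconds and user and not user.group("user").strip():
            findings.append(("TUNNEL_DROPPED_BEFORE_PPP_AUTH", created["device_time"],
                             f"peer {peer} tunnel {tid} up {lifetime:.0f}s"))
    return findings


if __name__ == "__main__":
    for finding in triage(parse(SAMPLE_LOG)):
        print(*finding)
```

The point of keeping the two findings apart is that they point at different layers: the 109002 line is the PIX's verdict on its exchange with the RADIUS server, while the 603104/603105 pair is the PPTP control channel giving up; a credential rejection by the server would be a different message altogether, so a server-side or transport problem is the first thing to rule out.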
 
LVL 79

Expert Comment

by:lrmoore
ID: 12307872
Those instructions are particular to using the Cisco VPN client. Since you are using the Microsoft PPTP client, your configuration will be different.

Do you have a line like this:

vpdn group 1 client authentication partnerauth

Reference:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080093f89.shtml
 

Author Comment

by:pwslgl
ID: 12308178
Mine is set to the following:

vpdn group vpn5000 accept dialin pptp
vpdn group vpn5000 ppp authentication chap
vpdn group vpn5000 ppp authentication mschap
vpdn group vpn5000 client configuration address local solpool
vpdn group vpn5000 client configuration dns 192.168.100.54 192.168.100.55
vpdn group vpn5000 client configuration wins 192.168.100.54 192.168.100.55
vpdn group vpn5000 client authentication aaa RADIUS
vpdn group vpn5000 pptp echo 45
vpdn enable outside



 
LVL 79

Expert Comment

by:lrmoore
ID: 12308335
I don't see where you specify MPPE encryption, and

"PIX Firewall PPTP VPN supports standard PPP CCP negotiations with Microsoft Point-To-Point Encryption (MPPE) extensions using RSA/RC4 algorithm. MPPE currently supports 40-bit and 128-bit session keys. MPPE generates an initial key during user authentication and refreshes the key regularly. In this release, compression is not supported.

When you specify MPPE, you must use the MS-CHAP PPP authentication protocol. If you are using an external AAA server, the protocol must be RADIUS and the external RADIUS server must be able to return the Microsoft MSCHAP_MPPE_KEY attribute to the PIX Firewall in the RADIUS Authentication Accept packet. See RFC 2548, "Microsoft Vendor Specific RADIUS Attributes," for more information on the MSCHAP_MPPE_KEY attribute. "

More reference and config examples here:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/tz.htm#wp1083965

I'd have to see the complete config to be of much more help..
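Added example, not from the thread or from Cisco's documentation: a Python script that assembles a RADIUS Access-Accept the way a server would and then checks it the way a NAS configured for MPPE has to. Two things are verified. First, the Response Authenticator, MD5(Code + ID + Length + RequestAuth + Attributes + Secret) from RFC 2865; a reply that fails this check (a shared-secret mismatch, for instance) must be silently discarded by the NAS, so from the NAS's side the server simply never answered. Second, the presence of MPPE key material in a Microsoft vendor-specific attribute (vendor ID 311, RFC 2548): MS-CHAP-MPPE-Keys (vendor-type 12) for MS-CHAPv1, or MS-MPPE-Send-Key (16) plus MS-MPPE-Recv-Key (17). The shared secret, Request Authenticator and key blob are constructed placeholders; on the wire the key blob is encrypted under the secret and Request Authenticator as RFC 2548 describes, which this example does not implement. As a caveat for anyone reading this today: MS-CHAPv1 with 40-bit MPPE provides no meaningful confidentiality against a modern attacker.

```python
import hashlib
import struct

# RADIUS framing (RFC 2865) and the Microsoft vendor attributes (RFC 2548)
ACCESS_ACCEPT = 2
ATTR_SERVICE_TYPE = 6
ATTR_VENDOR_SPECIFIC = 26
VENDOR_MICROSOFT = 311
MS_MPPE_ENCRYPTION_POLICY = 7
MS_CHAP_MPPE_KEYS = 12      # session keys for MS-CHAPv1
MS_MPPE_SEND_KEY = 16       # session keys for MS-CHAPv2
MS_MPPE_RECV_KEY = 17


def attribute(atype, value):
    """Plain RADIUS attribute: Type, Length (including the 2-byte header), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def microsoft_vsa(vendor_type, value):
    """Vendor-Specific (26) attribute carrying one Microsoft sub-attribute."""
    inner = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return attribute(ATTR_VENDOR_SPECIFIC, struct.pack("!I", VENDOR_MICROSOFT) + inner)


def build_response(code, identifier, request_auth, secret, attributes):
    """Assemble a reply whose Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    attrs = b"".join(attributes)
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def parse_attributes(data):
    """Walk a Type/Length/Value sequence; reject truncated or zero-length TLVs."""
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs


def microsoft_subattributes(attrs):
    """Collect vendor-type -> value for every Microsoft VSA in the reply."""
    found = {}
    for atype, value in attrs:
        if (atype == ATTR_VENDOR_SPECIFIC and len(value) >= 6
                and struct.unpack("!I", value[:4])[0] == VENDOR_MICROSOFT):
            for vtype, vvalue in parse_attributes(value[4:]):
                found[vtype] = vvalue
    return found


def check_accept(packet, request_auth, secret):
    """What a NAS with MPPE enabled needs from the reply: a valid Response
    Authenticator (otherwise RFC 2865 says discard silently) and MPPE key material."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    response_auth, attrs_raw = packet[4:20], packet[20:length]
    expected = hashlib.md5(packet[:4] + request_auth + attrs_raw + secret).digest()
    result = {"code": code, "authenticator_ok": expected == response_auth,
              "mppe_keys": False, "problems": []}
    if not result["authenticator_ok"]:
        result["problems"].append("Response Authenticator mismatch (wrong shared secret or "
                                  "corrupted reply); the NAS must discard it, so the server "
                                  "appears never to have answered")
        return result
    if code != ACCESS_ACCEPT:
        result["problems"].append("reply is not an Access-Accept")
        return result
    ms = microsoft_subattributes(parse_attributes(attrs_raw))
    result["mppe_keys"] = (MS_CHAP_MPPE_KEYS in ms
                           or (MS_MPPE_SEND_KEY in ms and MS_MPPE_RECV_KEY in ms))
    if not result["mppe_keys"]:
        result["problems"].append("no MS-CHAP-MPPE-Keys or MS-MPPE-Send/Recv-Key VSA: a NAS "
                                  "configured with 'ppp encryption mppe' has no session keys")
    return result


# Constructed values: a real Request Authenticator is 16 random bytes chosen by the NAS.
REQUEST_AUTH = bytes.fromhex("00112233445566778899aabbccddeeff")
SECRET = b"pix-shared-secret"
IDENTIFIER = 7

# Accept with MPPE material (the 32-byte key blob is a placeholder; on the wire it is
# encrypted under the secret and Request Authenticator per RFC 2548).
ACCEPT_WITH_KEYS = build_response(ACCESS_ACCEPT, IDENTIFIER, REQUEST_AUTH, SECRET, [
    attribute(ATTR_SERVICE_TYPE, struct.pack("!I", 2)),              # Framed-User
    microsoft_vsa(MS_MPPE_ENCRYPTION_POLICY, struct.pack("!I", 1)),  # Encryption-Allowed
    microsoft_vsa(MS_CHAP_MPPE_KEYS, bytes(32)),
])
# Accept from a server that authenticated the user but returned no key material.
ACCEPT_WITHOUT_KEYS = build_response(ACCESS_ACCEPT, IDENTIFIER, REQUEST_AUTH, SECRET, [
    attribute(ATTR_SERVICE_TYPE, struct.pack("!I", 2)),
])

if __name__ == "__main__":
    for name, pkt, key in (("keys", ACCEPT_WITH_KEYS, SECRET),
                           ("no keys", ACCEPT_WITHOUT_KEYS, SECRET),
                           ("bad secret", ACCEPT_WITH_KEYS, b"typo")):
        print(name, check_accept(pkt, REQUEST_AUTH, key))
```

The second and third cases are the ones worth keeping in mind when a RADIUS server log says "granted access" while the NAS says the server failed: the server can be perfectly happy with the user and still send a reply the NAS cannot use, either because the secrets differ or because the accept carries no MPPE keys.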
 

Author Comment

by:pwslgl
ID: 12308644
Here is the rest of the vpn-related config:
__________BEGIN________________

ip local pool solpool 10.1.1.1-10.1.1.254
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.168.100.55 **key** timeout 45
aaa-server LOCAL protocol local
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host 192.168.100.55 **key** timeout 5

sysopt connection permit-ipsec
sysopt connection permit-pptp

vpdn group vpn5000 accept dialin pptp
vpdn group vpn5000 ppp authentication chap
vpdn group vpn5000 ppp authentication mschap
vpdn group vpn5000 ppp encryption mppe 40
vpdn group vpn5000 client configuration address local solpool
vpdn group vpn5000 client configuration dns 192.168.100.54 192.168.100.55
vpdn group vpn5000 client configuration wins 192.168.100.54 192.168.100.55
vpdn group vpn5000 client authentication aaa partnerauth
vpdn group vpn5000 pptp echo 60

vpdn enable outside



 
LVL 79

Expert Comment

by:lrmoore
ID: 12308671
Do you have a nat 0 ACL, like:
   access-list nat_0 permit ip 192.168.100.0 255.255.255.0 10.1.1.0 255.255.255.0
   nat (inside) 0 access-list nat_0
 

Author Comment

by:pwslgl
ID: 12308873
It's there:

nat (inside) 0 access-list nonat
nat (inside) 10 0.0.0.0 0.0.0.0 0 0

access-list nonat line 19 permit ip 192.168.100.0 255.255.255.0 10.1.1.0 255.255.255.0


 

Author Comment

by:pwslgl
ID: 12308931
Here is the entry from IAS server log:

User DOMAIN\userid was granted access.
 Fully-Qualified-User-Name = domain.net/Admins/UserID
 NAS-IP-Address = pix.intrn.ip.addrs
 NAS-Identifier = <not present>
 Client-Friendly-Name = PIX
 Client-IP-Address = pix.intrn.ip.addrs
 NAS-Port-Type = <not present>
 NAS-Port = 536
 Policy-Name = dial-in
 Authentication-Type = MS-CHAPv1
 EAP-Type = <undetermined>  


I am at a loss :)
 

Author Comment

by:pwslgl
ID: 12308973
Here is more information if it helps: the vpdn connection while it is trying to authenticate:

pix#sh vpdn


%No active L2TP tunnels


PPTP Tunnel and Session Information (Total tunnels=1 sessions=1)


Tunnel id 43, remote id is 43, 1 active sessions
  Tunnel state is estabd, time since event change 13 secs
  remote   Internet Address home.ip, port 1095
  Local    Internet Address pix.out.ip, port 1723
  4 packets sent, 10 received, 130 bytes sent, 594 received


Call id 40 is up on tunnel id 43
Remote Internet Address is home.ip
  Session username is unknown, state is estabd
    Time since event change 13 secs, interface outside
    Remote call id is 32768
    PPP interface id is 6
    4 packets sent, 10 received, 130 bytes sent, 594 received
    Seq 5, Ack 9, Ack_Rcvd 4, peer RWS 64
    0 out of order packets
             

%No active PPPoE tunnels
 
LVL 79

Expert Comment

by:lrmoore
ID: 12309107
Did you set up the RADIUS server's NAS client as "standard" RADIUS, or as vendor-specific "Cisco"?
It should be set up for "standard".

Try changing the client authentication from MSCHAP to allow PAP and see if that makes a difference...
You also have to allow the pap auth in the vpdn config...


 

Author Comment

by:pwslgl
ID: 12309605
I know, it's not funny anymore, but PAP did not work (userid was rejected).

It has been configured as Standard RADIUS, though once I tried Cisco with no positive result.
 
LVL 79

Accepted Solution

by: lrmoore (earned 500 total points)
ID: 12309656
If you have SmartNet, or the PIX is new and still under warranty, you can open a TAC case with Cisco..

Do you have any access-lists applied to your inside interface?

 

Author Comment

by:pwslgl
ID: 12319597
Thank you for all your help. I will contact Cisco and maybe just start from scratch.
