Solved

PIX VPN authentication over AD 2000 Domain. Getting "auth" errors on PIX.

Posted on 2004-10-14
Last Modified: 2013-11-16
I have set up our PIX and IAS server per the instructions from Cisco:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800b6099.shtml

But when I try to connect from home, the Windows client gets as far as "Verifying User Name and Password", then times out.
When I look in the PIX logs, I see the following entries (xip.home.140.82 <- IP at home, xvpn.ip.26.194 <- outside IP on the PIX):

"...
24941      10/13/2004 7:11:02 PM      Oct 13 19:09:06      local4      Information      #PIX-6-109002:      Auth from 0.0.0.0/0 to 10.1.1.39/0 failed (server 192.168.100.55 failed) on interface outside      
..."
"...
25160      10/13/2004 7:12:52 PM      Oct 13 19:10:56      local4      Information      #PIX-6-603105:      PPTP Tunnel deleted, tunnel_id = 30, remote_peer_ip = xip.home.140.82      
25159      10/13/2004 7:12:52 PM      Oct 13 19:10:56      local4      Information      #PIX-6-603104:      PPTP Tunnel created, tunnel_id is 30, remote_peer_ip is xip.home.140.82, ppp_virtual_interface_id is 5, client_dynamic_ip is 0.0.0.0, username is , MPPE_key_strength is None
..."
"...
24750      10/13/2004 7:09:31 PM      Oct 13 19:07:35      local4      Debug      #PIX-7-710002:      TCP access permitted from xip.home.140.82/1527 to outside:xvpn.ip.26.194/pptp      
24749      10/13/2004 7:09:31 PM      Oct 13 19:07:35      local4      Debug      #PIX-7-710001:      TCP access requested from xip.home.140.82/1527 to outside:xvpn.ip.26.194/pptp      
23882      10/13/2004 7:05:24 PM      Oct 13 19:03:28      local4      Debug      #PIX-7-710005:      TCP request discarded from xip.home.140.82/1522 to outside:xvpn.ip.26.194/pptp
..."


There was already a discussion about this here, [ http://www.experts-exchange.com/Security/Firewalls/Q_20930453.html?query=pix+vpn+active+directory&clearTAFilter=true ] but they didn't have the same problems.

I am using PPTP at home, and when I try L2TP it doesn't connect at all, not even to the IP address.

Anything you can suggest is appreciated.
Question by:pwslgl
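The PIX messages quoted in the question are the whole diagnostic picture: a 109002 "Auth ... failed (server ... failed)" line naming the RADIUS server, and a 603104 "PPTP Tunnel created" line whose username field is empty and whose MPPE_key_strength is None. A small triage script that pulls those fields out of a syslog export is an added example here, not code from the question or from Cisco; the sample log text is constructed to match the shape of the export above, with RFC 5737 documentation addresses standing in for the masked home and PIX addresses.

```python
import re
from collections import Counter

# Constructed sample in the shape of the question's PIX syslog export.
# 198.51.100.82 / 203.0.113.194 are documentation addresses standing in for the
# masked home and PIX addresses; 192.168.100.55 is the RADIUS server from the thread.
SAMPLE_LOG = """\
24941 10/13/2004 7:11:02 PM Oct 13 19:09:06 local4 Information #PIX-6-109002: Auth from 0.0.0.0/0 to 10.1.1.39/0 failed (server 192.168.100.55 failed) on interface outside
25160 10/13/2004 7:12:52 PM Oct 13 19:10:56 local4 Information #PIX-6-603105: PPTP Tunnel deleted, tunnel_id = 30, remote_peer_ip = 198.51.100.82
25159 10/13/2004 7:12:52 PM Oct 13 19:10:56 local4 Information #PIX-6-603104: PPTP Tunnel created, tunnel_id is 30, remote_peer_ip is 198.51.100.82, ppp_virtual_interface_id is 5, client_dynamic_ip is 0.0.0.0, username is , MPPE_key_strength is None
24750 10/13/2004 7:09:31 PM Oct 13 19:07:35 local4 Debug #PIX-7-710002: TCP access permitted from 198.51.100.82/1527 to outside:203.0.113.194/pptp
"""

# PIX messages look like %PIX-<severity>-<id>: <text>; this export renders the prefix as "#PIX-".
MSG_RE = re.compile(r"[#%]PIX-(?P<sev>\d)-(?P<msgid>\d{6}):\s*(?P<text>.*)$")
# 109002: the PIX gave up on authentication because the AAA server did not answer usably.
AUTH_FAIL_RE = re.compile(
    r"Auth from (?P<src>\S+) to (?P<dst>\S+) failed \(server (?P<server>\S+) failed\)"
    r" on interface (?P<iface>\S+)")
# 603104: PPTP tunnel created. An empty username with MPPE_key_strength None means
# the PPP authentication phase never completed for that tunnel.
TUNNEL_UP_RE = re.compile(
    r"tunnel_id is (?P<tunnel>\d+), remote_peer_ip is (?P<peer>\S+),"
    r".*username is (?P<user>[^,]*), MPPE_key_strength is (?P<mppe>\S+)")


def parse_line(line):
    """Return a dict for one PIX syslog line, or None if the line is not a PIX message."""
    m = MSG_RE.search(line)
    if not m:
        return None
    rec = {"severity": int(m["sev"]), "msgid": m["msgid"], "text": m["text"]}
    if rec["msgid"] == "109002":
        f = AUTH_FAIL_RE.search(rec["text"])
        if f:
            rec.update(f.groupdict())          # src, dst, server, iface
    elif rec["msgid"] == "603104":
        t = TUNNEL_UP_RE.search(rec["text"])
        if t:
            rec.update(tunnel=int(t["tunnel"]), peer=t["peer"],
                       username=t["user"].strip(), mppe=t["mppe"])
    return rec


def triage(log_text):
    """Count AAA server failures per server and list PPTP tunnels that came up without a user."""
    server_failures = Counter()
    unauthenticated_tunnels = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["msgid"] == "109002" and "server" in rec:
            server_failures[rec["server"]] += 1
        elif rec["msgid"] == "603104" and rec.get("username") == "":
            unauthenticated_tunnels.append((rec["tunnel"], rec["peer"]))
    return {"server_failures": dict(server_failures),
            "unauthenticated_tunnels": unauthenticated_tunnels}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for server, n in result["server_failures"].items():
        print(f"AAA server {server} reported as failed {n} time(s): check reachability, "
              f"shared key and that its Access-Accept carries the attributes the PIX expects")
    for tunnel, peer in result["unauthenticated_tunnels"]:
        print(f"PPTP tunnel {tunnel} from {peer} came up with no username: PPP auth never completed")
```

Run against a real export the script only needs the lines to contain the `#PIX-` or `%PIX-` prefix; the leading event number and timestamps are ignored. The point of the two counters is that a 109002 naming the RADIUS server alongside an IAS log saying "granted" (as in this thread) points at the reply content rather than at reachability.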
12 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 12307872
Those instructions are particular to using the Cisco VPN client. Since you are using the Microsoft PPTP client, your configuration will be different.

Do you have a line like this:

vpdn group 1 client authentication partnerauth

Reference:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080093f89.shtml
 

Author Comment

by:pwslgl
ID: 12308178
Mine is set to the following:

vpdn group vpn5000 accept dialin pptp
vpdn group vpn5000 ppp authentication chap
vpdn group vpn5000 ppp authentication mschap
vpdn group vpn5000 client configuration address local solpool
vpdn group vpn5000 client configuration dns 192.168.100.54 192.168.100.55
vpdn group vpn5000 client configuration wins 192.168.100.54 192.168.100.55
vpdn group vpn5000 client authentication aaa RADIUS
vpdn group vpn5000 pptp echo 45
vpdn enable outside



 
LVL 79

Expert Comment

by:lrmoore
ID: 12308335
I don't see where you specify MPPE encryption, and

"PIX Firewall PPTP VPN supports standard PPP CCP negotiations with Microsoft Point-To-Point Encryption (MPPE) extensions using RSA/RC4 algorithm. MPPE currently supports 40-bit and 128-bit session keys. MPPE generates an initial key during user authentication and refreshes the key regularly. In this release, compression is not supported.

When you specify MPPE, you must use the MS-CHAP PPP authentication protocol. If you are using an external AAA server, the protocol must be RADIUS and the external RADIUS server must be able to return the Microsoft MSCHAP_MPPE_KEY attribute to the PIX Firewall in the RADIUS Authentication Accept packet. See RFC 2548, "Microsoft Vendor Specific RADIUS Attributes," for more information on the MSCHAP_MPPE_KEY attribute. "

More reference and config examples here:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/tz.htm#wp1083965

I'd have to see the complete config to be of much more help.
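The quoted Cisco text makes a concrete, checkable requirement: for MPPE the RADIUS server's Access-Accept must carry the Microsoft MSCHAP_MPPE_KEY vendor-specific attribute (RFC 2548, vendor id 311). The following is an added example, not code from the thread or from Cisco or Microsoft, showing how a NAS-side checker parses a RADIUS reply, verifies its Response Authenticator, and reports whether usable MPPE key material is present. The shared secret, request authenticator and the 32-byte key blob are constructed placeholders (the blob is zeros, not real encrypted key material), and the two sample packets are built by the script itself.

```python
import hashlib
import hmac
import struct

# RADIUS codes and attribute numbers from RFC 2865; Microsoft sub-attributes from RFC 2548.
ACCESS_ACCEPT = 2
ATTR_SERVICE_TYPE = 6
ATTR_FRAMED_PROTOCOL = 7
ATTR_VENDOR_SPECIFIC = 26
MS_VENDOR_ID = 311
MS_CHAP_MPPE_KEYS = 12   # MS-CHAP v1 key blob (what the PIX doc calls MSCHAP_MPPE_KEY)
MS_MPPE_SEND_KEY = 16    # MS-CHAP v2 key material
MS_MPPE_RECV_KEY = 17


def attr(atype, value):
    """Encode one RADIUS attribute as type, total length, value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([atype, len(value) + 2]) + value


def ms_vsa(vendor_type, value):
    """Wrap a Microsoft sub-attribute in Vendor-Specific (26) with vendor id 311."""
    sub = bytes([vendor_type, len(value) + 2]) + value
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack(">I", MS_VENDOR_ID) + sub)


def build_access_accept(ident, request_auth, secret, attrs):
    """Build an Access-Accept with a correct Response Authenticator (RFC 2865 section 3)."""
    body = b"".join(attrs)
    header = struct.pack(">BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def verify_response_authenticator(packet, request_auth, secret):
    """NAS-side check: a reply whose authenticator does not verify must be discarded."""
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_packet(packet):
    """Return (code, identifier, [(type, value), ...]), rejecting malformed lengths."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack(">BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, attrs


def microsoft_vsas(attrs):
    """Extract (vendor_type, value) pairs from Microsoft Vendor-Specific attributes."""
    out = []
    for atype, value in attrs:
        if atype != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack(">I", value[:4])[0] != MS_VENDOR_ID:
            continue
        pos = 4
        while pos < len(value):
            if pos + 2 > len(value):
                raise ValueError("truncated VSA sub-attribute")
            vtype, vlen = value[pos], value[pos + 1]
            if vlen < 2 or pos + vlen > len(value):
                raise ValueError("bad VSA sub-attribute length")
            out.append((vtype, value[pos + 2:pos + vlen]))
            pos += vlen
    return out


def mppe_key_status(packet):
    """Report whether an Access-Accept carries key material a PPTP/MPPE NAS can use."""
    code, _ident, attrs = parse_packet(packet)
    types = {vtype for vtype, _ in microsoft_vsas(attrs)}
    v1 = MS_CHAP_MPPE_KEYS in types
    v2 = MS_MPPE_SEND_KEY in types and MS_MPPE_RECV_KEY in types
    return {"access_accept": code == ACCESS_ACCEPT, "mschap_v1_keys": v1,
            "mschap_v2_keys": v2, "usable_for_mppe": code == ACCESS_ACCEPT and (v1 or v2)}


# Constructed sample replies: placeholder secret, request authenticator and key blob.
REQUEST_AUTH = bytes(range(16))
SECRET = b"constructed-shared-secret"
COMMON = [attr(ATTR_SERVICE_TYPE, struct.pack(">I", 2)),      # Service-Type = Framed
          attr(ATTR_FRAMED_PROTOCOL, struct.pack(">I", 1))]   # Framed-Protocol = PPP
WITH_KEYS = build_access_accept(7, REQUEST_AUTH, SECRET,
                                COMMON + [ms_vsa(MS_CHAP_MPPE_KEYS, bytes(32))])
WITHOUT_KEYS = build_access_accept(8, REQUEST_AUTH, SECRET, COMMON)

if __name__ == "__main__":
    for name, pkt in (("with keys", WITH_KEYS), ("without keys", WITHOUT_KEYS)):
        ok = verify_response_authenticator(pkt, REQUEST_AUTH, SECRET)
        print(name, "authenticator ok:", ok, mppe_key_status(pkt))
```

The second packet is the failure mode this thread is circling: the server says "granted" in its own log, the reply verifies, but without attribute 12 (or the 16/17 pair for MS-CHAP v2) a NAS that has MPPE configured has nothing to key the session with. On a live system the same check would be run over a capture of the Access-Accept on UDP/1812 or 1645 between the PIX and the IAS host.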

 

Author Comment

by:pwslgl
ID: 12308644
Here is the rest of the vpn-related config:
__________BEGIN________________

ip local pool solpool 10.1.1.1-10.1.1.254
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.168.100.55 **key** timeout 45
aaa-server LOCAL protocol local
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host 192.168.100.55 **key** timeout 5

sysopt connection permit-ipsec
sysopt connection permit-pptp

vpdn group vpn5000 accept dialin pptp
vpdn group vpn5000 ppp authentication chap
vpdn group vpn5000 ppp authentication mschap
vpdn group vpn5000 ppp encryption mppe 40
vpdn group vpn5000 client configuration address local solpool
vpdn group vpn5000 client configuration dns 192.168.100.54 192.168.100.55
vpdn group vpn5000 client configuration wins 192.168.100.54 192.168.100.55
vpdn group vpn5000 client authentication aaa partnerauth
vpdn group vpn5000 pptp echo 60

vpdn enable outside



 
LVL 79

Expert Comment

by:lrmoore
ID: 12308671
Do you have a nat 0 ACL?
   access-list nat_0 permit ip 192.168.100.0 255.255.255.0 10.1.1.0 255.255.255.0
   nat (inside) 0 access-list nat_0
 

Author Comment

by:pwslgl
ID: 12308873
It's there:

nat (inside) 0 access-list nonat
nat (inside) 10 0.0.0.0 0.0.0.0 0 0

access-list nonat line 19 permit ip 192.168.100.0 255.255.255.0 10.1.1.0 255.255.255.0

 

Author Comment

by:pwslgl
ID: 12308931
Here is the entry from IAS server log:

User DOMAIN\userid was granted access.
 Fully-Qualified-User-Name = domain.net/Admins/UserID
 NAS-IP-Address = pix.intrn.ip.addrs
 NAS-Identifier = <not present>
 Client-Friendly-Name = PIX
 Client-IP-Address = pix.intrn.ip.addrs
 NAS-Port-Type = <not present>
 NAS-Port = 536
 Policy-Name = dial-in
 Authentication-Type = MS-CHAPv1
 EAP-Type = <undetermined>  


I am at a loss :)
 

Author Comment

by:pwslgl
ID: 12308973
Here is more information if it helps: the vpdn connection while it is trying to authenticate:

pix#sh vpdn


%No active L2TP tunnels


PPTP Tunnel and Session Information (Total tunnels=1 sessions=1)


Tunnel id 43, remote id is 43, 1 active sessions
  Tunnel state is estabd, time since event change 13 secs
  remote   Internet Address home.ip, port 1095
  Local    Internet Address pix.out.ip, port 1723
  4 packets sent, 10 received, 130 bytes sent, 594 received


Call id 40 is up on tunnel id 43
Remote Internet Address is home.ip
  Session username is unknown, state is estabd
    Time since event change 13 secs, interface outside
    Remote call id is 32768
    PPP interface id is 6
    4 packets sent, 10 received, 130 bytes sent, 594 received
    Seq 5, Ack 9, Ack_Rcvd 4, peer RWS 64
    0 out of order packets
             

%No active PPPoE tunnels
 
LVL 79

Expert Comment

by:lrmoore
ID: 12309107
Did you set up the RADIUS server NAS client as "standard" RADIUS, or as vendor-specific "Cisco"?
It should be set up for "standard".

Try changing the client authentication from MSCHAP to allow PAP and see if that makes a difference...
You also have to allow the pap auth in the vpdn config...


 

Author Comment

by:pwslgl
ID: 12309605
I know, it's not funny any more, but PAP did not work (userid was rejected).

It has been configured as standard RADIUS, though once I tried Cisco with no positive result.
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 12309656
If you have SmartNet, or the PIX is new and still under warranty, you can open a TAC case with Cisco.

Do you have any access-lists applied to your inside interface?

 

Author Comment

by:pwslgl
ID: 12319597
Thank you for all your help. I will contact Cisco and maybe just start from scratch.
