PIX VPN authentication over AD 2000 Domain. Getting "auth" errors on PIX.

I have set up our PIX and IAS server per instruction from CISCO:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800b6099.shtml

But when I try to connect from home, on the home Windows side it gets to "Verifying User Name and Password", then times out.
When I look in the PIX logs, I see the following entries: ( xip.home.140.82 < - ip at home and xvpn.ip.26.194 <-outside ip on PIX )

"...
24941      10/13/2004 7:11:02 PM      Oct 13 19:09:06      local4      Information      #PIX-6-109002:      Auth from 0.0.0.0/0 to 10.1.1.39/0 failed (server 192.168.100.55 failed) on interface outside      
..."
"...
25160      10/13/2004 7:12:52 PM      Oct 13 19:10:56      local4      Information      #PIX-6-603105:      PPTP Tunnel deleted, tunnel_id = 30, remote_peer_ip = xip.home.140.82      
25159      10/13/2004 7:12:52 PM      Oct 13 19:10:56      local4      Information      #PIX-6-603104:      PPTP Tunnel created, tunnel_id is 30, remote_peer_ip is xip.home.140.82, ppp_virtual_interface_id is 5, client_dynamic_ip is 0.0.0.0, username is , MPPE_key_strength is None
..."
"...
24750      10/13/2004 7:09:31 PM      Oct 13 19:07:35      local4      Debug      #PIX-7-710002:      TCP access permitted from xip.home.140.82/1527 to outside:xvpn.ip.26.194/pptp      
24749      10/13/2004 7:09:31 PM      Oct 13 19:07:35      local4      Debug      #PIX-7-710001:      TCP access requested from xip.home.140.82/1527 to outside:xvpn.ip.26.194/pptp      
23882      10/13/2004 7:05:24 PM      Oct 13 19:03:28      local4      Debug      #PIX-7-710005:      TCP request discarded from xip.home.140.82/1522 to outside:xvpn.ip.26.194/pptp
..."


There was already a discussion about this here, [ http://www.experts-exchange.com/Security/Firewalls/Q_20930453.html?query=pix+vpn+active+directory&clearTAFilter=true ] but they didn't have the same problems.

I am using PPTP at home, and when I try L2TP it doesn't connect at all, not even to the IP address.

Anything you can suggest is appreciated.
lrmooreCommented:
Those instructions are particular to using the Cisco VPN client. Since you are using Microsoft PPTP client, your configuration will be different.

Do you have a line like this:

vpdn group 1 client authentication partnerauth

Reference:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080093f89.shtml
 
pwslglAuthor Commented:
Mine is set to the following:

vpdn group vpn5000 accept dialin pptp
vpdn group vpn5000 ppp authentication chap
vpdn group vpn5000 ppp authentication mschap
vpdn group vpn5000 client configuration address local solpool
vpdn group vpn5000 client configuration dns 192.168.100.54 192.168.100.55
vpdn group vpn5000 client configuration wins 192.168.100.54 192.168.100.55
vpdn group vpn5000 client authentication aaa RADIUS
vpdn group vpn5000 pptp echo 45
vpdn enable outside



 
lrmooreCommented:
I don't see where you specify MPPE encryption, and

"PIX Firewall PPTP VPN supports standard PPP CCP negotiations with Microsoft Point-To-Point Encryption (MPPE) extensions using RSA/RC4 algorithm. MPPE currently supports 40-bit and 128-bit session keys. MPPE generates an initial key during user authentication and refreshes the key regularly. In this release, compression is not supported.

When you specify MPPE, you must use the MS-CHAP PPP authentication protocol. If you are using an external AAA server, the protocol must be RADIUS and the external RADIUS server must be able to return the Microsoft MSCHAP_MPPE_KEY attribute to the PIX Firewall in the RADIUS Authentication Accept packet. See RFC 2548, "Microsoft Vendor Specific RADIUS Attributes," for more information on the MSCHAP_MPPE_KEY attribute. "

More reference and config examples here:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/tz.htm#wp1083965

I'd have to see the complete config to be of much more help..
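The quoted PIX documentation says the RADIUS server must return the Microsoft MSCHAP_MPPE_KEY attribute in the Access-Accept. As an added example (not code from the thread, from Cisco or from Microsoft), this builds an Access-Accept in memory and checks it for the RFC 2548 Microsoft vendor-specific attributes (vendor id 311): MS-CHAP-MPPE-Keys (vendor type 12, the MS-CHAPv1 attribute) or the MS-MPPE-Send-Key/MS-MPPE-Recv-Key pair (vendor types 16 and 17). The packet bytes and key material are constructed dummies; in the real protocol those fields carry key material encrypted with the RADIUS shared secret. The same check can be run over a captured Access-Accept to see whether the server actually sends the attribute.

```python
"""Added example, not code from the original thread: encode and decode RADIUS
Vendor-Specific attributes in the RFC 2548 (Microsoft) layout and check whether
an Access-Accept carries MPPE key material.  All packets here are constructed;
the key bytes are dummies, not real encrypted keys."""
import struct

RADIUS_ACCESS_ACCEPT = 2
RADIUS_ACCESS_REJECT = 3
ATTR_FRAMED_IP_ADDRESS = 8
ATTR_VENDOR_SPECIFIC = 26
VENDOR_MICROSOFT = 311
MS_CHAP_MPPE_KEYS = 12   # RFC 2548 2.4.1, 32 octets, MS-CHAPv1
MS_MPPE_SEND_KEY = 16    # RFC 2548 2.4.2, salt + encrypted key, MS-CHAPv2
MS_MPPE_RECV_KEY = 17    # RFC 2548 2.4.3


def attr(atype, value):
    """Encode one RFC 2865 attribute: type(1) length(1) value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def vsa(vendor_id, vendor_type, data):
    """Encode a Vendor-Specific attribute: vendor-id(4) vendor-type(1) vendor-length(1) data."""
    inner = struct.pack("!BB", vendor_type, len(data) + 2) + data
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)


def radius_packet(code, identifier, authenticator, attributes):
    """Assemble code(1) identifier(1) length(2) authenticator(16) attributes."""
    body = b"".join(attributes)
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + authenticator + body


def parse_attributes(packet):
    """Yield (type, value) for each top-level attribute, rejecting bad lengths."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("RADIUS length field does not match packet size")
    pos = 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length at offset %d" % pos)
        yield atype, packet[pos + 2:pos + alen]
        pos += alen


def parse_vsas(packet, vendor_id):
    """Return {vendor_type: data} for every sub-attribute of the given vendor."""
    found = {}
    for atype, value in parse_attributes(packet):
        if atype != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != vendor_id:
            continue
        pos = 4
        while pos + 2 <= len(value):
            vtype, vlen = value[pos], value[pos + 1]
            if vlen < 2 or pos + vlen > len(value):
                break
            found[vtype] = value[pos + 2:pos + vlen]
            pos += vlen
    return found


def mppe_keys_present(packet):
    """True if an Access-Accept carries MS-CHAP-MPPE-Keys or both MS-MPPE-*-Key attributes."""
    if packet[0] != RADIUS_ACCESS_ACCEPT:
        return False
    ms = parse_vsas(packet, VENDOR_MICROSOFT)
    return MS_CHAP_MPPE_KEYS in ms or (MS_MPPE_SEND_KEY in ms and MS_MPPE_RECV_KEY in ms)


DUMMY_AUTH = bytes(range(16))  # constructed Response Authenticator, not computed
POOL_ADDR = bytes([10, 1, 1, 39])  # Framed-IP-Address from the pool named on the page

# Accept with an address only: no key material for MPPE.
ACCEPT_NO_KEYS = radius_packet(RADIUS_ACCESS_ACCEPT, 1, DUMMY_AUTH, [
    attr(ATTR_FRAMED_IP_ADDRESS, POOL_ADDR)])
# Accept carrying MS-CHAP-MPPE-Keys (32 dummy octets), the MS-CHAPv1 form.
ACCEPT_V1_KEYS = radius_packet(RADIUS_ACCESS_ACCEPT, 2, DUMMY_AUTH, [
    attr(ATTR_FRAMED_IP_ADDRESS, POOL_ADDR),
    vsa(VENDOR_MICROSOFT, MS_CHAP_MPPE_KEYS, bytes(32))])
# Accept carrying the Send/Recv key pair (2-octet salt + dummy ciphertext), the MS-CHAPv2 form.
ACCEPT_V2_KEYS = radius_packet(RADIUS_ACCESS_ACCEPT, 3, DUMMY_AUTH, [
    vsa(VENDOR_MICROSOFT, MS_MPPE_SEND_KEY, b"\x80\x01" + bytes(34)),
    vsa(VENDOR_MICROSOFT, MS_MPPE_RECV_KEY, b"\x80\x02" + bytes(34))])

if __name__ == "__main__":
    for name, pkt in [("no keys", ACCEPT_NO_KEYS), ("v1 keys", ACCEPT_V1_KEYS), ("v2 keys", ACCEPT_V2_KEYS)]:
        print(name, "->", mppe_keys_present(pkt), sorted(parse_vsas(pkt, VENDOR_MICROSOFT)))
```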
 
pwslglAuthor Commented:
Here is the rest of the vpn-related config:
__________BEGIN________________

ip local pool solpool 10.1.1.1-10.1.1.254
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.168.100.55 **key** timeout 45
aaa-server LOCAL protocol local
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host 192.168.100.55 **key** timeout 5

sysopt connection permit-ipsec
sysopt connection permit-pptp

vpdn group vpn5000 accept dialin pptp
vpdn group vpn5000 ppp authentication chap
vpdn group vpn5000 ppp authentication mschap
vpdn group vpn5000 ppp encryption mppe 40
vpdn group vpn5000 client configuration address local solpool
vpdn group vpn5000 client configuration dns 192.168.100.54 192.168.100.55
vpdn group vpn5000 client configuration wins 192.168.100.54 192.168.100.55
vpdn group vpn5000 client authentication aaa partnerauth
vpdn group vpn5000 pptp echo 60

vpdn enable outside



 
lrmooreCommented:
Do you have a nat-0 acl ..
   access-list nat_0 permit ip 192.168.100.0 255.255.255.0 10.1.1.0 255.255.255.0
   nat (inside) 0 access-list nat_0
 
pwslglAuthor Commented:
It's there:

nat (inside) 0 access-list nonat
nat (inside) 10 0.0.0.0 0.0.0.0 0 0

access-list nonat line 19 permit ip 192.168.100.0 255.255.255.0 10.1.1.0 255.255.255.0

 
pwslglAuthor Commented:
Here is the entry from IAS server log:

User DOMAIN\userid was granted access.
 Fully-Qualified-User-Name = domain.net/Admins/UserID
 NAS-IP-Address = pix.intrn.ip.addrs
 NAS-Identifier = <not present>
 Client-Friendly-Name = PIX
 Client-IP-Address = pix.intrn.ip.addrs
 NAS-Port-Type = <not present>
 NAS-Port = 536
 Policy-Name = dial-in
 Authentication-Type = MS-CHAPv1
 EAP-Type = <undetermined>  


I am at a loss :)
 
pwslglAuthor Commented:
Here is more information if it helps: the vpdn connection while it is trying to authenticate:

pix#sh vpdn


%No active L2TP tunnels


PPTP Tunnel and Session Information (Total tunnels=1 sessions=1)


Tunnel id 43, remote id is 43, 1 active sessions
  Tunnel state is estabd, time since event change 13 secs
  remote   Internet Address home.ip, port 1095
  Local    Internet Address pix.out.ip, port 1723
  4 packets sent, 10 received, 130 bytes sent, 594 received


Call id 40 is up on tunnel id 43
Remote Internet Address is home.ip
  Session username is unknown, state is estabd
    Time since event change 13 secs, interface outside
    Remote call id is 32768
    PPP interface id is 6
    4 packets sent, 10 received, 130 bytes sent, 594 received
    Seq 5, Ack 9, Ack_Rcvd 4, peer RWS 64
    0 out of order packets
             

%No active PPPoE tunnels
 
lrmooreCommented:
Did you setup the Radius server NAS client as "standard" radius, or as vendor-specific "cisco" ?
It should be setup for "standard"

Try changing the client authentication from MSCHAP to allow PAP and see if that makes a difference...
You also have to allow the pap auth in the vpdn config...


 
pwslglAuthor Commented:
I know, it's not funny any more, but PAP did not work (the userid was rejected).

It has been configured as Standard RADIUS, though once I tried Cisco with no positive result.
 
lrmooreCommented:
If you have SmartNet, or the PIX is new and still under warranty, you can open a TAC case with Cisco..

Do you have any access-lists applied to your inside interface?

 
pwslglAuthor Commented:
Thank you for all your help. I will contact Cisco and maybe just start from scratch.