VPN XAUTH - Unable To Use Cisco PIX & Cisco VPN Client with Windows 2003 IAS RADIUS Authentication

Cisco remote access VPN Clients (v4.08) are able to connect to the PIX515e configured as VPN Server and access the internal LAN without problems as long as I don't enable extended user authentication. With XAUTH enabled in the PIX config the remote users are being prompted for a username & PW, but once they enter it nothing happens and the IKE setup times out & disconnects. (On the other end, the log files on the M.S. IAS (RADIUS) server show no entries at all.)

I need to enable Extended Authentication (XAUTH) & would like to use Microsoft IAS (RADIUS) on our only Windows 2003 Server DC if possible?

 Cisco Tech Support referred me to http://www.cisco.com/warp/public/110/cvpn3k_pix_ias.html (Document ID 18897) for a setup guide.  Cisco Tech also checked my PIX config & said it was fine, AAA XAUTH using IAS should work but since it doesn't I assume I need to review my IAS config on the Microsoft Server 2003.

The Cisco setup documentation related to configuring IAS on the Microsoft Windows 2003 Server step #5 says to add a user into the local computer account via ADMIN TOOLS>COMP MGMT>SYS TOOLS>LOCAL USERS & GROUPS and to give that account a password that is the same as the "shared secret" defined in the IAS PIX RADIUS CLIENT config.

Problem 1: My (1 & only) Microsoft Windows 2003 Server domain controller does not have an icon for "LOCAL USERS & GROUPS" in the Computer Management window. (I tried adding the local account in the DOMAIN LOCAL group with no luck.)

Problem 2: Also, the DIAL-IN tab instruction for this local account says "leave default setting of CONTROL ACCESS THROUGH REMOTE ACCESS POLICY", but that is not an option because it is greyed out.

I have IP connectivity from the remote access client all the way through to the IAS RADIUS server.
IPSec VPN remote access connections are perfect until I enable XAUTH using M.S. IAS RADIUS server.

Has anyone who has used Cisco PIX & Cisco VPN Client with Windows 2003 IAS RADIUS Extended Authentication got any ideas for me?  Thanks much for any tips as I just can't bring myself to put laptops out there as VPN clients without any user authentication enabled!

lrmoore Commented:
Can the PIX actually ping the IAS server?
Is this server on the same network segment as the inside of the PIX?
Looking for routers or anything that may not be forwarding the RADIUS protocol packets between the PIX and the IAS server.
dealvis (Author) Commented:
Resolved unavailability of "CONTROL ACCESS THROUGH REMOTE ACCESS POLICY" option on User properties sheet DIAL-IN tab by changing Windows 2000 domain to NATIVE mode but XAUTH still is not working...
>Configuring the Microsoft Windows 2003 Server with IAS
Be sure that Client-Vendor is set to RADIUS Standard

Pay particular attention to this section of the document, and particularly item 4
x Allow Unencrypted Authentication (PAP, SPAP)
is the only box checked

For Item #5,
Since this is your DC, go to Admin Tools/ Active Directory Users and Computers
"Add user with Cisco password "cisco123" and check the following profile information."
This is not the same as "to give that account a password that is the same as the "shared secret" defined in the IAS PIX RADIUS CLIENT config"

Add a user "Cisco" password "cisco123" and allow dial-in access

Step 5 is simply to setup a test account to verify.


dealvis (Author) Commented:
Thx - Yes, the only authentication option selected is: x Allow Unencrypted Authentication (PAP, SPAP)
Also double checked Client Vendor option and it is indeed set to RADIUS STANDARD

At this point I am attempting to use PIX debug commands and also Microsoft Network Monitor to determine if the PIX's XAUTH requests are even reaching the Microsoft 2003 Server with IAS installed?

This morning I also bypassed our layer 3 Catalyst switch just to rule out the possibility of the VLAN config preventing the PIX (outside interface) from communicating with the IAS (RADIUS) server on the inside (V)LAN.  Didn't help.
Thanks for the tips lrmoore - any other ideas I'd love to hear them!
One I can think of is what Lrmoore already pointed out but I'm not sure if you have done it;

>>Add a user "Cisco" password "cisco123" and allow dial-in access

Look at the last part : "Allow dial-in access". This has to be enabled on AD, have you tried that?

If still yes, then posting your configuration would really help.

dealvis (Author) Commented:
Problem Solved - PIX515e now performing XAUTH of Cisco VPN remote access clients via Microsoft Windows Server 2003 running IAS (radius) to verify remote user's Active Directory username & PW entered during VPN client connection process.

I had 2 problems.

1st problem was INCORRECT configuration on PIX - designation of RADIUS server referenced wrong PIX interface:
aaa-server Remote_Users (outside) host psk4ipsecauth timeout 10

Corrected by changing to:
aaa-server Remote_Users (inside) host psk4ipsecauth timeout 10

(At this point RADIUS requests began flowing through the PIX to the Windows Server 2003 running IAS, located on the internal LAN connected to the PIX INSIDE interface.)

2nd problem was wrong IP address specified for PIX in the "RADIUS Clients" configuration on the Windows Server 2003 running IAS.
 The correct IP address to enter for the PIX when configuring IAS to treat the PIX as a RADIUS client is the IP address of the PIX INSIDE interface (NOT the OUTSIDE interface as I had wrongly entered).

In summary:
When specifying the RADIUS server you want the PIX to use for XAUTH of remote access VPN clients make sure you specify the PIX interface closest to the server, [in my case the INSIDE interface] NOT the OUTSIDE interface the remote access clients connect to, when you enter that PIX command.  Again, here is the correct example from my configuration:
 aaa-server Remote_Users (inside) host psk4ipsecauth timeout 10

Also when setting up your Windows Server 2003 to perform XAUTH via IAS for the PIX by adding the PIX as a RADIUS Client to IAS,  enter the IP address of the PIX interface nearest the server when specifying the Radius Client IP address on the Radius Client Properties Sheet.

Many Thanks to all who helped me!  I am  a newbie to all this (including ExEX) and the only IT person where I work so I struggle to respond quickly to the posts but they are invaluable to me.
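Both fixes above come down to one thing: IAS identifies a RADIUS client by the source address of the UDP packet, so the address registered under "RADIUS Clients" must be the PIX interface the request actually leaves from (the one named in the aaa-server line). A request from an unregistered address is discarded before authentication, which is why the IAS log stayed empty. The following is an added example, not code from the original thread: an offline model of an RFC 2865 Access-Request/Access-Accept exchange with PAP password hiding and Response-Authenticator checking. It shows the silent drop for an unknown client address, and that a reply computed with the wrong shared secret fails verification on the NAS side. The addresses, shared secret and user credentials are constructed for illustration.

```python
"""RFC 2865 RADIUS exchange modelled offline (added example, constructed data)."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def pap_encrypt(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """User-Password hiding (RFC 2865 s5.2): pad to a 16-byte multiple, then
    XOR each block with MD5(secret + previous block), seeded with the Request
    Authenticator. This is obfuscation keyed on the shared secret, not real
    encryption, which is why PAP over RADIUS needs a trusted inside path."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        chunk = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + chunk, chunk
    return out


def pap_decrypt(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_encrypt; the server strips the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(chunk, hashlib.md5(secret + prev).digest()))
        prev = chunk
    return out.rstrip(b"\x00")


def _avp(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(data):
        attr_type, length = data[i], data[i + 1]
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def build_access_request(ident: int, secret: bytes, username: str, password: str,
                         nas_ip: str, authenticator: bytes = None) -> bytes:
    """What the PIX sends for XAUTH: Code 1, a random 16-byte Request
    Authenticator, then User-Name, hidden User-Password and NAS-IP-Address."""
    auth = authenticator or os.urandom(16)
    attrs = (_avp(USER_NAME, username.encode())
             + _avp(USER_PASSWORD, pap_encrypt(password.encode(), secret, auth))
             + _avp(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs


def ias_handle(packet: bytes, src_ip: str, clients: dict, users: dict):
    """Server-side decision path. `clients` maps the packet's SOURCE address
    (the PIX interface facing the server) to its shared secret. An unknown
    source is dropped before authentication or logging: returns None, the
    same outcome as a request that never reaches the server at all."""
    if src_ip not in clients:
        return None
    secret = clients[src_ip]
    _, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth = packet[4:20]
    attrs = parse_attrs(packet[20:length])
    user = attrs[USER_NAME].decode()
    pw = pap_decrypt(attrs[USER_PASSWORD], secret, req_auth).decode(errors="replace")
    code = ACCESS_ACCEPT if users.get(user) == pw else ACCESS_REJECT
    head = struct.pack("!BBH", code, ident, 20)  # no reply attributes in this model
    return head + hashlib.md5(head + req_auth + secret).digest()


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """NAS-side check of the Response Authenticator (RFC 2865 s3):
    MD5(Code+ID+Length + RequestAuth + Attributes + Secret). A reply built
    with a different secret (or forged) fails and must be treated as no reply."""
    head, resp_auth, attrs = response[:4], response[4:20], response[20:]
    return resp_auth == hashlib.md5(head + request[4:20] + attrs + secret).digest()


# Constructed data: inside interface 192.168.1.1 is registered, outside is not.
SECRET = b"example-shared-secret"
CLIENTS = {"192.168.1.1": SECRET}
USERS = {"jsmith": "Passw0rd!"}


def demo() -> dict:
    req = build_access_request(7, SECRET, "jsmith", "Passw0rd!", "192.168.1.1")
    accepted = ias_handle(req, "192.168.1.1", CLIENTS, USERS)
    bad_pw = build_access_request(8, SECRET, "jsmith", "wrong", "192.168.1.1")
    return {
        "dropped": ias_handle(req, "203.0.113.5", CLIENTS, USERS),   # unregistered source
        "accepted_code": accepted[0],
        "accept_verified": verify_response(accepted, req, SECRET),
        "wrong_secret_verified": verify_response(accepted, req, b"other"),
        "rejected_code": ias_handle(bad_pw, "192.168.1.1", CLIENTS, USERS)[0],
    }


if __name__ == "__main__":
    print(demo())
```

The `dropped` result is the symptom from the original post seen from the server's side: no response and no log entry. When debugging this kind of setup, a packet capture on the IAS host that shows UDP/1645 or UDP/1812 arriving from an address other than the one registered under "RADIUS Clients" points directly at the second fix above.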

> Cisco Tech also checked my PIX config & said it was fine
Yea Team! Whoda thunk?

I can't believe it. You saying they missed the 'outside' part on the aaa-server ?? Man, here instead of one pair of eye, you get more so from next time onwards post the config along with the post.

