VPN XAUTH - Unable To Use Cisco PIX & Cisco VPN Client with Windows 2003 IAS RADIUS Authentication

Posted on 2006-06-12
Medium Priority
Last Modified: 2012-06-27
Cisco remote access VPN Clients (v4.08) are able to connect to PIX515e configured as VPN Server and access the internal LAN without problems as long as I don't enable extended user authentication.  With XAUTH enabled in the PIX config the remote users are being prompted for a username & PW but once they enter it nothing happens and the IKE setup times out & disconnects.  (On the other end, the log files on the M.S. IAS (RADIUS) server show no entries at all)

I need to enable Extended Authentication (XAUTH) & would like to use Microsoft IAS (RADIUS) on our only Windows 2003 Server DC if possible?

Cisco Tech Support referred me to http://www.cisco.com/warp/public/110/cvpn3k_pix_ias.html (Document ID 18897) for a setup guide.  Cisco Tech also checked my PIX config & said it was fine, AAA XAUTH using IAS should work, but since it doesn't I assume I need to review my IAS config on the Microsoft Server 2003.

The Cisco setup documentation related to configuring IAS on the Microsoft Windows 2003 Server step #5 says to add a user into the local computer account via ADMIN TOOLS>COMP MGMT>SYS TOOLS>LOCAL USERS & GROUPS and to give that account a password that is the same as the "shared secret" defined in the IAS PIX RADIUS CLIENT config.

Problem 1: My (1 & Only) Microsoft Windows 2003 Server domain controller does not have an icon for "LOCAL USERS & GROUPS" in the Computer Management window.  (I tried adding the local account in the DOMAIN LOCAL group with no luck).

Problem 2: Also the DIAL-IN Tab instruction for this Local Account says "leave default setting of CONTROL ACCESS THROUGH REMOTE ACCESS POLICY", but that is not an option because it is greyed out.

I have IP connectivity from the remote access client all the way through to the IAS RADIUS server.
IPSec VPN remote access connections are perfect until I enable XAUTH using M.S. IAS RADIUS server.

Has anyone who has used Cisco PIX & Cisco VPN Client with Windows 2003 IAS RADIUS Extended Authentication got any ideas for me?  Thanks much for any tips as I just can't bring myself to put laptops out there as VPN clients without any user authentication enabled!

Question by:dealvis

Author Comment

ID: 16890010
Resolved unavailability of "CONTROL ACCESS THROUGH REMOTE ACCESS POLICY" option on User properties sheet DIAL-IN tab by changing Windows 2000 domain to NATIVE mode but XAUTH still is not working...
LVL 79

Expert Comment

ID: 16890141
>Configuring the Microsoft Windows 2003 Server with IAS
Be sure that Client-Vendor is set to RADIUS Standard

Pay particular attention to this section of the document, and particularly item 4:
[x] Allow Unencrypted Authentication (PAP, SPAP)
is the only box checked.

For Item #5,
Since this is your DC, go to Admin Tools/ Active Directory Users and Computers
"Add user with Cisco password "cisco123" and check the following profile information."
This is not the same as "to give that account a password that is the same as the "shared secret" defined in the IAS PIX RADIUS CLIENT config"

Add a user "Cisco" password "cisco123" and allow dial-in access

Step 5 is simply to setup a test account to verify.


Author Comment

ID: 16893543
Thx - Yes, the only Authentication Option selected is: [x] Allow Unencrypted Authentication (PAP, SPAP)
Also double checked the Client Vendor option and it is indeed set to RADIUS STANDARD.

At this point I am attempting to use PIX debug commands and also Microsoft Network Monitor to determine if the PIX's XAUTH requests are even reaching the Microsoft 2003 Server with IAS installed.

This morning I also bypassed our layer 3 Catalyst switch just to rule out the possibility of the VLAN config preventing the PIX (outside interface) from communicating with the IAS (RADIUS) server on the inside (V)LAN.  Didn't help.
Thanks for the tips lrmoore - any other ideas, I'd love to hear them!
LVL 32

Expert Comment

ID: 16895979
One I can think of is what lrmoore already pointed out, but I'm not sure if you have done it:

>>Add a user "Cisco" password "cisco123" and allow dial-in access

Look at the last part : "Allow dial-in access". This has to be enabled on AD, have you tried that?

If still yes, then posting your configuration would really help.

LVL 79

Accepted Solution

lrmoore earned 375 total points
ID: 16897747
Can the PIX actually ping the IAS server?
Is this server on the same network segment as the inside of the PIX?
Looking for routers or anything that may not be forwarding the RADIUS protocol packets between the PIX and the IAS server.

Author Comment

ID: 16905723
Problem Solved - PIX515e now performing XAUTH of Cisco VPN remote access clients via Microsoft Windows Server 2003 running IAS (radius) to verify remote user's Active Directory username & PW entered during VPN client connection process.

I had 2 problems.

1st problem was INCORRECT configuration on PIX - designation of RADIUS server referenced wrong PIX interface:
aaa-server Remote_Users (outside) host psk4ipsecauth timeout 10

Corrected by changing to:
aaa-server Remote_Users (inside) host psk4ipsecauth timeout 10

(At this point RADIUS requests began flowing through the PIX to the Windows Server 2003 running IAS, located on the internal LAN connected to the PIX INSIDE interface.)

2nd problem was wrong IP address specified for PIX in the "RADIUS Clients" configuration on the Windows Server 2003 running IAS.
The correct IP address to enter for the PIX when configuring IAS to treat the PIX as a RADIUS client is the IP address of the PIX INSIDE interface (NOT the OUTSIDE interface as I had wrongly entered).

In summary:
When specifying the RADIUS server you want the PIX to use for XAUTH of remote access VPN clients, make sure you specify the PIX interface closest to the server [in my case the INSIDE interface], NOT the OUTSIDE interface the remote access clients connect to, when you enter that PIX command.  Again, here is the correct example from my configuration:
aaa-server Remote_Users (inside) host psk4ipsecauth timeout 10

Also, when setting up your Windows Server 2003 to perform XAUTH via IAS for the PIX by adding the PIX as a RADIUS Client to IAS, enter the IP address of the PIX interface nearest the server when specifying the Radius Client IP address on the Radius Client Properties Sheet.

Many Thanks to all who helped me!  I am a newbie to all this (including ExEX) and the only IT person where I work, so I struggle to respond quickly to the posts, but they are invaluable to me.
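Both of the author's fixes come down to the same thing: the RADIUS server only talks to source addresses it has been told about, and it never sends an error when it does not recognise one. The following Python is an added example written for this page, not code from the thread, from Cisco, or from Microsoft. It implements the RFC 2865 PAP password hiding and Response Authenticator, plus a toy RADIUS server that, as the RFC requires, silently discards requests from any source address missing from its client table. The addresses 10.0.0.1 (PIX inside) and 203.0.113.1 (PIX outside), the secret "s3cret", and the user "cisco"/"cisco123" (the test account from the Cisco document the thread cites) are constructed for the demo; no real PIX or IAS is involved.

```python
import hashlib
import os
import struct

# RFC 2865 packet codes and the attribute types used in this example
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def encode_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def decode_password(cipher, secret, authenticator):
    """Inverse of encode_password; with the wrong secret this yields garbage, not an error."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(cipher[i:i + 16], key))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attributes(data):
    attrs, i = {}, 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def build_access_request(ident, username, password, secret, nas_ip):
    """What the NAS (here, the PIX) sends: header, random Request Authenticator, attributes."""
    req_auth = os.urandom(16)
    attrs = (attribute(USER_NAME, username)
             + attribute(USER_PASSWORD, encode_password(password, secret, req_auth))
             + attribute(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


class RadiusServer:
    """Toy IAS: a RADIUS-client table keyed by source IP, and a user database."""

    def __init__(self, clients, users):
        self.clients = clients  # source IP -> shared secret (the IAS "RADIUS Clients" list)
        self.users = users      # username -> password
        self.log = []

    def handle(self, src_ip, packet):
        secret = self.clients.get(src_ip)
        if secret is None:
            return None  # RFC 2865 3: a request from an unknown client is silently discarded
        code, ident, length = struct.unpack("!BBH", packet[:4])
        req_auth = packet[4:20]
        attrs = parse_attributes(packet[20:length])
        user = attrs[USER_NAME]
        ok = self.users.get(user) == decode_password(attrs[USER_PASSWORD], secret, req_auth)
        self.log.append((user.decode(), "accept" if ok else "reject"))
        header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
        # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret); no attributes here
        return header + hashlib.md5(header + req_auth + secret).digest()


def verify_response(response, request, secret):
    """NAS side: a reply signed with a different secret is treated as forged."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[4:20] == expected


def xauth_demo(pix_src_ip, pix_secret):
    """Simulate the PIX forwarding XAUTH credentials from a given interface with a given secret."""
    # Constructed: only the PIX inside address 10.0.0.1 is registered as a RADIUS client
    server = RadiusServer(clients={"10.0.0.1": b"s3cret"}, users={b"cisco": b"cisco123"})
    request = build_access_request(7, b"cisco", b"cisco123", pix_secret, pix_src_ip)
    response = server.handle(pix_src_ip, request)
    if response is None:
        return "timeout"  # the symptom from the thread: client hangs, server logs nothing
    if not verify_response(response, request, pix_secret):
        return "bad-authenticator"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}[response[0]]


if __name__ == "__main__":
    print("sourced from outside address:", xauth_demo("203.0.113.1", b"s3cret"))
    print("sourced from inside address: ", xauth_demo("10.0.0.1", b"s3cret"))
    print("inside, wrong shared secret: ", xauth_demo("10.0.0.1", b"wrong"))
```

The first call reproduces the thread's failure mode: the request arrives from an address the server has no entry for, so it is dropped without a log line and the VPN client just times out. The second is the working configuration. The third shows the other failure a practitioner should recognise: with a mismatched shared secret the server still answers, but the decoded password is garbage and the reply's Response Authenticator does not verify on the PIX side, so the attempt never reaches Access-Accept.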

LVL 79

Expert Comment

ID: 16908695
> Cisco Tech also checked my PIX config & said it was fine
Yea Team! Whoda thunk?

LVL 32

Expert Comment

ID: 16908846
I can't believe it. You saying they missed the 'outside' part on the aaa-server ?? Man, here instead of one pair of eye, you get more so from next time onwards post the config along with the post.
