Solved

VPN XAUTH - Unable To Use Cisco PIX & Cisco VPN Client with Windows 2003 IAS RADIUS Authentication

Posted on 2006-06-12
8
1,257 Views
Last Modified: 2012-06-27
Cisco remote access VPN Clients (v4.08) are able to connect to PIX515e configured as VPN Server and access the internal LAN without problems as long as I don't enable extended user authentication.  With XAUTH enabled in the PIX config the remote users are being prompted for a username & PW but once they enter it nothing happens and the IKE setup times out & disconnects.  (On the other end, the log files on the M.S. IAS (RADIUS) server show no entries at all.)

I need to enable Extended Authentication (XAUTH) & would like to use Microsoft IAS (RADIUS) on our only Windows 2003 Server DC if possible?

Cisco Tech Support referred me to http://www.cisco.com/warp/public/110/cvpn3k_pix_ias.html (Document ID 18897) for a setup guide.  Cisco Tech also checked my PIX config & said it was fine, AAA XAUTH using IAS should work but since it doesn't I assume I need to review my IAS config on the Microsoft Server 2003.

The Cisco setup documentation related to configuring IAS on the Microsoft Windows 2003 Server step #5 says to add a user into the local computer account via ADMIN TOOLS>COMP MGMT>SYS TOOLS>LOCAL USERS & GROUPS and to give that account a password that is the same as the "shared secret" defined in the IAS PIX RADIUS CLIENT config.

Problem 1: My (1 & Only) Microsoft Windows 2003 Server domain controller does not have an icon for "LOCAL USERS & GROUPS" in the Computer Management window.  (I tried adding the local account in the DOMAIN LOCAL group with no luck).

Problem 2: Also the DIAL-IN Tab instruction for this Local Account says "leave default setting of CONTROL ACCESS THROUGH REMOTE ACCESS POLICY" but that is not an option because it is greyed out.

I have IP connectivity from the remote access client all the way through to the IAS RADIUS server.
IPSec VPN remote access connections are perfect until I enable XAUTH using M.S. IAS RADIUS server.

Has anyone who has used Cisco PIX & Cisco VPN Client with Windows 2003 IAS RADIUS Extended Authentication got any ideas for me?  Thanks much for any tips as I just can't bring myself to put laptops out there as VPN clients without any user authentication enabled!




Question by: dealvis

8 Comments

Author Comment

by:dealvis
ID: 16890010
Resolved unavailability of "CONTROL ACCESS THROUGH REMOTE ACCESS POLICY" option on User properties sheet DIAL-IN tab by changing Windows 2000 domain to NATIVE mode but XAUTH still is not working...
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 16890141
>Configuring the Microsoft Windows 2003 Server with IAS
Be sure that Client-Vendor is set to RADIUS Standard

Pay particular attention to this section of the document, and particularly item 4
x Allow Unencrypted Authentication (PAP,SPAP)
is the only box checked

For Item #5,
Since this is your DC, go to Admin Tools/ Active Directory Users and Computers
"Add user with Cisco password "cisco123" and check the following profile information."
This is not the same as "to give that account a password that is the same as the "shared secret" defined in the IAS PIX RADIUS CLIENT config"

Add a user "Cisco" password "cisco123" and allow dial-in access

Step 5 is simply to setup a test account to verify.



0
 

Author Comment

by:dealvis
ID: 16893543
Thx - Yes, Only Authentication Option Selected is: x Allow Unencrypted Authentication (PAP,SPAP)
Also double checked Client Vendor option and it is indeed set to RADIUS STANDARD

At this point I am attempting to use PIX debug commands and also Microsoft Network Monitor to determine if the PIX's XAUTH requests are even reaching the Microsoft 2003 Server with IAS installed?

This morning I also bypassed our layer 3 Catalyst switch just to rule out the possibility of the VLAN config preventing the PIX (outside interface) from communicating with the IAS (RADIUS) server on the inside (V)LAN.  Didn't help.
:-(
Thanks for the tips lrmoore - any other ideas I'd love to hear them!
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 16895979
One I can think of is what Lrmoore already pointed out but I'm not sure if you have done it:

>>Add a user "Cisco" password "cisco123" and allow dial-in access

Look at the last part : "Allow dial-in access". This has to be enabled on AD, have you tried that?

If still yes, then posting your configuration would really help.

Cheers,
Rajesh
0
 
LVL 79

Accepted Solution

by: lrmoore (earned 125 total points)
ID: 16897747
Can the PIX actually ping the IAS server?
Is this server on the same network segment as the inside of the PIX?
Looking for routers or anything that may not be forwarding the RADIUS protocol packets between the PIX and the IAS server.
0
 

Author Comment

by:dealvis
ID: 16905723
Problem Solved - PIX515e now performing XAUTH of Cisco VPN remote access clients via Microsoft Windows Server 2003 running IAS (radius) to verify remote user's Active Directory username & PW entered during VPN client connection process.

I had 2 problems.

1st problem was INCORRECT configuration on PIX - designation of RADIUS server referenced wrong PIX interface:
aaa-server Remote_Users (outside) host 192.168.0.200 psk4ipsecauth timeout 10

Corrected by changing to:
aaa-server Remote_Users (inside) host 192.168.0.200 psk4ipsecauth timeout 10

(At this point RADIUS requests began flowing through the PIX to the Windows Server 2003 (192.168.2.200) running IAS located on the internal LAN connected to the PIX INSIDE interface (192.168.0.1).)

2nd problem was wrong IP address specified for PIX in the "RADIUS Clients" configuration on the Windows Server 2003 running IAS.
The correct IP address to enter for the PIX when configuring IAS to treat the PIX as a RADIUS client is the IP address of the PIX INSIDE interface (NOT the OUTSIDE interface as I had wrongly entered).

In summary:
When specifying the RADIUS server you want the PIX to use for XAUTH of remote access VPN clients make sure you specify the PIX interface closest to the server, [in my case the INSIDE interface] NOT the OUTSIDE interface the remote access clients connect to, when you enter that PIX command.  Again, here is the correct example from my configuration:
aaa-server Remote_Users (inside) host 192.168.0.200 psk4ipsecauth timeout 10

Also when setting up your Windows Server 2003 to perform XAUTH via IAS for the PIX by adding the PIX as a RADIUS Client to IAS, enter the IP address of the PIX interface nearest the server when specifying the Radius Client IP address on the Radius Client Properties Sheet.

Many Thanks to all who helped me!  I am a newbie to all this (including ExEX) and the only IT person where I work so I struggle to respond quickly to the posts but they are invaluable to me.

0
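The two mistakes described in the resolved post (an aaa-server line naming the wrong PIX interface, and the IAS RADIUS Client entry carrying the wrong PIX address) are both mechanically checkable from the PIX configuration, because the PIX sources its RADIUS requests from the interface named in the aaa-server command. The following Python script is an added illustration of that check and is not code from the thread or from Cisco: it parses the "ip address" and "aaa-server ... host" lines of a PIX 6.x-style config, flags any aaa-server line whose interface is not the one on the RADIUS server's subnet, and reports the PIX address that IAS should see as the RADIUS client. The embedded config fragment is constructed; the inside address and server address are the ones posted above, and the outside address is a TEST-NET placeholder since the thread never gives it.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed PIX 6.x-style fragment. The 'inside' address (192.168.0.1) and the
# RADIUS server (192.168.0.200) come from the thread; 203.0.113.2 is a placeholder.
# The aaa-server line is the author's original, wrong-interface version.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.2 255.255.255.0
ip address inside 192.168.0.1 255.255.255.0
aaa-server Remote_Users protocol radius
aaa-server Remote_Users (outside) host 192.168.0.200 psk4ipsecauth timeout 10
"""

IP_ADDRESS_RE = re.compile(
    r"^ip address (\S+) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)\s*$"
)
AAA_HOST_RE = re.compile(
    r"^aaa-server (\S+) \((\S+)\) host (\d+\.\d+\.\d+\.\d+)(.*)$"
)


def parse_interfaces(config: str) -> Dict[str, ipaddress.IPv4Interface]:
    """Map each named interface to its address/mask from 'ip address' lines."""
    ifaces: Dict[str, ipaddress.IPv4Interface] = {}
    for line in config.splitlines():
        m = IP_ADDRESS_RE.match(line.strip())
        if m:
            name, addr, mask = m.groups()
            ifaces[name] = ipaddress.IPv4Interface(f"{addr}/{mask}")
    return ifaces


def parse_aaa_hosts(config: str) -> List[Tuple[str, str, ipaddress.IPv4Address, str]]:
    """Return (tag, interface, server_ip, trailing_options) per 'aaa-server ... host' line."""
    hosts = []
    for line in config.splitlines():
        m = AAA_HOST_RE.match(line.strip())
        if m:
            tag, ifname, ip, rest = m.groups()
            hosts.append((tag, ifname, ipaddress.IPv4Address(ip), rest))
    return hosts


def check_aaa_server_interfaces(config: str) -> List[str]:
    """Flag aaa-server host lines whose interface does not face the server.

    A finding is raised only when the server sits on exactly one directly
    connected subnet and the named interface is a different one; the finding
    carries the corrected command. Servers not directly connected are skipped,
    because routing (not this parser) decides the right interface for them.
    """
    ifaces = parse_interfaces(config)
    findings: List[str] = []
    for tag, ifname, ip, rest in parse_aaa_hosts(config):
        facing = [name for name, itf in ifaces.items() if ip in itf.network]
        if len(facing) != 1 or ifname == facing[0]:
            continue  # correct interface, or not decidable from connected subnets
        fixed = f"aaa-server {tag} ({facing[0]}) host {ip}{rest}"
        findings.append(
            f"{tag}: server {ip} is on interface '{facing[0]}', not '{ifname}'; use: {fixed}"
        )
    return findings


def radius_client_address(config: str, server_ip: str) -> Optional[str]:
    """PIX address the RADIUS server will see as the client (the interface on its subnet).

    This is the value to enter for the PIX in the IAS 'RADIUS Clients' entry.
    Returns None when the server is not on a directly connected subnet.
    """
    ip = ipaddress.IPv4Address(server_ip)
    for itf in parse_interfaces(config).values():
        if ip in itf.network:
            return str(itf.ip)
    return None


if __name__ == "__main__":
    for finding in check_aaa_server_interfaces(SAMPLE_CONFIG):
        print("MISMATCH:", finding)
    print("IAS RADIUS client address for the PIX:",
          radius_client_address(SAMPLE_CONFIG, "192.168.0.200"))
```

Run against the constructed fragment, the script reports the outside/inside mismatch with the corrected aaa-server line and names 192.168.0.1 as the address to register in IAS, which is exactly the pair of fixes the author arrived at by hand.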
 
LVL 79

Expert Comment

by:lrmoore
ID: 16908695
> Cisco Tech also checked my PIX config & said it was fine
Yea Team! Whoda thunk?


0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 16908846
I can't believe it. You saying they missed the 'outside' part on the aaa-server ?? Man, here instead of one pair of eyes, you get more so from next time onwards post the config along with the post.


Cheers,
Rajesh


0
