Cisco remote access VPN Clients (v4.08) are able to connect to PIX515e configured as VPN Server and access the internal LAN without problems as long as I don't enable extended user authentication. With XAUTH enabled in the PIX config, the remote users are being prompted for a username & PW, but once they enter it nothing happens and the IKE setup times out & disconnects. (On the other end, the log files on the M.S. IAS (RADIUS) server show no entries at all.)
I need to enable Extended Authentication (XAUTH) & would like to use Microsoft IAS (RADIUS) on our only Windows 2003 Server DC if possible.
Cisco Tech Support referred me to http://www.cisco.com/warp/public/110/cvpn3k_pix_ias.html (Document ID 18897) for a setup guide. Cisco Tech also checked my PIX config & said it was fine, AAA XAUTH using IAS should work, but since it doesn't, I assume I need to review my IAS config on the Microsoft Server 2003.
The Cisco setup documentation related to configuring IAS on the Microsoft Windows 2003 Server step #5 says to add a user into the local computer account via ADMIN TOOLS>COMP MGMT>SYS TOOLS>LOCAL USERS & GROUPS and to give that account a password that is the same as the "shared secret" defined in the IAS PIX RADIUS CLIENT config.
Problem 1: My (1 & Only) Microsoft Windows 2003 Server domain controller does not have an icon for "LOCAL USERS & GROUPS" in the Computer Management window. (I tried adding the local account in the DOMAIN LOCAL group with no luck.)
Problem 2: Also the DIAL-IN Tab instruction for this Local Account says "leave default setting of CONTROL ACCESS THROUGH REMOTE ACCESS POLICY" but that is not an option because it is greyed out.
I have IP connectivity from the remote access client all the way through to the IAS RADIUS server.
IPSec VPN remote access connections are perfect until I enable XAUTH using M.S. IAS RADIUS server.
Has anyone who has used Cisco PIX & Cisco VPN Client with Windows 2003 IAS RADIUS Extended Authentication got any ideas for me? Thanks much for any tips as I just can't bring myself to put laptops out there as VPN clients without any user authentication enabled!