Cisco ASA 5520 and Server 2003 IAS Frustration 500pt

I have a group in my Active Directory specifically for those users I want to grant VPN access.  I have checked all of their rights to ensure that their dial-in access is granted and defined by Remote Access Policy.  I have installed IAS on a Server 2003 Domain Controller/Global Catalog and defined the policy to only allow members of this group access.  I have changed the profiles in the policies to allow for PAP and Unencrypted Access, to facilitate the hand off from my Cisco ASA 5520.  I have the server authorized in Active Directory and the ASA listed as a RADIUS client.  I have set up the AAA Server group and defined this server as my RADIUS server using standard protocol, and assigned this group to my VPNTunnel Group and default web VPN group policy on my ASA.  HOWEVER, I am still not able to get my Server 2003 RADIUS Server to control the access to the VPN.  The only users that are allowed are users I put in the ASA's local database or whatever username corresponds to the "common password" in the AAA Server setup.  Please tell me I'm overlooking something minute.  To my knowledge, I've tried everything.  Thanks so much- JK

For your tunnel-group, what is the authentication server set up as?  To me it seems like it's set to local.

Honestly, what I'd try first though is to allow anyone in AD to VPN in.  That will allow us to see if the authentication against the AD at least works.  From there we can work on the AD group specification.
cantonee (Author) commented:
The authentication server is set to my AAA Server Group, the only member being the IAS Server, the same for the authorization server.  I can test the Authentication from the ASA and it is always successful.  I agree with what you said.  I have tried the same exact setup, minus the additional entry in the Remote Access Policy on my IAS to restrict access to the VPN Group, still no success.  Thanks for the reply- JK
Can you post the relevant parts of your config (aaa-server, group-policy, and tunnel-group, I believe)?
I have the same setup at work (minus the VPN group limitation; I haven't implemented that part yet), so I know I can help you get this working.  You post what you have, then tomorrow when I get to work I'll post what I have working for my sites.

I thought I would give you some example config so you can see where yours might be whacked.  Here is everything on the ASA you need minus the dhcp config and crypto.  Obviously there are a ton of assumptions in this config like the use of an internal address pool on the ASA rather than proxying addresses from an internal dhcp server.  So please modify as you see fit.

! AAA server group used for VPN user authentication; the key must match the
! shared secret entered for this ASA as a RADIUS client in IAS
aaa-server RADIUS protocol radius
aaa-server RADIUS host <your radius IP>
 key <your radius shared key>
! Settings pushed to clients once RADIUS has accepted them
group-policy <your policy name> internal
group-policy <your policy name> attributes
 wins-server value <your wins server(s)>
 dns-server value <your dns server(s)>
 vpn-idle-timeout 20
 vpn-session-timeout 480
 default-domain value <your internal domain>
! Remote-access IPsec tunnel; user authentication is sent to the RADIUS group above
tunnel-group <your tunnel name> type ipsec-ra
tunnel-group <your tunnel name> general-attributes
 address-pool <your dhcp pool>
 authentication-server-group RADIUS
 default-group-policy <your policy name>
! Group authentication password shared by every VPN client (not the user's AD password)
tunnel-group <your tunnel name> ipsec-attributes
 pre-shared-key <your group auth password>

Now for the Windows 2003 IAS server

1.  Verify the clients are handshaking by using the verify button in Windows 2003
2.  Create a policy for the ipsec clients in the IAS admin console.  The policy should be:

NAS-Port-Type = Virtual VPN AND Windows-Groups matches "domain\group name".  
if connection attempt matches this condition, GRANT access.

3.  Edit the profile of this remote access policy and under the authentication tab, verify that you have PAP selected as this is the method the ASA will use.

4.  Under connection request processing in the IAS admin console, verify you have not removed the default entry which should read: Use Windows authentication for all users.  This entry should match all connections made every day, all the time.  (If you check the constraints it should have everything highlighted)

Now for the Active Directory part

1.  In Active Directory, make sure the user is a member of the security group you specified above in the remote access policy.  

2.  Make sure they have "allow access" or "control access through remote access policy" under the dialin tab when viewing their AD user object details.

Now try to connect using one of the IDs you gave permissions to.  Watch the IAS logs as they will almost always tell you what is going on.  

A few side notes to keep in mind... That RADIUS handshake will not pass for any of the following reasons:
1.  The Windows account is locked out
2.  The account requires a password reset at next logon
3.  The account is disabled
4.  The account does not have dial-in permission
5.  The account is not in the Windows group specified in the policy

This also becomes more complex if you add sites and services into the mix because the IAS server "should" be asking your local DC.  If this hiccups at all, it might ask a DC at a different location where the group membership, account lockout, dial-in permission, etc. may not yet be replicated... which makes your life a little more difficult.  (This is not a common problem but I have seen it.)

Let me know if you need anything else or if this doesn't solve your issue.  I can also post some good syslog filters you can run for VPN auth troubleshooting.
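As an added illustration (not code from this thread or from Cisco/Microsoft), here is a Python model of the hand-off bdh113 describes: the RFC 2865 PAP User-Password hiding the ASA performs with the aaa-server key, and an evaluator for the NAS-Port-Type / Windows-Groups policy plus the five account conditions listed above. The Account class, the request dictionary layout and the reject strings are constructed for this example.

```python
import hashlib
from dataclasses import dataclass

NAS_PORT_TYPE_VIRTUAL = 5  # RFC 2865 "Virtual"; the IAS console shows it as Virtual (VPN)

def hide_pap_password(password: bytes, key: bytes, authenticator: bytes) -> bytes:
    """User-Password hiding the ASA applies with its aaa-server key (RFC 2865 sec. 5.2)."""
    length = max(16, -(-len(password) // 16) * 16)  # pad to a 16-byte multiple
    padded, out, prev = password.ljust(length, b"\x00"), b"", authenticator
    for i in range(0, length, 16):
        mask = hashlib.md5(key + prev).digest()  # MD5(secret + previous block)
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], mask))
        out += prev
    return out

def recover_pap_password(hidden: bytes, key: bytes, authenticator: bytes) -> bytes:
    """Server side of the same operation; a mismatched shared key yields garbage."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(key + prev).digest()
        chunk = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(chunk, mask))
        prev = chunk
    return out.rstrip(b"\x00")

@dataclass
class Account:
    """The parts of the AD user object the IAS checks consult (constructed model)."""
    password: bytes
    groups: frozenset
    dialin: str = "policy"  # "allow", "deny", or "policy" (control through remote access policy)
    locked_out: bool = False
    disabled: bool = False
    must_change_password: bool = False

def evaluate_request(req: dict, acct: Account, vpn_group: str, key: bytes) -> str:
    """Return 'Access-Accept' or the first reason the handshake fails, in check order."""
    if recover_pap_password(req["User-Password"], key, req["Authenticator"]) != acct.password:
        return "Reject: bad password (or shared key mismatch between ASA and IAS)"
    for failed, reason in ((acct.locked_out, "account is locked out"),
                           (acct.disabled, "account is disabled"),
                           (acct.must_change_password, "password must be changed at next logon"),
                           (acct.dialin == "deny", "account does not have dial-in permission")):
        if failed:
            return "Reject: " + reason
    if req.get("NAS-Port-Type") != NAS_PORT_TYPE_VIRTUAL or vpn_group not in acct.groups:
        return "Reject: no remote access policy matched (NAS-Port-Type / Windows-Groups)"
    return "Access-Accept"
```

A key mismatch between the ASA's aaa-server line and the IAS client entry shows up as the first reject reason, which is why the ASA's own "test" can pass while every real user is refused.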

And since I can't edit my previous post... That verify button on the IAS server is not for validating the handshake.  I haven't looked at that in quite a while, but I just remembered that it's for verifying the hostname, so you can skip that part about clicking the verify button in step 1 of the IAS config.
cantonee (Author) commented:
Hi bdh113-
Thank you very much for the comprehensive response.  You may find this hard to believe, but I have done each and every one of the things that you have mentioned.  The one thing that really sticks out to me is the "pre-shared key / group authorization password."  I think this is where things are going wrong for me.  In the setup, where it asks for the "common password", if I supply the password for a user that is in the Active Directory Group "VPNAccess" (the one I have defined in the IAS Policy) this user will authorize and authenticate, flawlessly.  However, I need all the members of the Group to have this same authorization....can you assign a common password to a Group?  I obviously do not want them to all have the same password......Thanks again.
What bdh113 has is virtually identical to what I had.

So it is working then.

You can't assign passwords to AD groups.  You can assign pre-shared keys to the tunnel-groups (like you already have).  Authentication beyond that is per user.  This is by design, so if you have one user that you want to disable, you don't have to change the password on the group and get it to everyone; easier management, basically.
I'm actually confused by your use of "common password".  Are you talking about the tunnel group pre-shared key?  Here are the line items that reference this password on the ASA:

tunnel-group <your tunnel name> ipsec-attributes
 pre-shared-key <your group auth password>

If you are indeed talking about this password, then you are correct that this password must be the SAME on every client.  Keep in mind that this is NOT the password they use to log in, but rather the password you configure in the IPsec VPN Client for group authentication.  When you create a new connection on the VPN client, one of the tabs below says Authentication.  This tab says name and password.  The name listed here is the tunnel-group name you configured on the ASA.  The password is the password I mentioned above.  This is the same for all users.

When the users connect they send this group name and password to the ASA, which defines which settings and security they receive from the ASA.  The ASA then responds by prompting them for their personal username and password, which will be their Active Directory username and password if they were configured as per my previous post.

If this is not the password you are referring to, then please explain a little further what you are looking for.

This may sound like a silly question, but are you seeing RADIUS info in the event logs on the IAS box?  You should be seeing information about the users authenticating and whether or not it passes.  Specifically, you will see the username, PAP, IP address, group membership, etc about the connection attempt and whether or not it passed the RADIUS checks.

If this doesn't help, let me know and I will post the syslog filters you can put in for VPN authentication troubleshooting.
cantonee (Author) commented:
I put the IAS server on another box, only difference being that this one is Server 2003 Ent. Ed. and it took right off and worked.  I didn't change a thing.  One thing I have noticed is that when you uninstall and reinstall IAS on Server 2003 it doesn't reinstall all the factory defaults.  I must have screwed up one of my Remote Access policies while I was tinkering.  Once I applied only what I needed on the new IAS, it worked perfectly.  bdh113 this post will undoubtedly help people trying to accomplish the same thing I am.  Your post will help them immensely.  Thanks-