• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1412
  • Last Modified:

Cannot get Netscreen VPN to Authenticate to RADIUS against Active Directory

I am implementing a VPN solution for a small company and just ran into a problem authenticating a user through RADIUS using NS5GT Firewall+VPN. Here is a brief overview of the current network layout. There are 4 Windows XP machines that belong to a Windows 2003 SBS domain. Exchange and Active Directory are configured properly and everything seems to run smoothly. All this is located behind a NetScreen firewall that also acts as a DHCP server.

I've configured Netscreen's policies (bidirectional) and xAuth to connect to RADIUS on the company's server. I installed IAS and added NetScreen as a client. Also I published IAS in Active directory (by right clicking on IAS (local) and selecting the option for integration with AD). To establish connection from a remote location I use NetScreen Remote VPN Client . I can connect to the firewall without a problem. The problem is I cannot authenticate a user through RADIUS. When I try connecting, a login window pops up for the xAuth use Authentication. When the remote user enters the domain username and password in order to be authenticated by Microsoft IAS and hits enter, the login window comes back up asking to enter the credentials again.

Netscreen log returns this error: "User [username] belongs to a different group in the RADIUS server than one allowed in the device" I checked Windows Event Log and it says:

User [username] was granted access.
 Fully-Qualified-User-Name = business.local/MyBusiness/Users/SBSUsers/[username]
 NAS-IP-Address =
 NAS-Identifier = <not present>
 Client-Friendly-Name = NetScreen
 Client-IP-Address =
 Calling-Station-Identifier = <not present>
 NAS-Port-Type = Virtual
 NAS-Port = 18
 Proxy-Policy-Name = Use Windows authentication for all users
 Authentication-Provider = Windows
 Authentication-Server = <undetermined>
 Policy-Name = VPN Connections Authentication
 Authentication-Type = PAP
 EAP-Type = <undetermined>

I've tried restarting IAS service but without any luck. I can't figure out if the problem is with the firewall setup or is RADIUS not integrated with AD properly. I would appreciate your suggestions
  • 4
  • 2
1 Solution
Found this in Junipers support site


Detailed setup info. Worth a read.

Seems to me a config issue on the RADIUS server for the RAS client device (ur Netscree)
matrixrealityAuthor Commented:
Still no luck :(
matrixrealityAuthor Commented:
I was finally able to resolve the login issue by changing the Value in IAS policies to the same group name as set in Netscreen. Now when the connection is established I have another problem during Firewall Authentication. When I try to enter a username and password during HTTP authentication to the client machine I get a timeout in the browser. It would ask me in the beginning for un and pw but it doesn't do it anymore for some reason. Anyway, even though I established the connection to the subnet and the IP pool assigned me an IP address, I cannot access any of the network resources because it won't go through the Firewall Authentication.

Can anyone advise on what I can do to resolve this issues?

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

are there any logs showing dropped packets when you try accessing the resources or when the authentication fails.

Try using HTTPwatch (www.httpwatch.com) to see the browser conversations that will give where there is a failure (if any)
matrixrealityAuthor Commented:
Thank you, rbkumaran for the suggestion. I stalled HTTP Watch and here is the log randomideals.com/log.hwl

It returns a 401 error - Unauthorized. I don't quite get it, because it authorizes me the first time around. I figured out that when I establish the VPN connection and go through the first layer of authentication, I get an IP addreess from the IP Pool but I cannot ping any devices on the network besides the firewall and myself. I am truly lost here. I really need to figure this out in the next couple of hours, otherwise the client won't be happy :(
matrixrealityAuthor Commented:
I solved the issue by disabling the Firewall Authentication in NetScreen config.
PAQed with points refunded (500)

EE Admin

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

  • 4
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now