Cannot get Netscreen VPN to Authenticate to RADIUS against Active Directory

Posted on 2007-10-09
Last Modified: 2008-12-06
I am implementing a VPN solution for a small company and just ran into a problem authenticating a user through RADIUS using NS5GT Firewall+VPN. Here is a brief overview of the current network layout. There are 4 Windows XP machines that belong to a Windows 2003 SBS domain. Exchange and Active Directory are configured properly and everything seems to run smoothly. All this is located behind a NetScreen firewall that also acts as a DHCP server.

I've configured Netscreen's policies (bidirectional) and xAuth to connect to RADIUS on the company's server. I installed IAS and added NetScreen as a client. Also I published IAS in Active Directory (by right clicking on IAS (local) and selecting the option for integration with AD). To establish a connection from a remote location I use the NetScreen Remote VPN Client. I can connect to the firewall without a problem. The problem is I cannot authenticate a user through RADIUS. When I try connecting, a login window pops up for the xAuth user authentication. When the remote user enters the domain username and password in order to be authenticated by Microsoft IAS and hits enter, the login window comes back up asking to enter the credentials again.

Netscreen log returns this error: "User [username] belongs to a different group in the RADIUS server than one allowed in the device". I checked the Windows Event Log and it says:

User [username] was granted access.
 Fully-Qualified-User-Name = business.local/MyBusiness/Users/SBSUsers/[username]
 NAS-IP-Address =
 NAS-Identifier = <not present>
 Client-Friendly-Name = NetScreen
 Client-IP-Address =
 Calling-Station-Identifier = <not present>
 NAS-Port-Type = Virtual
 NAS-Port = 18
 Proxy-Policy-Name = Use Windows authentication for all users
 Authentication-Provider = Windows
 Authentication-Server = <undetermined>
 Policy-Name = VPN Connections Authentication
 Authentication-Type = PAP
 EAP-Type = <undetermined>

I've tried restarting the IAS service but without any luck. I can't figure out if the problem is with the firewall setup or if RADIUS is not integrated with AD properly. I would appreciate your suggestions.
Question by:matrixreality
    LVL 6

    Expert Comment

    Found this in Juniper's support site

    Detailed setup info. Worth a read.

    Seems to me a config issue on the RADIUS server for the RAS client device (your NetScreen)

    Author Comment

    Still no luck :(

    Author Comment

    I was finally able to resolve the login issue by changing the Value in IAS policies to the same group name as set in Netscreen. Now when the connection is established I have another problem during Firewall Authentication. When I try to enter a username and password during HTTP authentication to the client machine I get a timeout in the browser. It would ask me in the beginning for un and pw but it doesn't do it anymore for some reason. Anyway, even though I established the connection to the subnet and the IP pool assigned me an IP address, I cannot access any of the network resources because it won't go through the Firewall Authentication.

    Can anyone advise on what I can do to resolve these issues?
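As an added diagnostic for the group-mismatch error above (example code written for this page, not from the thread, Juniper or Microsoft): a small RFC 2865 PAP probe, standard library only, that sends one Access-Request to the RADIUS server, verifies the Response Authenticator so a spoofed reply is not trusted, and lists the group attribute(s) the server returns, so the value IAS sends can be compared with the group configured on the NetScreen before the firewall rejects the login. It assumes NetScreen's RADIUS vendor id is 3224 and that vendor sub-attribute 3 carries the user group; the thread does not name the attribute, so verify both against the ScreenOS RADIUS dictionary. Filter-Id (11) is also read, since IAS policies can return the group name there.

```python
import hashlib, os, socket, struct

def pap_encrypt(password, secret, authenticator):
    # RFC 2865 s5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)
    padded, out, prev = password + b"\x00" * (-len(password) % 16), b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def build_access_request(ident, authenticator, username, password, secret, nas_port=18):
    # Access-Request(1): User-Name(1), User-Password(2), NAS-Port(5), NAS-Port-Type(61)=Virtual(5)
    enc = pap_encrypt(password, secret, authenticator)
    attrs = (struct.pack("!BB", 1, 2 + len(username)) + username + struct.pack("!BB", 2, 2 + len(enc))
             + enc + struct.pack("!BBIBBI", 5, 6, nas_port, 61, 6, 5))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

def parse_attributes(packet):
    # Returns [(type, vendor, vendor_type, value)]; a Vendor-Specific attr yields its raw entry plus sub-TLVs
    found, body = [], packet[20:]
    while len(body) >= 2 and 2 <= body[1] <= len(body):  # a bad length ends parsing, no infinite loop
        t, val = body[0], body[2:body[1]]
        found.append((t, None, None, val))
        if t == 26 and len(val) >= 6:                     # Vendor-Specific: 4-byte vendor id, then sub-TLVs
            vendor, sub = struct.unpack("!I", val[:4])[0], val[4:]
            while len(sub) >= 2 and 2 <= sub[1] <= len(sub):
                found.append((26, vendor, sub[0], sub[2:sub[1]]))
                sub = sub[sub[1]:]
        body = body[body[1]:]
    return found

def returned_groups(packet):
    # Filter-Id(11) or NetScreen VSA (vendor 3224, sub-attr 3 ASSUMED to be the user group; verify)
    return [v.decode(errors="replace") for t, vend, vt, v in parse_attributes(packet)
            if t == 11 or (vend == 3224 and vt == 3)]

def reply_is_authentic(reply, request_authenticator, secret):
    # Response Authenticator (RFC 2865 s3): a reply not built with the shared secret is not trusted
    return reply[4:20] == hashlib.md5(reply[:4] + request_authenticator + reply[20:] + secret).digest()

def probe(server, secret, username, password, port=1812, timeout=3.0):
    # Send one PAP Access-Request and return (code, groups); code 2 = Accept, 3 = Reject
    auth = os.urandom(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_access_request(1, auth, username, password, secret), (server, port))
        reply, _ = s.recvfrom(4096)
    if len(reply) < 20 or reply[1] != 1 or not reply_is_authentic(reply, auth, secret):
        raise ValueError("reply failed identifier or Response Authenticator check")
    return reply[0], returned_groups(reply)
```

Run `probe("<ias-host>", b"<shared-secret>", b"<user>", b"<password>")` from a host that IAS has registered as a RADIUS client; an Accept whose group list does not contain the name set on the NetScreen reproduces the "belongs to a different group" rejection.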
    LVL 6

    Expert Comment

    Are there any logs showing dropped packets when you try accessing the resources or when the authentication fails?

    Try using HttpWatch to see the browser conversations; that will give where there is a failure (if any).

    Author Comment

    Thank you, rbkumaran, for the suggestion. I installed HttpWatch and here is the log

    It returns a 401 error - Unauthorized. I don't quite get it, because it authorizes me the first time around. I figured out that when I establish the VPN connection and go through the first layer of authentication, I get an IP address from the IP Pool but I cannot ping any devices on the network besides the firewall and myself. I am truly lost here. I really need to figure this out in the next couple of hours, otherwise the client won't be happy :(

    Author Comment

    I solved the issue by disabling the Firewall Authentication in NetScreen config.
    LVL 1

    Accepted Solution

    PAQed with points refunded (500)

    EE Admin
