• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1415
  • Last Modified:

Cannot get Netscreen VPN to Authenticate to RADIUS against Active Directory

I am implementing a VPN solution for a small company and just ran into a problem authenticating a user through RADIUS using NS5GT Firewall+VPN. Here is a brief overview of the current network layout. There are 4 Windows XP machines that belong to a Windows 2003 SBS domain. Exchange and Active Directory are configured properly and everything seems to run smoothly. All this is located behind a NetScreen firewall that also acts as a DHCP server.

I've configured Netscreen's policies (bidirectional) and xAuth to connect to RADIUS on the company's server. I installed IAS and added NetScreen as a client. Also I published IAS in Active directory (by right clicking on IAS (local) and selecting the option for integration with AD). To establish connection from a remote location I use NetScreen Remote VPN Client . I can connect to the firewall without a problem. The problem is I cannot authenticate a user through RADIUS. When I try connecting, a login window pops up for the xAuth use Authentication. When the remote user enters the domain username and password in order to be authenticated by Microsoft IAS and hits enter, the login window comes back up asking to enter the credentials again.

Netscreen log returns this error: "User [username] belongs to a different group in the RADIUS server than one allowed in the device" I checked Windows Event Log and it says:

User [username] was granted access.
 Fully-Qualified-User-Name = business.local/MyBusiness/Users/SBSUsers/[username]
 NAS-IP-Address =
 NAS-Identifier = <not present>
 Client-Friendly-Name = NetScreen
 Client-IP-Address =
 Calling-Station-Identifier = <not present>
 NAS-Port-Type = Virtual
 NAS-Port = 18
 Proxy-Policy-Name = Use Windows authentication for all users
 Authentication-Provider = Windows
 Authentication-Server = <undetermined>
 Policy-Name = VPN Connections Authentication
 Authentication-Type = PAP
 EAP-Type = <undetermined>

I've tried restarting IAS service but without any luck. I can't figure out if the problem is with the firewall setup or is RADIUS not integrated with AD properly. I would appreciate your suggestions
  • 4
  • 2
1 Solution
Found this in Junipers support site


Detailed setup info. Worth a read.

Seems to me a config issue on the RADIUS server for the RAS client device (ur Netscree)
matrixrealityAuthor Commented:
Still no luck :(
matrixrealityAuthor Commented:
I was finally able to resolve the login issue by changing the Value in IAS policies to the same group name as set in Netscreen. Now when the connection is established I have another problem during Firewall Authentication. When I try to enter a username and password during HTTP authentication to the client machine I get a timeout in the browser. It would ask me in the beginning for un and pw but it doesn't do it anymore for some reason. Anyway, even though I established the connection to the subnet and the IP pool assigned me an IP address, I cannot access any of the network resources because it won't go through the Firewall Authentication.

Can anyone advise on what I can do to resolve this issues?
Worried about phishing attacks?

90% of attacks start with a phish. It’s critical that IT admins and MSSPs have the right security in place to protect their end users from these phishing attacks. Check out our latest feature brief for tips and tricks to keep your employees off a hackers line!

are there any logs showing dropped packets when you try accessing the resources or when the authentication fails.

Try using HTTPwatch (www.httpwatch.com) to see the browser conversations that will give where there is a failure (if any)
matrixrealityAuthor Commented:
Thank you, rbkumaran for the suggestion. I stalled HTTP Watch and here is the log randomideals.com/log.hwl

It returns a 401 error - Unauthorized. I don't quite get it, because it authorizes me the first time around. I figured out that when I establish the VPN connection and go through the first layer of authentication, I get an IP addreess from the IP Pool but I cannot ping any devices on the network besides the firewall and myself. I am truly lost here. I really need to figure this out in the next couple of hours, otherwise the client won't be happy :(
matrixrealityAuthor Commented:
I solved the issue by disabling the Firewall Authentication in NetScreen config.
PAQed with points refunded (500)

EE Admin
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Get expert help—faster!

Need expert help—fast? Use the Help Bell for personalized assistance getting answers to your important questions.

  • 4
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now