Cannot get Netscreen VPN to Authenticate to RADIUS against Active Directory
Posted on 2007-10-09
I am implementing a VPN solution for a small company and just ran into a problem authenticating a user through RADIUS using an NS5GT Firewall+VPN. Here is a brief overview of the current network layout. There are 4 Windows XP machines that belong to a Windows 2003 SBS domain. Exchange and Active Directory are configured properly and everything seems to run smoothly. All this is located behind a NetScreen firewall that also acts as a DHCP server.
I've configured NetScreen's policies (bidirectional) and xAuth to connect to RADIUS on the company's server. I installed IAS and added NetScreen as a client. Also I published IAS in Active Directory (by right-clicking on IAS (local) and selecting the option for integration with AD). To establish a connection from a remote location I use NetScreen Remote VPN Client. I can connect to the firewall without a problem. The problem is I cannot authenticate a user through RADIUS. When I try connecting, a login window pops up for the xAuth user authentication. When the remote user enters the domain username and password in order to be authenticated by Microsoft IAS and hits Enter, the login window comes back up asking to enter the credentials again.
The NetScreen log returns this error: "User [username] belongs to a different group in the RADIUS server than one allowed in the device". I checked the Windows Event Log and it says:
User [username] was granted access.
Fully-Qualified-User-Name = business.local/MyBusiness/Users/SBSUsers/[username]
NAS-IP-Address = 192.168.1.32
NAS-Identifier = <not present>
Client-Friendly-Name = NetScreen
Client-IP-Address = 192.168.1.32
Calling-Station-Identifier = <not present>
NAS-Port-Type = Virtual
NAS-Port = 18
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = VPN Connections Authentication
Authentication-Type = PAP
EAP-Type = <undetermined>
I've tried restarting the IAS service but without any luck. I can't figure out if the problem is with the firewall setup or if RADIUS is not integrated with AD properly. I would appreciate your suggestions.
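The firewall's error is about the group carried in the RADIUS reply, not about the password check that IAS logged as successful. The following is an added example, not code from the original post or from Juniper/Microsoft: it decodes a RADIUS Access-Accept, pulls out the NetScreen group vendor-specific attribute, and applies the same accept-only-if-group-matches rule the device enforces. It assumes ScreenOS reads the group from the NS-User-Group VSA (Vendor-ID 3224, vendor type 3); the sample packets are constructed in `build_accept`.

```python
import struct
# Assumption (not on the page): ScreenOS reads the user's group from the
# vendor-specific attribute NS-User-Group (Vendor-ID 3224, vendor type 3).
NETSCREEN_VENDOR_ID, NS_USER_GROUP = 3224, 3
ACCESS_ACCEPT, VSA = 2, 26

def parse_attributes(packet):
    """Split a RADIUS packet into its code and a list of (type, value) pairs."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20                          # 20-byte header: code, id, len, authenticator
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, attrs

def netscreen_groups(packet):
    """Return every NS-User-Group string carried in an Access-Accept."""
    code, attrs = parse_attributes(packet)
    groups = []
    for atype, value in (attrs if code == ACCESS_ACCEPT else []):
        if atype != VSA or len(value) < 6 or \
                struct.unpack("!I", value[:4])[0] != NETSCREEN_VENDOR_ID:
            continue
        pos = 4                                  # vendor sub-attrs: type, length, string
        while pos + 2 <= len(value):
            vtype, vlen = value[pos], value[pos + 1]
            if vlen < 2 or pos + vlen > len(value):
                break                            # truncated sub-attribute
            if vtype == NS_USER_GROUP:
                groups.append(value[pos + 2:pos + vlen].decode("ascii", "replace"))
            pos += vlen
    return groups

def device_check(packet, allowed_group):
    # Firewall-side rule: server said yes, but no matching group means the login fails.
    return allowed_group in netscreen_groups(packet)

def build_accept(group=None):
    """Constructed sample Access-Accept (id 1, authenticator zeroed, no shared secret)."""
    attrs = b""
    if group is not None:
        sub = bytes([NS_USER_GROUP, 2 + len(group)]) + group.encode("ascii")
        vsa = struct.pack("!I", NETSCREEN_VENDOR_ID) + sub
        attrs = bytes([VSA, 2 + len(vsa)]) + vsa
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(attrs)) + bytes(16) + attrs
```

A reply like the one IAS logged above, with Windows authentication succeeding but no group attribute, decodes to an empty group list and fails `device_check`, which is the situation the firewall's error message describes.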