cacv12000
asked on
Change RADIUS server that Cisco PIX 506E uses for VPN authentication
Hello,
We are getting rid of a server in our domain that happens to be the IAS RADIUS server that our Cisco PIX uses for VPN authentication. I'm trying to change the PIX conf so it looks at the new server instead of the old.
Here's what I did:
pix# aaa-server RADIUS (inside) host NEWSERVER secretpassword timeout 30
pix# no aaa-server RADIUS (inside) host OLDSERVER secretpassword timeout 30
On the new IAS server I created an access policy exactly the same as on the old server and registered the new IAS server in Active Directory.
Now when I try to VPN in, I get an access denied message in the Event Viewer of the new IAS server for my user name and/or password. Eventually after a few tries, my account becomes locked out in AD. I have Dial-In access enabled and I'm able to log into the domain just fine.
Any Suggestions?
Thanks!
From the PIX Conf
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host NEWSERVER secretpassword timeout 30
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
crypto map vpnmap client authentication RADIUS
Here's the Event from the new IAS server:
Event Type: Warning
Event Source: IAS
Event Category: None
Event ID: 2
Date: 3/4/2008
Time: 3:51:46 PM
User: N/A
Computer: NEWSERVER
Description:
User myusername was denied access.
Fully-Qualified-User-Name = DOMAIN\myusername
NAS-IP-Address = 192.168.0.1
NAS-Identifier = <not present>
Called-Station-Identifier = <not present>
Calling-Station-Identifier = ###.###.###.###
Client-Friendly-Name = PIX Firewall
Client-IP-Address = 192.168.0.1
NAS-Port-Type = <not present>
NAS-Port = 146
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = <undetermined>
Authentication-Type = PAP
EAP-Type = <undetermined>
Reason-Code = 16
Reason = Authentication was not successful because an unknown user name or incorrect password was used.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 2e 05 07 80 ...?
great . please apply the article and post the feedback :)
do not forget to close the question with the appropriate action when it is solved.
waiting for your reply
ASKER
I got it to work on another Windows 2003 Server in our domain without having to apply the hotfix.
I did run into the following error though:
User DOMAIN\username was denied access.
Fully-Qualified-User-Name = domain.com/Users/username
NAS-IP-Address = 192.168.0.1
NAS-Identifier = <not present>
Called-Station-Identifier = <not present>
Calling-Station-Identifier = ###.###.###.###
Client-Friendly-Name = PIX Firewall
Client-IP-Address = 192.168.0.1
NAS-Port-Type = <not present>
NAS-Port = 221
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = VPN Access
Authentication-Type = PAP
EAP-Type = <undetermined>
Reason-Code = 66
Reason = The user attempted to use an authentication method that is not enabled on the matching remote access policy.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
I fixed that by checking the correct authentication method (PAP) in the access policy and restarted the IAS service. My PIX conf above was correct.
Thanks!
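The two IAS events quoted in this thread (Reason-Code 16 with no matched policy, and Reason-Code 66 against the "VPN Access" policy) can be triaged automatically. The script below is an added example, not part of the original thread or any Microsoft/Cisco tool; it parses the "Name = value" event description format shown above, maps the two reason codes to the check an admin makes first, and counts repeated reason-16 rejections per user and NAS because those are what lock the AD account. The sample events are constructed from the attributes on this page, and the triage text is a heuristic, not an IAS rule.

```python
import re

# Constructed sample events in the "Name = value" layout of the IAS event
# descriptions quoted on this page (trimmed to the attributes used below).
SAMPLE_EVENTS = [
    "Fully-Qualified-User-Name = DOMAIN\\myusername\n"
    "NAS-IP-Address = 192.168.0.1\n"
    "Policy-Name = <undetermined>\n"
    "Authentication-Type = PAP\n"
    "Reason-Code = 16\n",
    "Fully-Qualified-User-Name = domain.com/Users/username\n"
    "NAS-IP-Address = 192.168.0.1\n"
    "Policy-Name = VPN Access\n"
    "Authentication-Type = PAP\n"
    "Reason-Code = 66\n",
]

ATTR_RE = re.compile(r"^\s*([A-Za-z-]+)\s*=\s*(.*?)\s*$")


def parse_ias_event(text):
    """Return the 'Name = value' attributes of one event description as a dict."""
    attrs = {}
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if m:
            attrs[m.group(1)] = m.group(2)
    return attrs


def triage(attrs):
    """First check for the two reason codes seen in this thread (heuristic)."""
    code = attrs.get("Reason-Code")
    if code == "66":
        # Policy matched but the auth method is disabled: enable it (PAP here).
        return "enable %s in remote access policy '%s', then restart IAS" % (
            attrs.get("Authentication-Type", "?"), attrs.get("Policy-Name", "?"))
    if code == "16":
        # Rejected before any policy matched. With PAP a wrong RADIUS shared secret
        # decodes to a wrong password, so check the secret on both ends first.
        return "verify RADIUS shared secret on PIX and IAS client entry, then the account"
    return "unhandled reason code %s" % code


def lockout_risk(events, threshold=3):
    """Count reason-16 rejections per (user, NAS); repeats will lock the AD account."""
    hits = {}
    for text in events:
        a = parse_ias_event(text)
        if a.get("Reason-Code") == "16":
            key = (a.get("Fully-Qualified-User-Name"), a.get("NAS-IP-Address"))
            hits[key] = hits.get(key, 0) + 1
    return {k: n for k, n in hits.items() if n >= threshold}
```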
Good news, glad you are fixed :)
Have you found a resolution to your problem cacv12000 as I have the same issue as you?
Whenever I try and connect as a client I get an error in the event viewer saying: There was an authentication failure of an unknown username or a bad password
The server that's not working is shown as
Fully-Qualified-User-Name = Domain name\username
I think it's because when people connect via VPN, the server can't find the username at that specific location in AD.
One thing I am not sure about is, can you have a DC that was named 'server_name', then demote it from being a domain controller to a member server and then delete it out of AD, then bring on another server with the same name and make that a DC and run IAS on it? Somehow does AD not like this and leave remnants of the old server name there?
Any help would be most appreciated
Old link above; see http://petenetlive.com/KB/Article/0000071.htm instead.