doregoborrego

asked on

VPN - CISCO PIX501 & IAS CISCO CLIENT Authentication issue

Hello

I am trying to set up a VPN through the Cisco VPN Client software connecting to a PIX 501 using IAS on Windows 2003.

I followed the guide posted at https://www.experts-exchange.com/questions/21254709/PIX-501-VPN-Configuration.html.

When I try to connect using the VPN client, a Cisco box comes up stating that the server requires further authentication (presuming this is the IAS server requesting). I have tried using my AD user name and password but it just bounces back "not a valid user name or password"???

Any ideas?

One bit that I am not sure about is what my RADIUS clients should be. I have just created a client for the PIX with the IP address of the same. Is this wrong? If so, what should my 'Clients' be???

Cheers

Dorego

More Info:

User Authentication:

The server has requested the following information to complete the user authentication

U
P

Secure VPN Connection terminated locally by the client.
Reason 413: user authentication failed.

btassure

You need to go into the connection profile and enable the other, less secure, authentication methods. As the PIX is relaying the password it makes an authentication request to RADIUS/IAS using PAP (I think). I just enable all the authentication methods personally.

Open IAS -> Remote Access Policies -> Right click on your policy and go to properties -> Edit profile -> Authentication tab -> Check all the boxes. Save and close.
doregoborrego

ASKER

Thanks for your reply

All authentication methods are checked already???

Cheers

Can you check your system log on the IAS server? It should show the events generated by IAS. At the bottom of the failures (will show as errors in the log) it will give the reason for the failure. Can you copy and paste the event here please?
Thanks

Is this what you mean?
Use Windows authentication for all users,4108,192.168.0.254,4116,0,4128,PIX,4155,1,4136,3,4142,16

Cheers

Erm,

is that the event from Windows Event Viewer?

Sorry, that was from the IAS log file. Copy of the event below.

Cheers

Event Type:      Warning
Event Source:      IAS
Event Category:      None
Event ID:      2
Date:            11/08/2008
Time:            12:23:36
User:            N/A
Computer:      XXXXXXXXXX
Description:
User XXXXXXXXX was denied access.
 Fully-Qualified-User-Name = XXXXXXXXXXX
 NAS-IP-Address = 192.168.0.254 {ADDRESS OF PIX}
 NAS-Identifier = <not present>
 Called-Station-Identifier = <not present>
 Calling-Station-Identifier = 80.193.182.22
 Client-Friendly-Name = PIX
 Client-IP-Address = 192.168.0.254
 NAS-Port-Type = <not present>
 NAS-Port = 47
 Proxy-Policy-Name = Use Windows authentication for all users
 Authentication-Provider = Windows
 Authentication-Server = <undetermined>
 Policy-Name = <undetermined>
 Authentication-Type = PAP
 EAP-Type = <undetermined>
 Reason-Code = 16
 Reason = Authentication was not successful because an unknown user name or incorrect password was used.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 2e 05 07 80               ....
That's a password error. See the bottom line.

It is also possible that the user is not in the correct group or does not have dial-in permissions set. Check the policy to see if they need to be in a group or not and confirm the user's status. Also check the user account in AD and make sure that on the dial-in tab they are set to allow access.
Hello

User account enabled in AD.

When you talk about Group. What do you mean exactly, which group?

I don't think my RADIUS client is right. Below is what I called my RADIUS client; is this correct:

Client-Friendly-Name = PIX
 Client-IP-Address = 192.168.0.254 (address of Pix)

Cheers

Alex.
Is there anything in "Remote Policy Conditions" in the Remote Access Policy in IAS?
No, just time restrictions which are all permitted...

Other than that it just looks like a wrong password. You aren't using a domain prefix with it or anything are you? It should just be username and password. NOT domain\username or username@domain!
Tried it with all the various prefixes.... but will double check again tonight...

Thanks for your help, appreciated.

Cheers
Try creating a test account or something...
After a fair amount of testing still no joy....

Used the IAS logger, and when a user tries to connect we get three rejections then locked-out errors. When we check in AD the account is locked out, so they are talking...

Tried this with a number of users still the same...

Got to be something stupid....


<connect StartDateTime="08/12/2008 12:16:29" UserName="XXXXXX" StopDateTime="08/12/2008 12:16:29" Duration="00:00:00" UserIP="0.0.0.0" OutputOctets="0" InputOctets="0" ConnectRequest="IAS_AUTH_FAILURE" ConnectResult="Rejected" />
  <connect StartDateTime="08/12/2008 12:16:34" UserName="XXXXXX" StopDateTime="08/12/2008 12:16:34" Duration="00:00:00" UserIP="0.0.0.0" OutputOctets="0" InputOctets="0" ConnectRequest="IAS_AUTH_FAILURE" ConnectResult="Rejected" />
  <connect StartDateTime="08/12/2008 12:16:39" UserName="XXXXXX" StopDateTime="08/12/2008 12:16:39" Duration="00:00:00" UserIP="0.0.0.0" OutputOctets="0" InputOctets="0" ConnectRequest="IAS_AUTH_FAILURE" ConnectResult="Rejected" />
  <connect StartDateTime="08/12/2008 12:16:44" UserName="XXXXXX" StopDateTime="08/12/2008 12:16:44" Duration="00:00:00" UserIP="0.0.0.0" OutputOctets="0" InputOctets="0" ConnectRequest="IAS_AUTH_FAILURE" ConnectResult="Rejected" />
  <connect StartDateTime="08/12/2008 12:19:20" UserName="XXXXXX" StopDateTime="08/12/2008 12:19:20" Duration="00:00:00" UserIP="0.0.0.0" OutputOctets="0" InputOctets="0" ConnectRequest="IAS_ACCOUNT_LOCKED_OUT" ConnectResult="Rejected" />
  <connect StartDateTime="08/12/2008 12:19:25" UserName="XXXXXX" StopDateTime="08/12/2008 12:19:25" Duration="00:00:00" UserIP="0.0.0.0" OutputOctets="0" InputOctets="0" ConnectRequest="IAS_ACCOUNT_LOCKED_OUT" ConnectResult="Rejected" />
  <connect StartDateTime="08/12/2008 12:19:30" UserName="XXXXXX" StopDateTime="08/12/2008 12:19:30" Duration="00:00:00" UserIP="0.0.0.0" OutputOctets="0" InputOctets="0" ConnectRequest="IAS_ACCOUNT_LOCKED_OUT" ConnectResult="Rejected" />


This is a copy of the IAS event log, if it helps. Oh, please help?????


Event Type:      Warning
Event Source:      IAS
Event Category:      None
Event ID:      2
Date:            12/08/2008
Time:            16:28:29
User:            N/A
Computer:      XXXXXX\user
Description:
User XXXXXX was denied access.
 Fully-Qualified-User-Name = XXXXXXXX\XXXXX
 NAS-IP-Address = 192.168.0.254
 NAS-Identifier = <not present>
 Called-Station-Identifier = <not present>
 Calling-Station-Identifier = 80.193.182.22
 Client-Friendly-Name = PIXFIREWALL
 Client-IP-Address = 192.168.0.254
 NAS-Port-Type = <not present>
 NAS-Port = 139
 Proxy-Policy-Name = Time
 Authentication-Provider = Windows
 Authentication-Server = <undetermined>
 Policy-Name = <undetermined>
 Authentication-Type = PAP
 EAP-Type = <undetermined>
 Reason-Code = 16
 Reason = Authentication was not successful because an unknown user name or incorrect password was used.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 2e 05 07 80               ....
Can you post your PIX config as well please? Everything here looks fine other than the password failure. Perhaps it is being encrypted incorrectly or something?
Thanks for your persistence!!!!


PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 78lewVzVYCLh7BVs encrypted
passwd a.mMzDvcg4m1tOyh encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_in permit tcp any interface outside eq smtp
access-list outside_in permit tcp any interface outside eq www
access-list outside_in permit tcp any interface outside eq https
access-list outside_in permit tcp any interface outside eq pop3
access-list VPN permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list ping_acl permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute retry 4
ip address inside 192.168.0.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 192.168.2.1-192.168.2.100
pdm location 192.168.0.44 255.255.255.255 inside
pdm location 192.168.0.100 255.255.255.255 inside
pdm location 82.110.35.82 255.255.255.255 outside
pdm location 192.168.2.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list VPN
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface smtp 192.168.0.150 smtp dns netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 192.168.0.150 pop3 dns netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.0.150 www dns netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 192.168.0.150 https dns netmask 255.255.255.255 0 0
access-group outside_in in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server partnerauth protocol radius
aaa-server partnerauth max-failed-attempts 3
aaa-server partnerauth deadtime 10
aaa-server partnerauth (inside) host 192.168.0.150 pixfirewall timeout 5
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 1 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication partnerauth
crypto map mymap interface outside
isakmp enable outside
isakmp enable inside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn3000 address-pool ippool
vpngroup vpn3000 dns-server 192.168.0.170
vpngroup vpn3000 wins-server 192.168.0.170
vpngroup vpn3000 default-domain XXXXXXX
vpngroup vpn3000 split-tunnel VPN
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 60
console timeout 0
dhcpd address 192.168.0.180-192.168.0.250 inside
dhcpd dns 192.168.0.170
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain XXXXXXX
dhcpd enable inside
username XXXXXXXXX password NY5Q.xo4bTPvu3gL encrypted privilege 15 {NOT SURE WHAT THIS IS HERE FOR}
terminal width 80
Cryptochecksum:e2f0384fa38c9026f2db7a7b70a9dd8f
: end
[OK]
pixfirewall(config)#
Just some screen grabs of IAS settings.

Doing my head in!!
I doubt it would make enough of a difference to get the errors you are seeing but I would set the client type to Cisco (it should be in the drop down) as the vendors do all differ slightly in their implementation so IAS may be expecting a different data type...
Tried with fingers crossed but no joy!!!!

I am currently trying to set this up on a member server.

I set IAS up on the domain controller and pointed the firewall to this and still get the same result...

Have you authorised the server in AD?
Erm,

have you rebooted? I'm running out of ideas...
So Am I.....  Will reboot, put a pencil behind my ear, and hop on one leg...
Fingers crossed here for you :o)
No, no joy... wonder if I should try the other ear!!!

Don't know what to do now...

Stumped... any ideas on any workarounds or alternative methods?

Cheers
Take a backup of the PIX config, remove anything relating to AAA or VPN, save it, reload it and then reenter those bits one at a time. Back to basics.
Re-configured all of the PIX and still no joy.

Got to be something in the way I have configured IAS.

Get this in the Security event log when I try and log in by VPN:


Event Type:      Failure Audit
Event Source:      Security
Event Category:      Account Logon
Event ID:      680
Date:            18/08/2008
Time:            14:55:55
User:            NT AUTHORITY\SYSTEM
Computer:      **********
Description:
Logon attempt by:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 Logon account:      *********
 Source Workstation:      
 Error Code:      0xC0000234


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
All the events you are pasting are saying it is an auth issue - generally a bad password but I don't believe you are getting it wrong every time. I assume you have reset it to something simple like password and tested?

Buggered if I know what's up with it....

Could I just set up a VPN through Windows Server 2003 and get the PIX to forward directly to the VPN server???

If so , is this less secure than through the pix, what other issues might be considered?

Cheers
Forwarding ports for a proper IPsec session will be a pain.  PPTP would be easier. Still not a great solution though.

There are ways to test AAA from the ASA itself:
http://ciscotips.wordpress.com/2006/05/03/testing-remote-authentication-of-users-on-wireless-network/
ASKER CERTIFIED SOLUTION
peterellis
I actually sacked this off a number of months ago... but need to look at this again. Will set up early this week and see if we can sort this out.

doregoborrego:

Just wondering if you have any further developments on this project??.
I'm still working on this at my end.
doregoborrego:
Just had a breakthrough at my end: make sure you input the correct 'shared secret' key into the IAS server's configuration. The key is input on the screen where you input the friendly name, the IP address etc. Get back to me if you need more assistance. Hope you get yours working.
Ok Peter

Got this pencilled in for early next week

Will give it a whirl

Fingers crossed!!
God, tried this again now from home and still no joy....

Just would not authenticate when it asked for U/P - error 413...

I know it's passing info on to the server, because my smartphone is asking for my password, meaning I have been locked out!!!!

Still Holding out for a solution to this.

Some screen dumps from the IAS log. Seems to authenticate, then it's rejected straight after!!!
Think I might have cracked it.... will test further tonight.

But Peter Ellis's suggestion about checking that the shared secret 'pixfirewall' in the

PIX command
aaa-server partnerauth (inside) host 192.168.0.xxx 'pixfirewall' timeout 5

and then in the IAS settings
are the same (this is not asking for the PRE-SHARED key, as I have foolishly discovered).

Also need to assign the VPN pool IP

as detailed here: https://www.experts-exchange.com/questions/23568428/CISCO-PIX-VPN-Tunnels-backend-to-an-IAS-server.html
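Why a wrong shared secret shows up in IAS as "unknown user name or incorrect password" (Reason-Code 16) rather than as a secret mismatch comes down to how RADIUS carries a PAP password. The following Python is an added illustration, not code from any post in this thread: it implements the RFC 2865 User-Password hiding the PIX applies and the reverse step IAS performs with its own copy of the secret. The secrets, password and authenticator are constructed values.

```python
import hashlib
import os

# Constructed values for the demo; the thread's real secret is not on the page.
PIX_SECRET = b"pixfirewall"        # secret on the PIX "aaa-server partnerauth" line
IAS_SECRET_WRONG = b"ISAKMP-key"   # what the IAS client entry held by mistake (constructed)


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding, as the NAS (PIX) does for PAP.
    Pad to 16-byte blocks, then XOR each block with MD5(secret + previous block);
    the first 'previous block' is the 16-byte Request Authenticator."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16) if password else b"\x00" * 16
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return bytes(out)


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse step, as the RADIUS server (IAS) does with *its* copy of the secret.
    Trailing NUL padding is stripped, so a password may not end in NUL bytes."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def ias_verdict(hidden: bytes, server_secret: bytes, authenticator: bytes, ad_password: bytes) -> str:
    """An Access-Request without a Message-Authenticator attribute carries nothing the
    server can check the secret against, so a wrong secret just yields a garbage
    password; the Windows logon then fails and IAS reports reason 16."""
    recovered = reveal_user_password(hidden, server_secret, authenticator)
    return "Access-Accept" if recovered == ad_password else "Reason-Code 16: bad user name or password"


if __name__ == "__main__":
    ra = os.urandom(16)                       # Request Authenticator chosen by the NAS
    hidden = hide_user_password(b"MyADpassw0rd", PIX_SECRET, ra)
    print(ias_verdict(hidden, PIX_SECRET, ra, b"MyADpassw0rd"))        # Access-Accept
    print(ias_verdict(hidden, IAS_SECRET_WRONG, ra, b"MyADpassw0rd"))  # Reason-Code 16
```

Each garbage password is still tried against AD as a real logon, which is why three attempts with a mismatched secret produce the IAS_ACCOUNT_LOCKED_OUT entries seen earlier in the thread.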

Did anyone find a solution to this?