doregoborrego
asked on
VPN - CISCO PIX501 & IAS CISCO CLIENT Authentication issue
Hello
I am trying to set up a VPN through Cisco VPN Client software connecting to a PIX 501 using IAS on Windows 2003
I followed the guide posted https://www.experts-exchange.com/questions/21254709/PIX-501-VPN-Configuration.html..
When I try to connect using the VPN client a Cisco box comes up stating that server requires further authentication (presuming this is the IAS server requesting). I have tried using my AD user name and password but it just bounces back not a valid user name or password???
Any ideas?
One bit that I am not sure about is what my RADIUS clients should be? I have just created a client for the PIX and the IP address of the same. Is this wrong? If so what should my 'Clients' be???
Cheers
Dorego
More Info:
User Authentication:
The server has requested the following information to complete the user authentication
U
P
Secure VPN Connection terminated locally by the client.
Reason 413: user authentication failed.
ASKER
Thanks for your reply
All Authentication methods are checked already???
Cheers
Can you check your system log on the IAS server? It should show the events generated by IAS. At the bottom of the failures (will show as errors in the log) it will give the reason for the failure. Can you copy and paste the event here please?
ASKER
Thanks
Is this what you mean?
Use Windows authentication for all users,4108,192.168.0.254,4116,0,4128,PIX,4155,1,4136,3,4142,16
Cheers
Erm,
is that the event from Windows Event Viewer?
ASKER
Sorry , that was from the IAS log file: Copy Event Id Below.
Cheers
Event Type: Warning
Event Source: IAS
Event Category: None
Event ID: 2
Date: 11/08/2008
Time: 12:23:36
User: N/A
Computer: XXXXXXXXXX
Description:
User XXXXXXXXX was denied access.
Fully-Qualified-User-Name = XXXXXXXXXXX
NAS-IP-Address = 192.168.0.254 {ADDRESS OF PIX}
NAS-Identifier = <not present>
Called-Station-Identifier = <not present>
Calling-Station-Identifier
Client-Friendly-Name = PIX
Client-IP-Address = 192.168.0.254
NAS-Port-Type = <not present>
NAS-Port = 47
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = <undetermined>
Authentication-Type = PAP
EAP-Type = <undetermined>
Reason-Code = 16
Reason = Authentication was not successful because an unknown user name or incorrect password was used.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 2e 05 07 80 ...€
That's a password error. See the bottom line.
It is also possible that the user is not in the correct group or does not have dial-in permissions set. Check the policy to see if they need to be in a group or not and confirm the user's status. Also check the user account in AD and make sure that on the dial-in tab they are set to allow access.
ASKER
Hello
User account enabled in AD.
When you talk about Group. What do you mean exactly, which group?
I don't think my Radius client is right, below is what i called my radius client is this correct:
Client-Friendly-Name = PIX
Client-IP-Address = 192.168.0.254 (address of Pix)
Cheers
Alex.
Is there anything in "Remote Policy Conditions" in the Remote Access Policy in IAS?
ASKER
No, just time restrictions which are all permitted...
Other than that it just looks like a wrong password. You aren't using a domain prefix with it or anything are you? It should just be username and password. NOT domain\username or username@domain!
ASKER
Tried it with all the various prefixes.... but will double check again tonight...
Thanks for your help, appreciated.
Cheers
Try creating a test account or something...
ASKER
After a fair amount of testing still no joy....
Used IAS logger, and when a user tries to connect get three rejections then locked out errors. When we check in AD - account is locked out so they are talking...
Tried this with a number of users still the same...
Got to be something stupid....
<connect StartDateTime="08/12/2008 12:16:29" UserName="XXXXXX" StopDateTime="08/12/2008 12:16:29" Duration="00:00:00" UserIP="0.0.0.0" OutputOctets="0" InputOctets="0" ConnectRequest="IAS_AUTH_FAILURE" ConnectResult="Rejected" />
<connect StartDateTime="08/12/2008 12:16:34" UserName="XXXXXX" StopDateTime="08/12/2008 12:16:34" Duration="00:00:00" UserIP="0.0.0.0" OutputOctets="0" InputOctets="0" ConnectRequest="IAS_AUTH_FAILURE" ConnectResult="Rejected" />
<connect StartDateTime="08/12/2008 12:16:39" UserName="XXXXXX" StopDateTime="08/12/2008 12:16:39" Duration="00:00:00" UserIP="0.0.0.0" OutputOctets="0" InputOctets="0" ConnectRequest="IAS_AUTH_FAILURE" ConnectResult="Rejected" />
<connect StartDateTime="08/12/2008 12:16:44" UserName="XXXXXX" StopDateTime="08/12/2008 12:16:44" Duration="00:00:00" UserIP="0.0.0.0" OutputOctets="0" InputOctets="0" ConnectRequest="IAS_AUTH_FAILURE" ConnectResult="Rejected" />
<connect StartDateTime="08/12/2008 12:19:20" UserName="XXXXXX" StopDateTime="08/12/2008 12:19:20" Duration="00:00:00" UserIP="0.0.0.0" OutputOctets="0" InputOctets="0" ConnectRequest="IAS_ACCOUNT_LOCKED_OUT" ConnectResult="Rejected" />
<connect StartDateTime="08/12/2008 12:19:25" UserName="XXXXXX" StopDateTime="08/12/2008 12:19:25" Duration="00:00:00" UserIP="0.0.0.0" OutputOctets="0" InputOctets="0" ConnectRequest="IAS_ACCOUNT_LOCKED_OUT" ConnectResult="Rejected" />
<connect StartDateTime="08/12/2008 12:19:30" UserName="XXXXXX" StopDateTime="08/12/2008 12:19:30" Duration="00:00:00" UserIP="0.0.0.0" OutputOctets="0" InputOctets="0" ConnectRequest="IAS_ACCOUNT_LOCKED_OUT" ConnectResult="Rejected" />
ASKER
This is a copy of the IAS event Log, if it helps, oh please help?????
Event Type: Warning
Event Source: IAS
Event Category: None
Event ID: 2
Date: 12/08/2008
Time: 16:28:29
User: N/A
Computer: XXXXXX\user
Description:
User XXXXXX was denied access.
Fully-Qualified-User-Name = XXXXXXXX\XXXXX
NAS-IP-Address = 192.168.0.254
NAS-Identifier = <not present>
Called-Station-Identifier = <not present>
Calling-Station-Identifier = 80.193.182.22
Client-Friendly-Name = PIXFIREWALL
Client-IP-Address = 192.168.0.254
NAS-Port-Type = <not present>
NAS-Port = 139
Proxy-Policy-Name = Time
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = <undetermined>
Authentication-Type = PAP
EAP-Type = <undetermined>
Reason-Code = 16
Reason = Authentication was not successful because an unknown user name or incorrect password was used.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 2e 05 07 80 ...€
Can you post your PIX config as well please? Everything here looks fine other than the password failure. Perhaps it is being encrypted incorrectly or something?
ASKER
Thanks for your persistence!!!!
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 78lewVzVYCLh7BVs encrypted
passwd a.mMzDvcg4m1tOyh encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_in permit tcp any interface outside eq smtp
access-list outside_in permit tcp any interface outside eq www
access-list outside_in permit tcp any interface outside eq https
access-list outside_in permit tcp any interface outside eq pop3
access-list VPN permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list ping_acl permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute retry 4
ip address inside 192.168.0.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 192.168.2.1-192.168.2.100
pdm location 192.168.0.44 255.255.255.255 inside
pdm location 192.168.0.100 255.255.255.255 inside
pdm location 82.110.35.82 255.255.255.255 outside
pdm location 192.168.2.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list VPN
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface smtp 192.168.0.150 smtp dns netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 192.168.0.150 pop3 dns netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.0.150 www dns netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 192.168.0.150 https dns netmask 255.255.255.255 0 0
access-group outside_in in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server partnerauth protocol radius
aaa-server partnerauth max-failed-attempts 3
aaa-server partnerauth deadtime 10
aaa-server partnerauth (inside) host 192.168.0.150 pixfirewall timeout 5
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 1 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication partnerauth
crypto map mymap interface outside
isakmp enable outside
isakmp enable inside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn3000 address-pool ippool
vpngroup vpn3000 dns-server 192.168.0.170
vpngroup vpn3000 wins-server 192.168.0.170
vpngroup vpn3000 default-domain XXXXXXX
vpngroup vpn3000 split-tunnel VPN
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 60
console timeout 0
dhcpd address 192.168.0.180-192.168.0.250 inside
dhcpd dns 192.168.0.170
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain XXXXXXX
dhcpd enable inside
username XXXXXXXXX password NY5Q.xo4bTPvu3gL encrypted privilege 15 {NOT SURE WHAT THIS IS HERE FOR}
terminal width 80
Cryptochecksum:e2f0384fa38c9026f2db7a7b70a9dd8f
: end
[OK]
pixfirewall(config)#
ASKER
Just Some Screen Grabs of IAS settings
Doing my head in!!
ScreenShot001.jpg
ScreenShot002.jpg
ScreenShot003.jpg
I doubt it would make enough of a difference to get the errors you are seeing but I would set the client type to Cisco (it should be in the drop down) as the vendors do all differ slightly in their implementation so IAS may be expecting a different data type...
ASKER
Tried with fingers crossed but no Joy!!!!
I am currently trying to set this up on a member server.
I set IAS up on the domain controller and pointed the firewall to this and still get the same result...
Have you authorised the server to use AD?
ASKER
oh yes
ScreenShot004.jpg
Erm,
have you rebooted? I'm running out of ideas...
ASKER
So Am I..... Will reboot, put a pencil behind my ear, and hop on one leg...
Fingers crossed here for you :o)
ASKER
No, No joy... wonder if i should try the other ear!!!
Don't know what to do now...
Stumped,,,, any ideas on any workarounds or alternative methods
Cheers
Take a backup of the PIX config, remove anything relating to AAA or VPN, save it, reload it and then reenter those bits one at a time. Back to basics.
ASKER
re-configured all of the Pix and still no joy.
Got to be something in the way i have configured IAS
ASKER
Get this in the Security event log, when I try and log in by VPN?
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
Date: 18/08/2008
Time: 14:55:55
User: NT AUTHORITY\SYSTEM
Computer: **********
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_P
Logon account: *********
Source Workstation:
Error Code: 0xC0000234
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
All the events you are pasting are saying it is an auth issue - generally a bad password but I don't believe you are getting it wrong every time. I assume you have reset it to something simple like password and tested?
ASKER
buggered if i know whats up with it....
Could i just set up a VPN through Windows server 2003 and get the Pix to forward directly to VPN Server???
If so , is this less secure than through the pix, what other issues might be considered?
Cheers
Forwarding ports for a proper IPsec session will be a pain. PPTP would be easier. Still not a great solution though.
There are ways to test AAA from the ASA itself:
http://ciscotips.wordpress.com/2006/05/03/testing-remote-authentication-of-users-on-wireless-network/
ASKER
I actually sacked off this a number of months ago... but need to look at this again.. Will setup early this week and see if we can sort this out.
doregoborrego:
Just wondering if you have any further developments on this project??.
I'm still working on this at my end.
doregoborrego:
Just had a breakthrough at my end, make sure you input the correct 'shared secret' key into the IAS server's configuration. The key is inputted on the screen where you input the friendly name, the IP address etc. Get back to me if you need more assistance. Hope you get yours working.
ASKER
Ok Peter
Got this pencilled in for early next week
Will give it a whirl
Fingers crossed!!
ASKER
God, tried this again now from home and still no joy....
Just would not authenticate when it asked for U/P - error 413...
I know its passing info on to the server because my smartphone is asking for my password, meaning I have been locked out!!!! -
ASKER
Still Holding out for a solution to this.
Some screen dumps from IAS log - Seems to authenticate then its rejected straight after!!!
Duplicate-File-Names022.jpg
Duplicate-File-Names021.jpg
ASKER
Think I might have cracked it .... will test further tonight.
But Peter Ellis' suggestion about checking that the shared secret 'pixfirewall'
Pix Command
aaa-server partnerauth (inside) host 192.168.0.xxx 'pixfirewall' timeout 5
and then in IAS settings
are the same (this is not asking for the PRE-SHARED Key as I have foolishly discovered).
Also need to assign VPN POOL IP
as detailed here: https://www.experts-exchange.com/questions/23568428/CISCO-PIX-VPN-Tunnels-backend-to-an-IAS-server.html
ScreenShot025.jpg
Did anyone find a solution to this?
Open IAS -> Remote Access Policies -> Right click on your policy and go to properties -> Edit profile -> Authentication tab -> Check all the boxes. Save and close.