• Status: Solved

Cisco AnyConnect / IAS Radius problem

I have finally gotten my ASA 5520 authenticating to my 2003 IAS Radius server with MS-CHAPv2, and according to the event I have attached, it is granting access.  I actually get two events in a row like this every time.  I have a Remote Access Policy that grants access to everybody in a certain group, and I have my user account set to "Control access through Remote Access Policy" (and of course, I have put myself in that group).  So, according to the event as shown in the attachment, it looks like it is working.

The problem is that on my client, when I try to log in (and I get the attached event on the server), it sits there for a little bit, then I get a "Connection attempt has failed (timeout)."

Is there a part of the setup for this kind of authentication that I am missing?

Event Type: Information
Event Source: IAS
Event Category: None
Event ID: 1
Date: 11/21/2010
Time: 10:11:36 PM
User: N/A
Computer: GMSDC1
Description:
User bbeachy was granted access.
Fully-Qualified-User-Name = goshenschools.org/Goshen Schools/OTIS/Staff/Branden Beachy
NAS-IP-Address = 10.101.1.10
NAS-Identifier = <not present>
Client-Friendly-Name = 10.101.1.10
Client-IP-Address = 10.101.1.10
Calling-Station-Identifier = 184.2.157.87
NAS-Port-Type = Virtual
NAS-Port = 3743744
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = VPN
Authentication-Type = MS-CHAPv2
EAP-Type = <undetermined>

Asked by: brandenb
 
kellemann Commented:
You can do a test directly on the firewall to determine if there is indeed an authentication problem. The command is:
test aaa-server authentication <AAA groupname> host <ip for server GMSDC1> username bbeachy
 
brandenb (Author) Commented:
When I test it that way, it asks me for my password, and after I give that, it waits 12 seconds, then says "ERROR: Authentication Server not responding: No error"
I look on the IAS server, and again I get the "user bbeachy was granted access" event.

So, it's like the IAS server is getting the request and authenticating it, but not getting the message back to the ASA...
 
kellemann Commented:
Ok, sounds like the ASA hands off the data to the IAS in a correct manner, but the answer somehow gets garbled or lost. Could you post the client configuration on the IAS?
 
brandenb (Author) Commented:
Is this what you wanted to see?  I have tried setting the Client-Vendor to both Radius Standard as well as Cisco, and it makes no difference either way.
error.JPG
 
brandenb (Author) Commented:
Just to reiterate, the IAS server authentication is working perfectly.  If I set my user account to either Allow, or Control through Policy, the event log shows that I AM granted access, and if I change my account to "deny", then the event log shows that access was denied.

So, the only problem is that that information isn't getting back to the ASA - it times out saying the Authentication Server is not responding.
 
kellemann Commented:
I once encountered a strange problem. Don't know if it applies here, but worth trying.
The ASA refused to authenticate users, until the default vpn group (DefaultWEBVPNGroup) was configured to use the same AAA group as the "real" group.
If that doesn't work, please post the configuration of the remote access policy in IAS, specifically the part regarding authentication (Properties on policy -> Edit profile -> Authentication tab)
 
brandenb (Author) Commented:
Well, I'm not totally sure what made it start working, but after playing with all the settings, and restarting the server, now it works.

Thanks for your help!
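
Added example, not part of the thread and not Cisco or Microsoft code: the RFC 2865 Response Authenticator check that a RADIUS client such as the ASA applies to every reply. A reply that fails it is silently discarded, so the client keeps waiting and eventually reports the server as not responding even though the server logged a grant. The thread does not establish that this was the cause here; the secrets, identifier and packet bytes below are constructed.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2  # RADIUS code for Access-Accept (RFC 2865)

def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_reply(code, ident, attrs, request_auth, secret):
    """Server side: serialize a reply signed with the server's copy of the secret."""
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs

def check_reply(packet, request_ident, request_auth, secret):
    """Client (NAS) side: decide whether a reply is usable or silently dropped."""
    if len(packet) < 20:
        return "drop: shorter than RADIUS header"
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        return "drop: bad length field"
    if ident != request_ident:
        return "drop: identifier does not match a pending request"
    expected = response_authenticator(code, ident, packet[20:length], request_auth, secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        return "drop: response authenticator mismatch"
    return "accept"

# Constructed sample values, not taken from the thread.
REQUEST_AUTH = bytes(range(16))          # authenticator the client sent in its request
REPLY_ATTRS = bytes([18, 4]) + b"ok"     # Reply-Message (type 18), total length 4
SERVER_SECRET = b"constructed-secret-A"
NAS_SECRET_SAME = b"constructed-secret-A"
NAS_SECRET_DIFF = b"constructed-secret-B"

if __name__ == "__main__":
    reply = build_reply(ACCESS_ACCEPT, 7, REPLY_ATTRS, REQUEST_AUTH, SERVER_SECRET)
    print(check_reply(reply, 7, REQUEST_AUTH, NAS_SECRET_SAME))  # secrets agree
    print(check_reply(reply, 7, REQUEST_AUTH, NAS_SECRET_DIFF))  # secrets differ
    print(check_reply(reply, 8, REQUEST_AUTH, NAS_SECRET_SAME))  # wrong identifier
```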