Cisco PIX (NO VPN) and IAS

From: Eric R (eromero_at_hotmail.com)
Date: 07/09/04

    Date: Fri, 9 Jul 2004 15:20:10 -0500
    
    

    Hello,

    I would like to enable AAA on our Cisco PIX 520 and use our IAS server to
    authenticate SSH connections to the PIX. I already use the IAS server for
    authentication for 2 other devices (a modem pool and a Nortel Contivity
    VPN).

    I set up IAS for the PIX client and configured the PIX to use RADIUS for SSH
    access. When I SSH to the PIX, I get the following message in the IAS Event
    Log:

    Event Type: Warning
    Event Source: IAS
    Event Category: None
    Event ID: 2
    Date: 7/9/2004
    Time: 2:54:18 PM
    User: N/A
    Computer: NS2
    Description:
    User EROMERO was denied access.
     Fully-Qualified-User-Name = METRO-DOMAIN\EROMERO
     NAS-IP-Address = 129.1.20.57
     NAS-Identifier = <not present>
     Called-Station-Identifier = <not present>
     Calling-Station-Identifier = <not present>
     Client-Friendly-Name = PIX
     Client-IP-Address = 129.1.20.57
     NAS-Port-Type = <not present>
     NAS-Port = 82
     Policy-Name = <undetermined>
     Authentication-Type = PAP
     EAP-Type = <undetermined>
     Reason-Code = 16
     Reason = There was an authentication failure because of an unknown user name or a bad password.

    Is there anything special I have to do on the IAS server?

