IAS to authenticate CISCO VPN traffic

From: buhlig (buhlig_at_discussions.microsoft.com)
Date: 01/14/05


Date: Fri, 14 Jan 2005 11:37:07 -0800

I just closed a TAC with CISCO about this issue and they are pointing to the
IAS server as the problem... I tend to have to agree with them due to the
nature of this issue.

I have a Cisco router configured with a group VPN key, and an IAS server
configured to handle authentication. I created a client within IAS called
CiscoRouter with the correct shared secret, and I have set the Client-Vendor
to Cisco and have also tried RADIUS Standard. I have checked the box for
"Request must contain the Message Authenticator attribute". (I will mention the
oddities of this further down.)

I have a policy in place called VPNAccessPolicy whose policy conditions are
NAS-Port-Type matches Virtual (VPN) AND Windows-Groups matches
domainname\Groupname.
Within this profile, under Authentication and Encryption, I have tried
multiple settings of the check boxes.

Here is what happens: I execute the Cisco IPsec client, it passes the shared
secret, then it prompts for authentication. I enter a bogus username and
password... it authenticates me. I can even log in as Username: T,
Password: T and it lets me in. I assure you that this account is not set up
on my network. When I go to the logs to see what is going on, the IAS
logs show who is logging on when, which policy they are using, etc. Now this
is all great: it tells me the router and the IAS server ARE communicating,
but it doesn't explain why I'm only getting the logging and not the
authentication.

Now for the odd part I mentioned earlier: if I enable "Request must
contain the Message Authenticator attribute" in the RADIUS client, I am unable
to authenticate with bogus or valid information.

Any help would be great on this because after a few weeks of troubleshooting
I am about to lose my mind....

TIA

Ben
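The "Request must contain the Message Authenticator attribute" setting mentioned in the post makes the RADIUS server check an HMAC-MD5 keyed with the shared secret over the whole Access-Request (RFC 2869), and the User-Password attribute is hidden with an MD5 keystream derived from the same secret (RFC 2865). The following is an added example, not code from the post or from IAS or Cisco, that builds an Access-Request the way a NAS would and then performs the two checks an IAS-style server does on it: verify the Message-Authenticator, and recover the User-Password. The shared secret, identifier and Request Authenticator are constructed values. Running it shows that a request built under one secret fails the Message-Authenticator check under any other secret, and that the password recovered under the wrong secret is garbage rather than the value the user typed.

```python
"""Minimal RADIUS Access-Request builder and server-side verifier (RFC 2865 / RFC 2869).
Added example for illustration; constants are taken from the RFCs, sample values are constructed."""
import hashlib
import hmac
import os
import struct
from typing import List, Optional, Tuple

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_PORT_TYPE = 61
ATTR_MESSAGE_AUTHENTICATOR = 80
NAS_PORT_TYPE_VIRTUAL = 5          # "Virtual" (the VPN port type matched by the IAS policy)


def _attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length (header included), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _password_xor(data: bytes, secret: bytes, req_auth: bytes, decrypt: bool) -> bytes:
    """RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous ciphertext block);
    the first block uses the Request Authenticator in place of a previous block."""
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        res = bytes(a ^ b for a, b in zip(block, pad))
        out += res
        prev = block if decrypt else res
    return out


def encrypt_user_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    padded = password.ljust(16 * max(1, (len(password) + 15) // 16), b"\x00")
    return _password_xor(padded, secret, req_auth, decrypt=False)


def decrypt_user_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    return _password_xor(hidden, secret, req_auth, decrypt=True).rstrip(b"\x00")


def build_access_request(ident: int, secret: bytes, username: bytes, password: bytes,
                         req_auth: Optional[bytes] = None) -> bytes:
    """What the NAS sends: User-Name, hidden User-Password, NAS-Port-Type=Virtual and a
    Message-Authenticator (HMAC-MD5 over the packet with that attribute's value zeroed)."""
    req_auth = os.urandom(16) if req_auth is None else req_auth
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_USER_PASSWORD, encrypt_user_password(password, secret, req_auth))
             + _attr(ATTR_NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_VIRTUAL)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs) + 18) + req_auth
    zeroed = header + attrs + _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    mac = hmac.new(secret, zeroed, hashlib.md5).digest()
    return header + attrs + _attr(ATTR_MESSAGE_AUTHENTICATOR, mac)


def parse_attributes(pkt: bytes) -> List[Tuple[int, int, bytes]]:
    """Yield (type, offset of value in pkt, value) for every attribute after the 20-byte header."""
    attrs, pos = [], 20
    while pos + 2 <= len(pkt):
        t, length = pkt[pos], pkt[pos + 1]
        if length < 2 or pos + length > len(pkt):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((t, pos + 2, pkt[pos + 2:pos + length]))
        pos += length
    return attrs


def verify_message_authenticator(pkt: bytes, secret: bytes) -> bool:
    """The server-side check behind 'Request must contain Message Authenticator attribute':
    the attribute must be present and must verify under the client's shared secret."""
    for t, off, val in parse_attributes(pkt):
        if t == ATTR_MESSAGE_AUTHENTICATOR:
            if len(val) != 16:
                return False
            expected = hmac.new(secret, pkt[:off] + bytes(16) + pkt[off + 16:], hashlib.md5).digest()
            return hmac.compare_digest(expected, val)
    return False  # attribute absent: reject when the option is enabled


def recover_credentials(pkt: bytes, secret: bytes) -> Tuple[bytes, bytes]:
    """What the server would hand to the account database after unhiding User-Password."""
    req_auth, user, pw = pkt[4:20], b"", b""
    for t, _, val in parse_attributes(pkt):
        if t == ATTR_USER_NAME:
            user = val
        elif t == ATTR_USER_PASSWORD:
            pw = decrypt_user_password(val, secret, req_auth)
    return user, pw


if __name__ == "__main__":
    secret = b"example-shared-secret"  # constructed; never reuse a real secret in a demo
    pkt = build_access_request(7, secret, b"T", b"T")
    print("same secret :", verify_message_authenticator(pkt, secret), recover_credentials(pkt, secret))
    print("other secret:", verify_message_authenticator(pkt, b"other"), recover_credentials(pkt, b"other"))
```

The second line of output is the defender's takeaway: when the secret configured on the RADIUS client entry differs from the one on the NAS, the Message-Authenticator check fails deterministically, and even without that check the unhidden password is random bytes, so a password lookup against the directory can only succeed by accident.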


