Re: IAS to authenticate CISCO VPN traffic
From: buhlig (buhlig_at_discussions.microsoft.com)
Date: 01/24/05
- Next message: Mudit Goel [MSFT]: "Re: RADIUS does it really work?"
- Previous message: Lars M. Hansen: "Re: RADIUS does it really work?"
- In reply to: Mudit Goel [MSFT]: "Re: IAS to authenticate CISCO VPN traffic"
- Messages sorted by: [ date ] [ thread ]
Date: Mon, 24 Jan 2005 10:19:03 -0800
I ran the netsh ras set tracing iassam enabled, and logged in with bogus
information and normal information but nothing populated the log file...
In the IAS log file I still see the normal log details as follows..
192.168.100.1,bogusinfo,01/24/2005,11:52:45,IAS,VPIFS1,31,<removed>,61,5,4,192.168.100.1,4108,192.168.100.1,4116,9,4128,CiscoRouter,4155,0,25,311 1 192.168.100.6 01/04/2005 15:20:25 231,4136,1,4142,0
192.168.100.1,bogusinfo,01/24/2005,11:52:45,IAS,VPIFS1,25,311 1 192.168.100.6 01/04/2005 15:20:25 231,4154,Use Windows authentication for all users,4155,0,4128,CiscoRouter,4116,9,4108,192.168.100.1,4136,2,4142,0
I will follow up with any information that I get in the iassam.log file..
Thanks,
Ben
"Mudit Goel [MSFT]" wrote:
> Can you please attach the snippet of iassam.log where it shows it
> communicating with the client? You can enable tracing by typing:
> netsh ras set tracing iassam enabled
> on a console window.
>
> Thanks
> Mudit
>
> --
> __________________________________________________________
> This posting is provided "AS IS" with no warranties, and confers no rights.
> __________________________________________________________
>
>
> "buhlig" <buhlig@discussions.microsoft.com> wrote in message
> news:53D5C58F-2957-4067-979F-A439D84A8B6A@microsoft.com...
> > I just closed a TAC with CISCO about this issue and they are pointing to the
> > IAS server as the problem... I tend to have to agree with them due to the
> > nature of this issue.
> >
> > I have a cisco router configured with a group VPN key, and an IAS server
> > configured to handle authentication. I created a client within IAS called
> > CiscoRouter with the correct shared secret and I have set the Client Vendor
> > as both Cisco and I have tried Radius Standard. I have checked the box about
> > Request must contain Message Authenticator attribute. (I will mention the
> > oddities of this further down).
> >
> > I have a policy in place called VPNAccessPolicy which policy conditions are
> > NAS-Port-Type matches Virtual(VPN) AND Windows-Groups Matches
> > domainname\Groupname.
> > Within this profile Under authentication and encryption I have tried
> > multiple settings of the check boxes.
> >
> > Here is what happens: I execute the Cisco IPSEC client, it passes the shared
> > secret, then it prompts for authentication. I enter in a bogus username and
> > password... it authenticates me.... I can even log in as Username: T
> > password: T and it lets me in.. I assure you that this account is not set up
> > on my network.... when I go to the logs to see what is going on, the IAS
> > logs shows who's logging on when, which policy they are using etc... now this
> > is all great.. it tells me the router and the IAS server ARE communicating..
> > but doesn't explain why I'm only getting the logging and not the
> > authentication.
> >
> > Now for the odd part I mentioned earlier.. if I enable the Request must
> > contain the Message Authenticator attribute in the radius client, I am unable
> > to authenticate with bogus or valid information....
> >
> > Any help would be great on this because after a few weeks of troubleshooting
> > I am about to lose my mind....
> >
> > TIA
> >
> > Ben
> >
>
>
>
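The IAS-format records quoted in the message above consist of six fixed header fields followed by attribute-id/value pairs. The following is an added example, not part of the original thread: it parses those two records (copied from the post, wrapped lines joined) and reports Access-Accept records whose Provider-Type is 0. The attribute meanings (4136 Packet-Type, 4142 Reason-Code, 4155 Provider-Type with 0 meaning no authentication occurred) are assumed from Microsoft's documented IAS log format; the function names are hypothetical.

```python
import csv

# Fixed header fields of an IAS-format log record (assumed from Microsoft's docs).
HEADER = ("nas_ip", "user_name", "date", "time", "service", "computer")
PACKET_TYPE = "4136"    # 1=Access-Request, 2=Access-Accept, 3=Access-Reject
REASON_CODE = "4142"    # 0 = success
PROVIDER_TYPE = "4155"  # 0 = no authentication occurred, 1 = local, 2 = proxied

# The two records from the post, with the mail client's line wraps joined.
SAMPLE = (
    "192.168.100.1,bogusinfo,01/24/2005,11:52:45,IAS,VPIFS1,31,<removed>,61,5,"
    "4,192.168.100.1,4108,192.168.100.1,4116,9,4128,CiscoRouter,4155,0,"
    "25,311 1 192.168.100.6 01/04/2005 15:20:25 231,4136,1,4142,0\n"
    "192.168.100.1,bogusinfo,01/24/2005,11:52:45,IAS,VPIFS1,"
    "25,311 1 192.168.100.6 01/04/2005 15:20:25 231,"
    "4154,Use Windows authentication for all users,4155,0,4128,CiscoRouter,"
    "4116,9,4108,192.168.100.1,4136,2,4142,0\n"
)


def parse_record(line):
    """Split one IAS-format line into header fields plus an id->value dict."""
    fields = next(csv.reader([line]))
    rest = fields[len(HEADER):]
    if len(fields) < len(HEADER) or len(rest) % 2:
        raise ValueError("truncated or wrapped record: %r" % line[:40])
    record = dict(zip(HEADER, fields))
    record["attrs"] = dict(zip(rest[0::2], rest[1::2]))
    return record


def unauthenticated_accepts(log_text):
    """Return Access-Accept records that IAS issued without authenticating."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = parse_record(line)
        attrs = record["attrs"]
        if attrs.get(PACKET_TYPE) == "2" and attrs.get(PROVIDER_TYPE) == "0":
            hits.append(record)
    return hits


if __name__ == "__main__":
    for rec in unauthenticated_accepts(SAMPLE):
        print(rec["date"], rec["time"], rec["user_name"],
              "accepted with Provider-Type 0, reason", rec["attrs"][REASON_CODE])
```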