Re: RADIUS (IAS) and Cisco Concentrator? (PDF Attachment)



What exactly should I have in the Remote Access Policy?

User gonzo was denied access.
Fully-Qualified-User-Name = domain/ou/IT/Gonzo
NAS-IP-Address = 192.168.129.251
NAS-Identifier = <not present>
Called-Station-Identifier = 82.100.100.73
Calling-Station-Identifier = 81.1.1.1
Client-Friendly-Name = Concentrator
Client-IP-Address = 192.168.129.251
NAS-Port-Type = Virtual
NAS-Port = 25371
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = VPN Access
Authentication-Type = PAP
EAP-Type = <undetermined>
Reason-Code = 66
Reason = The user attempted to use an authentication method that is not enabled on the matching remote access policy.


"Scott Lowe" <slowe@xxxxxxxxxxxxxxx> wrote in message news:nemoThu071207073043@xxxxxxxxxxxxxxxxxxxxxx
In article <33301238-5B24-4C59-BFE9-07AF4F5A3624@xxxxxxxxxxxxx>
"Gonzo"<no@xxxxxxxxx> wrote:

This is the IAS log:

192.168.129.251,domain\gonzo,07/12/2007,11:07:36,IAS,IAS-SERVER,5,2536

9,6,2,7,1,30,82.100.100.73,31,81.1.1.1,66,81.1.1.1,4,192.168.129.251,6
1,5,4108,192.168.129.251,4116,9,4128,Concentrator,4155,1,4154,Use
Windows authentication for all
users,4129,domain\gonzo,4127,1,4149,VPN Access,25,311 1 192.168.12.11
05/31/2007 13:07:17
45001,4130,domain.local/ou/IT/Gonzo,4136,1,4142,0
192.168.129.251,domain\gonzo,07/12/2007,11:07:36,IAS,IAS-SERVER,25,311
1 192.168.12.11 05/31/2007 13:07:17
45001,4130,domain.local/ou/IT/Gonzo,4149,VPN
Access,4127,1,4129,domain\gonzo,4154,Use Windows authentication for
all

users,4155,1,4128,Concentrator,4108,192.168.129.251,4116,9,4136,3,4142
,66
Concentrator log:

3 07/12/2007 11:11:46.510 SEV=3 AUTH/5 RPT=1220
81.1.1.1Authentication rejected: Reason = Unspecified
handle = 738, server = 192.168.12.11, user = gonzo, domain = domain

The Windows event logs are usually much easier to use for debugging.
You should have IAS entries in the System log, IIRC, for every time
a user attempts to connect. In those events, it will invariably tell
you, in plain English, why the remote access connection was denied
(such as "Unsupported authentication attempt" or something
similar). Have a look at those and tell us what you find.

Regards,
Scott Lowe
ePlus Technology, Inc.

--
I'm trying a new usenet client for Mac, Nemo OS X.
You can download it at http://www.malcom-mac.com/nemo
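
Added example, not part of the original posts: a small Python decoder for the IAS-format log record quoted above, which turns the numeric attribute/value pairs into the same fields the event log entry shows. The attribute-ID and value tables are a subset chosen for this record and are an assumption, cross-checked against the event text in the post (Policy-Name = VPN Access, Authentication-Type = PAP, Reason-Code = 66); the function names are hypothetical.

```python
# Added example: decode one IAS-format log record into named attributes.
HEADER = ["NAS-IP-Address", "User-Name", "Record-Date", "Record-Time",
          "Service-Name", "Computer-Name"]
# Subset of IAS attribute IDs: only those present in the reject record below.
ATTRS = {"25": "Class", "4108": "Client-IP-Address", "4116": "Client-Vendor",
         "4127": "Authentication-Type", "4128": "Client-Friendly-Name",
         "4129": "SAM-Account-Name", "4130": "Fully-Qualified-User-Name",
         "4136": "Packet-Type", "4142": "Reason-Code", "4149": "Policy-Name",
         "4154": "Proxy-Policy-Name", "4155": "Provider-Type"}
# Value decoders for the two fields that explain a denial.
DECODE = {
    "Authentication-Type": {"1": "PAP", "2": "CHAP", "3": "MS-CHAP",
                            "4": "MS-CHAP v2", "5": "EAP"},
    "Packet-Type": {"1": "Access-Request", "2": "Access-Accept",
                    "3": "Access-Reject"},
}

# The reject record from the post, with the news client's line wraps rejoined.
SAMPLE = (
    r"192.168.129.251,domain\gonzo,07/12/2007,11:07:36,IAS,IAS-SERVER,"
    r"25,311 1 192.168.12.11 05/31/2007 13:07:17 45001,"
    r"4130,domain.local/ou/IT/Gonzo,4149,VPN Access,4127,1,"
    r"4129,domain\gonzo,4154,Use Windows authentication for all users,"
    r"4155,1,4128,Concentrator,4108,192.168.129.251,4116,9,4136,3,4142,66"
)


def parse_ias_record(line):
    """Split a record into the six header fields plus id,value pairs."""
    fields = line.strip().split(",")  # assumes no value contains a comma
    pairs = fields[len(HEADER):]
    if len(fields) < len(HEADER) or len(pairs) % 2:
        raise ValueError("record is truncated or still line-wrapped")
    rec = dict(zip(HEADER, fields))
    for attr_id, value in zip(pairs[0::2], pairs[1::2]):
        name = ATTRS.get(attr_id, "attr-" + attr_id)
        rec[name] = DECODE.get(name, {}).get(value, value)
    return rec


def summarize_reject(rec):
    """Return a one-line explanation for Access-Reject records, else None."""
    if rec.get("Packet-Type") != "Access-Reject":
        return None
    return "{} rejected under policy '{}': auth type {}, reason code {}".format(
        rec["SAM-Account-Name"], rec["Policy-Name"],
        rec["Authentication-Type"], rec["Reason-Code"])


if __name__ == "__main__":
    print(summarize_reject(parse_ias_record(SAMPLE)))
```

Records copied out of a news posting must be rejoined onto one line first; a record that is still wrapped usually fails the pair-count check instead of decoding into shifted fields.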

