Re: RADIUS (IAS) and Cisco Concentrator? (PDF Attachment)




I am struggling to find anything about PAP in that document. What part is this in IAS?


"Michael D. Ober" <obermd.@.alum.mit.edu.nospam> wrote in message news:%23VPRtAJxHHA.3696@xxxxxxxxxxxxxxxxxxxxxxx
Here's the first problem

Authentication-Type = PAP
Reason = The user attempted to use an authentication method that is not enabled on the matching remote access policy.

In your policy, verify you have selected only the check boxes in the Cisco document I sent yesterday. Cisco's document includes both PAP and Plain Text since these are the two methods that all versions of IOS support. Once you get this working, then you can turn off Plain Text and try again. You also need to ensure the shared secret (IAS) and key (Cisco) match in both spelling and case.

Mike.



"Gonzo" <apollo13@xxxxxxxxxxxxxx> wrote in message news:82144E66-DD69-4540-993C-E1E5C8E855A1@xxxxxxxxxxxxxxxx
What exactly should I have in the Remote Access Policy?

User gonzo was denied access.
Fully-Qualified-User-Name = domain/ou/IT/Gonzo
NAS-IP-Address = 192.168.129.251
NAS-Identifier = <not present>
Called-Station-Identifier = 82.100.100.73
Calling-Station-Identifier = 81.1.1.1
Client-Friendly-Name = Concentrator
Client-IP-Address = 192.168.129.251
NAS-Port-Type = Virtual
NAS-Port = 25371
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = VPN Access
Authentication-Type = PAP
EAP-Type = <undetermined>
Reason-Code = 66
Reason = The user attempted to use an authentication method that is not enabled on the matching remote access policy.


"Scott Lowe" <slowe@xxxxxxxxxxxxxxx> wrote in message news:nemoThu071207073043@xxxxxxxxxxxxxxxxxxxxxx
In article <33301238-5B24-4C59-BFE9-07AF4F5A3624@xxxxxxxxxxxxx>
"Gonzo"<no@xxxxxxxxx> wrote:

This is the IAS log:

192.168.129.251,domain\gonzo,07/12/2007,11:07:36,IAS,IAS-SERVER,5,2536

9,6,2,7,1,30,82.100.100.73,31,81.1.1.1,66,81.1.1.1,4,192.168.129.251,6
1,5,4108,192.168.129.251,4116,9,4128,Concentrator,4155,1,4154,Use
Windows authentication for all
users,4129,domain\gonzo,4127,1,4149,VPN Access,25,311 1 192.168.12.11
05/31/2007 13:07:17
45001,4130,domain.local/ou/IT/Gonzo,4136,1,4142,0
192.168.129.251,domain\gonzo,07/12/2007,11:07:36,IAS,IAS-SERVER,25,311
1 192.168.12.11 05/31/2007 13:07:17
45001,4130,domain.local/ou/IT/Gonzo,4149,VPN
Access,4127,1,4129,domain\gonzo,4154,Use Windows authentication for
all

users,4155,1,4128,Concentrator,4108,192.168.129.251,4116,9,4136,3,4142
,66
Concentrator log:

3 07/12/2007 11:11:46.510 SEV=3 AUTH/5 RPT=1220 81.1.1.1
Authentication rejected: Reason = Unspecified
handle = 738, server = 192.168.12.11, user = gonzo, domain = domain

The Windows event logs are usually much easier to use for debugging.
You should have IAS entries in the System log, IIRC, for every time
a user attempts to connect. In those events, it will invariably tell
you, in plain English, why the remote access connection was denied
(such as "Unsupported authentication attempt" or something
similar). Have a look at those and tell us what you find.

Regards,
Scott Lowe
ePlus Technology, Inc.

--
I'm trying a new usenet client for Mac, Nemo OS X.
You can download it at http://www.malcom-mac.com/nemo
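
An added example, not part of any post in this thread: a small decoder for IAS-formatted log records that picks out Access-Reject entries with Reason-Code 66, the rejection quoted above. The attribute ID mappings and the sample records are assumptions constructed for the example; records are expected on one line each, unlike the wrapped log pasted in the thread.

```python
import csv

# Attribute IDs/values as used in IAS-formatted logs (assumption, not from the
# thread; 4127=1 -> PAP and 4142=66 agree with the event text quoted in it).
ATTR = {"4127": "Authentication-Type", "4128": "Client-Friendly-Name",
        "4129": "SAM-Account-Name", "4136": "Packet-Type",
        "4142": "Reason-Code", "4149": "Policy-Name"}
DECODE = {
    "Authentication-Type": {"1": "PAP", "2": "CHAP", "3": "MS-CHAP",
                            "4": "MS-CHAP v2", "5": "EAP"},
    "Packet-Type": {"1": "Access-Request", "2": "Access-Accept",
                    "3": "Access-Reject"},
}
HEADER = ["NAS-IP-Address", "User-Name", "Date", "Time", "Service", "Computer"]

def parse_record(line):
    """Split one record into its 6 header fields plus attribute/value pairs."""
    fields = next(csv.reader([line]))
    pairs = fields[len(HEADER):]
    if len(fields) < len(HEADER) or len(pairs) % 2:
        raise ValueError("truncated or wrapped record: rejoin the line first")
    rec = dict(zip(HEADER, fields))
    for attr_id, value in zip(pairs[0::2], pairs[1::2]):
        name = ATTR.get(attr_id, attr_id)   # keep unknown IDs as-is
        rec[name] = DECODE.get(name, {}).get(value, value)
    return rec

def auth_method_rejects(lines):
    """Access-Rejects with Reason-Code 66 (method not enabled on the policy)."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        if rec.get("Packet-Type") == "Access-Reject" and rec.get("Reason-Code") == "66":
            hits.append((rec["User-Name"], rec.get("Policy-Name"),
                         rec.get("Authentication-Type")))
    return hits

# Constructed sample records, modelled on the wrapped log in the thread.
SAMPLE = [
    r"192.168.129.251,domain\gonzo,07/12/2007,11:07:36,IAS,IAS-SERVER,"
    r"4128,Concentrator,4129,domain\gonzo,4127,1,4149,VPN Access,4136,1,4142,0",
    r"192.168.129.251,domain\gonzo,07/12/2007,11:07:36,IAS,IAS-SERVER,"
    r"4149,VPN Access,4127,1,4129,domain\gonzo,4128,Concentrator,4136,3,4142,66",
]

if __name__ == "__main__":
    for user, policy, method in auth_method_rejects(SAMPLE):
        print(f"{user}: {method} not enabled on policy '{policy}'")
```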




