Re: RADIUS (IAS) and Cisco Concentrator? (PDF Attachment)



In IAS, go to the "Remote Access Policies" and double-click the policy you
created for your Concentrator. This will bring up the properties tab. Add
a policy condition and scroll to the bottom and select "Windows-Groups".
Click Add and then add your group "VPN Access" and click OK.

Next, click Edit Profile (button) and select the Authentication tab. Select
"Unencrypted authentication (PAP, SPAP)" and click OK.

At the bottom of the properties window, select "Grant remote access
permission" and then click OK.

Now try connecting.

Mike.


"Gonzo" <apollo13@xxxxxxxxxxxxxx> wrote in message
news:A79F7073-177E-45BC-AB0B-71093944F254@xxxxxxxxxxxxxxxx
I am struggling to find anything about PAP in that document. What part is
this in IAS?


"Michael D. Ober" <obermd.@.alum.mit.edu.nospam> wrote in message
news:%23VPRtAJxHHA.3696@xxxxxxxxxxxxxxxxxxxxxxx
Here's the first problem

Authentication-Type = PAP
Reason = The user attempted to use an authentication method that is not
enabled on the matching remote access policy.

In your policy, verify you have selected only the check boxes in the
Cisco document I sent yesterday. Cisco's document includes both PAP and
Plain Text since these are the two methods that all versions of IOS
support. Once you get this working, then you can turn off Plain Text and
try again. You also need to ensure the shared secret (IAS) and key
(Cisco) match in both spelling and case.

Mike.



"Gonzo" <apollo13@xxxxxxxxxxxxxx> wrote in message
news:82144E66-DD69-4540-993C-E1E5C8E855A1@xxxxxxxxxxxxxxxx
What exactly should I have in the Remote Access Policy?

User gonzo was denied access.
Fully-Qualified-User-Name = domain/ou/IT/Gonzo
NAS-IP-Address = 192.168.129.251
NAS-Identifier = <not present>
Called-Station-Identifier = 82.100.100.73
Calling-Station-Identifier = 81.1.1.1
Client-Friendly-Name = Concentrator
Client-IP-Address = 192.168.129.251
NAS-Port-Type = Virtual
NAS-Port = 25371
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = VPN Access
Authentication-Type = PAP
EAP-Type = <undetermined>
Reason-Code = 66
Reason = The user attempted to use an authentication method that is not
enabled on the matching remote access policy.


"Scott Lowe" <slowe@xxxxxxxxxxxxxxx> wrote in message
news:nemoThu071207073043@xxxxxxxxxxxxxxxxxxxxxx
In article <33301238-5B24-4C59-BFE9-07AF4F5A3624@xxxxxxxxxxxxx>
"Gonzo"<no@xxxxxxxxx> wrote:

This is the IAS log:

192.168.129.251,domain\gonzo,07/12/2007,11:07:36,IAS,IAS-SERVER,5,25369,6,2,7,1,30,82.100.100.73,31,81.1.1.1,66,81.1.1.1,4,192.168.129.251,61,5,4108,192.168.129.251,4116,9,4128,Concentrator,4155,1,4154,Use Windows authentication for all users,4129,domain\gonzo,4127,1,4149,VPN Access,25,311 1 192.168.12.11 05/31/2007 13:07:17 45001,4130,domain.local/ou/IT/Gonzo,4136,1,4142,0
192.168.129.251,domain\gonzo,07/12/2007,11:07:36,IAS,IAS-SERVER,25,311 1 192.168.12.11 05/31/2007 13:07:17 45001,4130,domain.local/ou/IT/Gonzo,4149,VPN Access,4127,1,4129,domain\gonzo,4154,Use Windows authentication for all users,4155,1,4128,Concentrator,4108,192.168.129.251,4116,9,4136,3,4142,66

Concentrator log:

3 07/12/2007 11:11:46.510 SEV=3 AUTH/5 RPT=1220 81.1.1.1
Authentication rejected: Reason = Unspecified
handle = 738, server = 192.168.12.11, user = gonzo, domain = domain

The Windows event logs are usually much easier to use for debugging.
You should have IAS entries in the System log, IIRC, for every time
a user attempts to connect. In those events, it will invariably tell
you, in plain English, why the remote access connection was denied
(such as "Unsupported authentication attempt" or something
similar). Have a look at those and tell us what you find.

Regards,
Scott Lowe
ePlus Technology, Inc.

--
I'm trying a new usenet client for Mac, Nemo OS X.
You can download it at http://www.malcom-mac.com/nemo
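
The IAS-format log records quoted in this thread can be decoded directly, which yields the same policy name, authentication type and reason code that the event log entry shows. The following is an added example, not part of any poster's message; the function names are hypothetical, the attribute and value tables cover only what this thread's records need, and it assumes no field value contains a comma.

```python
# Added example (not from the thread): decode IAS-format log records.
# Layout: six header fields, then attribute-id,value pairs.
HEADER = ("NAS-IP-Address", "User-Name", "Record-Date", "Record-Time",
          "Service-Name", "Computer-Name")
ATTRS = {4108: "Client-IP-Address", 4127: "Authentication-Type",
         4128: "Client-Friendly-Name", 4130: "Fully-Qualified-User-Name",
         4136: "Packet-Type", 4142: "Reason-Code", 4149: "Policy-Name",
         4154: "Proxy-Policy-Name"}
PACKET_TYPE = {"1": "Access-Request", "2": "Access-Accept", "3": "Access-Reject"}
AUTH_TYPE = {"1": "PAP", "2": "CHAP", "3": "MS-CHAP", "4": "MS-CHAP v2", "5": "EAP"}
# Reason text for 66 follows the wording of the event posted in the thread.
REASON = {"66": "authentication method not enabled on the matching "
                "remote access policy"}

def parse_record(line):
    """Turn one unwrapped IAS-format line into a dict keyed by attribute name."""
    fields = line.strip().split(",")
    pairs = fields[len(HEADER):]
    if len(fields) < len(HEADER) or len(pairs) % 2:
        raise ValueError("incomplete record (wrapped or truncated line?)")
    rec = dict(zip(HEADER, fields))
    for attr_id, value in zip(pairs[0::2], pairs[1::2]):
        if not attr_id.isdigit():
            raise ValueError("expected numeric attribute id, got %r" % attr_id)
        # Ids not in ATTRS are kept under a generic "attr-<id>" key.
        rec[ATTRS.get(int(attr_id), "attr-" + attr_id)] = value
    return rec

def explain_rejects(lines):
    """Summarise every Access-Reject: who, via which client and policy, and why."""
    out = []
    for rec in map(parse_record, lines):
        if PACKET_TYPE.get(rec.get("Packet-Type")) != "Access-Reject":
            continue
        code = rec.get("Reason-Code", "?")
        out.append({"user": rec["User-Name"],
                    "client": rec.get("Client-Friendly-Name"),
                    "policy": rec.get("Policy-Name"),
                    "auth": AUTH_TYPE.get(rec.get("Authentication-Type"), "unknown"),
                    "reason_code": code,
                    "reason": REASON.get(code, "see IAS reason-code table")})
    return out

# Constructed sample: the thread's two records with the news client's line wraps rejoined.
SAMPLE = [
    r"192.168.129.251,domain\gonzo,07/12/2007,11:07:36,IAS,IAS-SERVER,5,25369,6,2,7,1,30,82.100.100.73,31,81.1.1.1,66,81.1.1.1,4,192.168.129.251,61,5,4108,192.168.129.251,4116,9,4128,Concentrator,4155,1,4154,Use Windows authentication for all users,4129,domain\gonzo,4127,1,4149,VPN Access,25,311 1 192.168.12.11 05/31/2007 13:07:17 45001,4130,domain.local/ou/IT/Gonzo,4136,1,4142,0",
    r"192.168.129.251,domain\gonzo,07/12/2007,11:07:36,IAS,IAS-SERVER,25,311 1 192.168.12.11 05/31/2007 13:07:17 45001,4130,domain.local/ou/IT/Gonzo,4149,VPN Access,4127,1,4129,domain\gonzo,4154,Use Windows authentication for all users,4155,1,4128,Concentrator,4108,192.168.129.251,4116,9,4136,3,4142,66",
]

if __name__ == "__main__":
    for reject in explain_rejects(SAMPLE):
        print(reject)
```

A record that is still wrapped across lines fails the pair check in parse_record, so rejoin wrapped lines before feeding a pasted log to it.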






