Re: RADIUS (IAS) and Cisco Concentrator? (PDF Attachment)
- From: "Gonzo" <apollo13@xxxxxxxxxxxxxx>
- Date: Fri, 13 Jul 2007 15:57:22 +0100
Great, so if I simply copy the settings to another IAS server and register it in AD, then the new one will be a failover?
I suppose I have to add the 2nd IAS to the concentrator?
Also, you said I couldn't have more than one policy and associate it with another RADIUS client (kind of separate them). I have seen the options NAS-IP-Address and Client-IP-Address; can these options be used to tell a RADIUS client what policy to use?
So wireless clients can use this policy, VPN users use this policy, etc.
Thanks
"Michael D. Ober" <obermd.@.alum.mit.edu.nospam> wrote in message news:e5mX$1UxHHA.4500@xxxxxxxxxxxxxxxxxxxxxxx
"Gonzo" <andrewwhite@xxxxxxxxxxxxxxxxxxxxxx> wrote in message news:OGwZ9zMxHHA.736@xxxxxxxxxxxxxxxxxxxxxxx
Would this be done on the concentrator: "ensure the RADIUS ports are blocked on the Concentrator's external facing interfaces"?
Correct. Since your Concentrator is handling the VPN endpoint, it's the only device that needs to talk to the RADIUS (IAS) server.
I take it it's not possible to do bonded authentication?
I'm not sure what this is, but if it refers to a secure authentication channel, no, there is not. Registering IAS with AD effectively tells AD not to accept external authentication requests from other sources. You can have multiple IAS servers registered at the same time, so you can tell your Concentrator to follow a chain of servers if the first one doesn't respond.
Thanks
"Michael D. Ober" <obermd.@.alum.mit.edu.nospam> wrote in message news:%23ex3bgMxHHA.4352@xxxxxxxxxxxxxxxxxxxxxxx
Great - now for your questions -
1) The Cisco VPN/Concentrator handles the tunnel and encryption. Authentication is passed to IAS in plain text, so you need to ensure the RADIUS ports are blocked on the Concentrator's external facing interfaces.
2) No - see #3 for how to fix this.
3) Start the IAS MMC console. Right click the "Internet Authentication Service" and select "Register in Active Directory". This does two things for you - it forces IAS to use AD for authentication and it blocks non-registered Radius servers from authenticating. When you do this, make sure that your "VPN Access" group is a domain or enterprise group, or it will not be checked by Active Directory.
Mike.
"Gonzo" <andrewwhite@xxxxxxxxxxxxxxxxxxxxxx> wrote in message news:OEXs30LxHHA.4464@xxxxxxxxxxxxxxxxxxxxxxx
Yes! That worked! Just a couple of questions:
1.) I take it all the security/encryption is achieved via the Cisco VPN client and the authentication by IAS?
2.) I take it it's a must for users to always put the domain name at the start? (domain\username)
3.) Can IAS be locked down even further, for example their AD computer has to be in the RADIUS group, like bonded authentication?
Many thanks
"Michael D. Ober" <obermd.@.alum.mit.edu.nospam> wrote in message news:Oz3GaKKxHHA.4668@xxxxxxxxxxxxxxxxxxxxxxx
In IAS, go to the "Remote Access Policies" and double-click the policy you created for your Concentrator. This will bring up the properties tab. Add a policy condition and scroll to the bottom and select "Windows-Groups". Click Add and then add your group "VPN Access" and click OK.
Next, click Edit Profile (button) and select the Authentication tab. Select "Unencrypted authentication (PAP, SPAP)" and click OK.
At the bottom of the properties window, select "Grant remote access permission" and then click OK.
Now try connecting.
Mike.
"Gonzo" <apollo13@xxxxxxxxxxxxxx> wrote in message news:A79F7073-177E-45BC-AB0B-71093944F254@xxxxxxxxxxxxxxxx
I am struggling to find anything about PAP in that document. What part is this in IAS?
"Michael D. Ober" <obermd.@.alum.mit.edu.nospam> wrote in message news:%23VPRtAJxHHA.3696@xxxxxxxxxxxxxxxxxxxxxxx
Here's the first problem:
Authentication-Type = PAP
Reason = The user attempted to use an authentication method that is not enabled on the matching remote access policy.
In your policy, verify you have selected only the check boxes in the Cisco document I sent yesterday. Cisco's document includes both PAP and Plain Text since these are the two methods that all versions of IOS support. Once you get this working, then you can turn off Plain Text and try again. You also need to ensure the shared secret (IAS) and key (Cisco) match in both spelling and case.
Mike.
"Gonzo" <apollo13@xxxxxxxxxxxxxx> wrote in message news:82144E66-DD69-4540-993C-E1E5C8E855A1@xxxxxxxxxxxxxxxx
What exactly should I have in the Remote Access Policy?
User gonzo was denied access.
Fully-Qualified-User-Name = domain/ou/IT/Gonzo
NAS-IP-Address = 192.168.129.251
NAS-Identifier = <not present>
Called-Station-Identifier = 82.100.100.73
Calling-Station-Identifier = 81.1.1.1
Client-Friendly-Name = Concentrator
Client-IP-Address = 192.168.129.251
NAS-Port-Type = Virtual
NAS-Port = 25371
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = VPN Access
Authentication-Type = PAP
EAP-Type = <undetermined>
Reason-Code = 66
Reason = The user attempted to use an authentication method that is not enabled on the matching remote access policy.
"Scott Lowe" <slowe@xxxxxxxxxxxxxxx> wrote in message news:nemoThu071207073043@xxxxxxxxxxxxxxxxxxxxxx
In article <33301238-5B24-4C59-BFE9-07AF4F5A3624@xxxxxxxxxxxxx> "Gonzo" <no@xxxxxxxxx> wrote:
This is the IAS log:
192.168.129.251,domain\gonzo,07/12/2007,11:07:36,IAS,IAS-SERVER,5,25369,6,2,7,1,30,82.100.100.73,31,81.1.1.1,66,81.1.1.1,4,192.168.129.251,61,5,4108,192.168.129.251,4116,9,4128,Concentrator,4155,1,4154,Use Windows authentication for all users,4129,domain\gonzo,4127,1,4149,VPN Access,25,311 1 192.168.12.11 05/31/2007 13:07:17 45001,4130,domain.local/ou/IT/Gonzo,4136,1,4142,0
192.168.129.251,domain\gonzo,07/12/2007,11:07:36,IAS,IAS-SERVER,25,311 1 192.168.12.11 05/31/2007 13:07:17 45001,4130,domain.local/ou/IT/Gonzo,4149,VPN Access,4127,1,4129,domain\gonzo,4154,Use Windows authentication for all users,4155,1,4128,Concentrator,4108,192.168.129.251,4116,9,4136,3,4142,66
Concentrator log:
3 07/12/2007 11:11:46.510 SEV=3 AUTH/5 RPT=1220 81.1.1.1
Authentication rejected: Reason = Unspecified
handle = 738, server = 192.168.12.11, user = gonzo, domain = domain
The Windows event logs are usually much easier to use for debugging. You should have IAS entries in the System log, IIRC, for every time a user attempts to connect. In those events, it will invariably tell you, in plain English, why the remote access connection was denied (such as "Unsupported authentication attempt" or something similar). Have a look at those and tell us what you find.
Regards,
Scott Lowe
ePlus Technology, Inc.
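The IAS-format log quoted in this post is hard to read by eye, which is why the event-log text was easier to debug from. As an added example (not code from this thread, nor from Microsoft), here is a parser for that log format. Each record is six fixed fields (NAS-IP-Address, User-Name, date, time, service, computer) followed by attribute-ID/value pairs; the IDs mapped below are the ones that appear in the quoted records, with the meanings the event log in the thread gives them (4128 Client-Friendly-Name, 4149 Policy-Name, 4136 Packet-Type, 4142 Reason-Code, 4127 Authentication-Type with 1 = PAP, and Reason-Code 66 for the "authentication method not enabled on the matching remote access policy" denial). The sample records are constructed: the first two mirror the quoted Access-Request and Access-Reject, the third is a hypothetical Access-Accept from a wireless access point named "Wireless-AP", included so the PAP audit has something to contrast against. The parser assumes attribute values contain no commas, which holds for these records but is not guaranteed by IAS.

```python
from typing import Dict, List, Set

# Attribute IDs used by the IAS-format log: standard RADIUS IDs below 256,
# IAS-specific IDs from 4096 up. Only IDs present in the thread's log are listed.
ATTR_NAMES = {
    4: "NAS-IP-Address", 5: "NAS-Port", 6: "Service-Type", 7: "Framed-Protocol",
    25: "Class", 30: "Called-Station-Id", 31: "Calling-Station-Id",
    61: "NAS-Port-Type", 66: "Tunnel-Client-Endpoint",
    4108: "Client-IP-Address", 4116: "NAS-Manufacturer", 4127: "Authentication-Type",
    4128: "Client-Friendly-Name", 4129: "SAM-Account-Name",
    4130: "Fully-Qualified-User-Name", 4136: "Packet-Type", 4142: "Reason-Code",
    4149: "Policy-Name", 4154: "Proxy-Policy-Name", 4155: "Provider-Type",
}
PACKET_TYPES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
AUTH_TYPES = {1: "PAP", 2: "CHAP", 3: "MS-CHAP", 4: "MS-CHAPv2", 5: "EAP"}
REASONS = {
    0: "Success",
    16: "Authentication failed: unknown user name or bad password",
    66: "The user attempted to use an authentication method that is not enabled "
        "on the matching remote access policy",
}

# Constructed sample records (raw strings because of the domain\user backslash).
SAMPLE_LOG: List[str] = [
    r"192.168.129.251,domain\gonzo,07/12/2007,11:07:36,IAS,IAS-SERVER,5,25369,6,2,7,1,30,82.100.100.73,31,81.1.1.1,66,81.1.1.1,4,192.168.129.251,61,5,4108,192.168.129.251,4116,9,4128,Concentrator,4155,1,4154,Use Windows authentication for all users,4129,domain\gonzo,4127,1,4149,VPN Access,25,311 1 192.168.12.11 05/31/2007 13:07:17 45001,4130,domain.local/ou/IT/Gonzo,4136,1,4142,0",
    r"192.168.129.251,domain\gonzo,07/12/2007,11:07:36,IAS,IAS-SERVER,25,311 1 192.168.12.11 05/31/2007 13:07:17 45001,4130,domain.local/ou/IT/Gonzo,4149,VPN Access,4127,1,4129,domain\gonzo,4154,Use Windows authentication for all users,4155,1,4128,Concentrator,4108,192.168.129.251,4116,9,4136,3,4142,66",
    r"192.168.129.20,domain\alice,07/12/2007,11:09:02,IAS,IAS-SERVER,4,192.168.129.20,61,19,4108,192.168.129.20,4128,Wireless-AP,4155,1,4154,Use Windows authentication for all users,4129,domain\alice,4127,4,4149,Wireless Access,4130,domain.local/ou/IT/Alice,4136,2,4142,0",
]


def parse_ias_record(line: str) -> dict:
    """Split one IAS-format record into the six header fields plus an {attr_id: value} map."""
    fields = line.rstrip("\r\n").split(",")
    if len(fields) < 6 or (len(fields) - 6) % 2:
        raise ValueError("malformed IAS record: %r" % line)
    rec = dict(zip(("nas_ip", "user", "date", "time", "service", "computer"), fields[:6]))
    attrs: Dict[int, str] = {}
    rest = fields[6:]
    for i in range(0, len(rest), 2):
        attrs[int(rest[i])] = rest[i + 1]  # int() fails loudly on a shifted/garbled record
    rec["attrs"] = attrs
    return rec


def describe(rec: dict) -> dict:
    """Reduce a record to the fields an operator actually wants when debugging a denial."""
    a = rec["attrs"]
    ptype = int(a.get(4136, 0))
    auth = int(a.get(4127, 0))
    reason = int(a.get(4142, 0))
    return {
        "user": rec["user"],
        "client": a.get(4128, ""),        # Client-Friendly-Name, e.g. "Concentrator"
        "client_ip": a.get(4108, rec["nas_ip"]),
        "policy": a.get(4149, ""),        # the remote access policy that matched
        "packet_type": PACKET_TYPES.get(ptype, "Unknown(%d)" % ptype),
        "auth_type": AUTH_TYPES.get(auth, "Unknown(%d)" % auth),
        "reason_code": reason,
        "reason": REASONS.get(reason, "Reason-Code %d (see IAS documentation)" % reason),
    }


def rejects(lines: List[str]) -> List[dict]:
    """Every Access-Reject in the log, summarised: who, from which RADIUS client, which policy, why."""
    out = []
    for line in lines:
        if not line.strip():
            continue
        d = describe(parse_ias_record(line))
        if d["packet_type"] == "Access-Reject":
            out.append(d)
    return out


def pap_clients(lines: List[str]) -> Set[str]:
    """Audit check: which RADIUS clients are still sending PAP (plain-text) credentials.

    Useful once the Concentrator works and it is time to turn the other methods off."""
    clients: Set[str] = set()
    for line in lines:
        if not line.strip():
            continue
        rec = parse_ias_record(line)
        if rec["attrs"].get(4127) == "1":
            clients.add(rec["attrs"].get(4128, rec["nas_ip"]))
    return clients


if __name__ == "__main__":
    for d in rejects(SAMPLE_LOG):
        print("%(user)s via %(client)s (%(client_ip)s), policy '%(policy)s', %(auth_type)s: "
              "reason %(reason_code)d - %(reason)s" % d)
    print("clients using PAP:", sorted(pap_clients(SAMPLE_LOG)))
```

Running it against the constructed records reports the one rejection with its reason code 66, which is exactly what the Windows event log entry earlier in the thread says in words, and lists the Concentrator as the only client still authenticating with PAP.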