RE: Secure Windows Domain auth for Cisco 2691 to Win2k or NT 4 Server via Radius

From: Israel Hernandez (israel_at_neospire.net)
Date: 08/18/03

    To: <Alfred.Diggs@STIS.com>, <security-basics@securityfocus.com>
    Date: Mon, 18 Aug 2003 11:11:20 -0500
    
    

    Problem #2: I think you should be able to incorporate a dynamic map (for
    the dynamic VPN tunnels) into the static map you have set up for your static
    VPN tunnels.

    Read:
    http://www.cisco.com/en/US/products/sw/iosswrel/ps1831/products_configuration_guide_chapter09186a00800d981f.html#28511

    -----Original Message-----
    From: Alfred.Diggs@STIS.com [mailto:Alfred.Diggs@STIS.com]
    Sent: Saturday, August 16, 2003 8:20 PM
    To: security-basics@securityfocus.com
    Subject: Secure Windows Domain auth for Cisco 2691 to Win2k or NT 4
    Server via Radius

    Thanks in advance for any and all help in this situation.

    I have a Cisco 2691 VPN device that has 3 static VPN tunnels to some of our
    vendors. And since my company ponied up and bought the 7k device they
    expect me to use it for everything. I have a remote office in India
    (developers = 24/7 access and big bandwidth) and they need access to our
    network itself and not Terminal Services. Anyway I set up a dynamic VPN pool
    for use with the Cisco VPN win32 client, which works great for authenticating to
    the VPN device, and I can ping everything on the network. The problem is
    that I cannot connect to anything because Windows doesn't care that Cisco
    authenticated them; it requires domain-level authentication for all resources.
    So I set up a RADIUS server on a Windows 2k member server on a WinNT domain (I
    know, but there are budgetary issues with the full migration). Anywho, it
    almost seemed as if I was ready to authenticate but I kept screwing something up.
    Here is a list of my errors.

    Usernames tried:
    admin1
    stelco\admin1
    \stelco\admin1
    \\stelco\admin1

    I created both local and domain accounts for that user name.

    I did play with the shared key between Cisco and the RADIUS server, ON:OFF.

    I also tried this on our WinNT BDC and got basically the same results.

    Environment = Win2k Pro using the Cisco VPN client over dialup.

    OK, here are the event logs from the Win2k server. I deleted the NT logs due
    to utter disgust.

    1: User admin1 was denied access.
     Fully-Qualified-User-Name = stelco\admin1
     NAS-IP-Address = 0.0.0.0
     NAS-Identifier = <not present>
     Called-Station-Identifier = <not present>
     Calling-Station-Identifier = 66.217.207.114
     Client-Friendly-Name = 2691cisco
     Client-IP-Address = 192.168.10.24
     NAS-Port-Type = Virtual
     NAS-Port = 500
     Policy-Name = <undetermined>
     Authentication-Type = PAP
     EAP-Type = <undetermined>
     Reason-Code = 8
     Reason = The specified user does not exist.

    2: A signature attribute is required in Access-Requests from client
    2691cisco.

    3: Access request for user \\stelco\admin1 was discarded.
     Fully-Qualified-User-Name = \\stelco\admin1
     NAS-IP-Address = 0.0.0.0
     NAS-Identifier = <not present>
     Called-Station-Identifier = <not present>
     Calling-Station-Identifier = 66.217.207.114
     Client-Friendly-Name = 2691cisco
     Client-IP-Address = 192.168.10.24
     NAS-Port-Type = Virtual
     NAS-Port = 500
     Reason-Code = 6
     Reason = The server is unavailable.

    4:Access request for user \stelco\admin1 was discarded.
     Fully-Qualified-User-Name = \stelco\admin1
     NAS-IP-Address = 0.0.0.0
     NAS-Identifier = <not present>
     Called-Station-Identifier = <not present>
     Calling-Station-Identifier = 66.217.207.114
     Client-Friendly-Name = 2691cisco
     Client-IP-Address = 192.168.10.24
     NAS-Port-Type = Virtual
     NAS-Port = 500
     Reason-Code = 6
     Reason = The server is unavailable.

    Problem #2

    This is more of a technical question than a cry for help. On this same VPN device,
    as I have mentioned, I have 3 static VPN tunnels using crypto map "rookie"
    which are working fine. When I try to set the dynamic VPN tunnel (for the
    clients) to use the same crypto map my tunnels go down.
    I know there is almost no limit to the number of virtual tunnels you can
    have on a device but you are limited to only 1 crypto map per interface. So
    my question is, is there any way to get the static and dynamic tunnels to
    play nice with the same crypto map, or do something funky like apply the
    second crypto map on the inside interface?

    15 hours today so I'm really tired (stupid anti-virus rollout).

    Thanks again for any and all help

    Alfred Diggs
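    As an added illustration of the reply's suggestion (this is not configuration from either poster or from the Cisco document linked above), the IOS shape that keeps the three static entries in crypto map "rookie" and adds the client template as a dynamic entry at the highest sequence number. The map name comes from the thread; the transform-set, ACL, peer address and AAA list names are assumed placeholders.

    ```cisco
    ! Transform set shared by the static peers and the VPN clients (name assumed)
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

    ! Template for the dial-in clients: no "set peer" and no "match address",
    ! because the client's address is not known in advance
    crypto dynamic-map DYN-CLIENTS 10
     set transform-set ESP-3DES-SHA
     reverse-route

    ! Existing static vendor tunnels keep their low sequence numbers;
    ! 203.0.113.10 and VENDOR1 are placeholders (repeat at seq 20 and 30 for the others)
    crypto map rookie 10 ipsec-isakmp
     set peer 203.0.113.10
     set transform-set ESP-3DES-SHA
     match address VENDOR1

    ! XAUTH / group-policy hooks for the clients, attached to the same map name;
    ! XAUTH-LIST and GROUP-LIST are assumed AAA method-list names (e.g. pointing at RADIUS)
    crypto map rookie client authentication list XAUTH-LIST
    crypto map rookie isakmp authorization list GROUP-LIST
    crypto map rookie client configuration address respond

    ! Dynamic entry goes LAST: IOS evaluates map entries in ascending sequence order,
    ! so the known static peers still match first and only unknown peers fall
    ! through to the dynamic template
    crypto map rookie 100 ipsec-isakmp dynamic DYN-CLIENTS

    ! Only one crypto map per interface: apply the combined map once, on the outside
    interface FastEthernet0/0
     crypto map rookie
    ```

    With this layout the static tunnels keep their existing entries and the dynamic clients share the same map, so nothing has to be applied to the inside interface.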


