Re: IAS Server and Cisco VPN Concentrator



I followed that same Cisco article with the exact steps. This is the error
message I'm getting in the system log of the IAS server. The thing that
stands out is that it's stating the authentication type is PAP? That is not
checked off on the 3020? Also, on the IAS server in the remote access
policy (not the default one), the only authentication method is MSCHAPv2
(per the Cisco instructions).

User "username" was denied access.
Fully-Qualified-User-Name = domain.com/Information Services/username
NAS-IP-Address = 192.168.x.x
NAS-Identifier = <not present>
Called-Station-Identifier = <not present>
Calling-Station-Identifier = <not present>
Client-Friendly-Name = Cisco 3020 VPN Concentrator
Client-IP-Address = 192.168.x.x
NAS-Port-Type = Virtual
NAS-Port = <not present>
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = Connections to other access servers
Authentication-Type = PAP
EAP-Type = <undetermined>
Reason-Code = 66
Reason = The user attempted to use an authentication method that is not
enabled on the matching remote access policy.

Regards,

"S. Pidgorny <MVP>" <slavickp@xxxxxxxxx> wrote in message
news:e5E4XY6IGHA.1876@xxxxxxxxxxxxxxxxxxxxxxx
> If you want to integrate with AD for authentication and use two-factor
> authentication at the same time, EAP with smart card is the only
> authentication protocol for you (although you can do cert authentication
> without RADIUS with Cisco VPN). I'm afraid that Cisco's Kerberos
> authentication (if works) only supports password authentication.
>
> I have heard of bugs in Cisco that prevent using anything but PAP. Make
> sure you're running the latest stable IOS and debug authentication on both
> Windows server (IAS events are very informative) and Cisco. This helps
> troubleshooting.
>
> As for security - Kerberos is considered better than PAP but the whole
> traffic flow between the client and AD, and other requirements such as a second
> factor, should be taken into consideration. I find Cisco particularly hard
> to deal with because they push for their RADIUS server and aren't that
> good in terms of integrating with AD.
>
> --
> Svyatoslav Pidgorny, MS MVP - Security, MCSE
> -= F1 is the key =-
>
> "msadexchman" <msadexchman@xxxxxxxxx> wrote in message
> news:es1kat2IGHA.216@xxxxxxxxxxxxxxxxxxxxxxx
>> Here is a follow up post to where I stand.......please help...
>>
>> Hello,
>>
>> We're testing out a 3020 Concentrator from Cisco for our VPN access to
>> our users and business partners. We're trying to determine which is the
>> best route to go with respect to Authentication, RADIUS or
>> Kerberos/Active Directory. We've set up Microsoft IAS (RADIUS) server on
>> one of our internal AD DCs and added the 3020 as a RADIUS client. The
>> test group I created on the 3020 is set up to use RADIUS under the
>> Authentication + Authorization tabs in the "Remote Access" page. We
>> added the MS IAS RADIUS server with the shared secret key into the 3020.
>>
>> I can't get it to work, but my real question is, which one is more
>> secure, using RADIUS or using Kerberos/AD for authentication?
>> Essentially, we want to set up groups on the 3020 for our business
>> partners and allow for 2 factor authentication with our Active Directory.
>> We would really like to go all the way and do Authorization and
>> Accounting as well. Is RADIUS the way to go, or Kerberos/AD?
>>
>> During our testing, we're seeing error messages in the system log for the
>> IAS server stating the 3020 client is using PAP to authenticate and we've
>> removed all authentication modes except MSCHAP v2.
>>
>> Can't get anything to work. Any help suggestions would be appreciated.
>>
>>
>> "S. Pidgorny <MVP>" <slavickp@xxxxxxxxx> wrote in message
>> news:u$OLY5ZIGHA.2704@xxxxxxxxxxxxxxxxxxxxxxx
>>> I have used Cisco VPN concentrator and it works fine with IAS on AD
>>> including (IIRC) certificate authentication.
>>>
>>> RADIUS articles @Cisco incl. IAS configs:
>>>
>>> http://cco.cisco.com/en/US/tech/tk583/tk547/tsd_technology_support_sub-protocol_home.html
>>>
>>> --
>>> Svyatoslav Pidgorny, MS MVP - Security, MCSE
>>> -= F1 is the key =-
>>>
>>> "msadexchman" <msadexchman@xxxxxxxxx> wrote in message
>>> news:uiHvcoIIGHA.532@xxxxxxxxxxxxxxxxxxxxxxx
>>>> Hello,
>>>>
>>>> We are presently testing a Cisco 3020 VPN Concentrator to replace our
>>>> existing VPN solution. One of the things we would like to roll out is
>>>> some two factor authentication with our Active Directory. Has anyone
>>>> deployed MS's RADIUS solution of IAS Server in conjunction with a Cisco
>>>> 3020 VPN Concentrator? Do we simply configure the IAS service on one
>>>> of our internal AD domain controllers? What type of ports do we have
>>>> to open up from the DMZ where Concentrator resides to our internal AD?
>>>> Any input would be greatly appreciated.
>>>>
>>>> Regards
>>>>
>>>
>>>
>>
>>
>
>

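The IAS event quoted at the top of this thread carries more than the reason code: `Policy-Name = Connections to other access servers` is the name of one of the two default remote access policies that Windows Server 2003 IAS creates, so the request was evaluated against the default policy and never reached the custom policy whose only method is MS-CHAPv2. The following is an added example, not code from the original post or from Microsoft or Cisco, that parses that event text as it appears in the post and reports the matched policy, the authentication type the NAS actually sent, and the reason code. The event text is the one from the post (a constructed copy, with the poster's masking kept), the expected policy name "Cisco 3020 VPN" and the allowed-method set are assumptions, and the continuation-line handling covers the two-line `Reason =` value.

```python
import re

# Constructed sample: the IAS "denied access" event from the post above,
# with the poster's masked values (192.168.x.x, "username") left as posted.
SAMPLE_EVENT = """User "username" was denied access.
Fully-Qualified-User-Name = domain.com/Information Services/username
NAS-IP-Address = 192.168.x.x
NAS-Identifier = <not present>
Called-Station-Identifier = <not present>
Calling-Station-Identifier = <not present>
Client-Friendly-Name = Cisco 3020 VPN Concentrator
Client-IP-Address = 192.168.x.x
NAS-Port-Type = Virtual
NAS-Port = <not present>
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = Connections to other access servers
Authentication-Type = PAP
EAP-Type = <undetermined>
Reason-Code = 66
Reason = The user attempted to use an authentication method that is not
enabled on the matching remote access policy.
"""

# Name of the default IAS remote access policy seen in the event above.
DEFAULT_POLICY = "Connections to other access servers"

# "Attribute = value" lines; the first line ("User ... was denied access.")
# has no "=" and is deliberately not matched.
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z-]*) = (.*)$")


def parse_ias_event(text):
    """Return the event's attributes as a dict.

    Placeholders "<not present>" / "<undetermined>" become None, and a line
    that does not look like "Name = value" is glued onto the previous value
    (the Reason text wraps onto a second line in the event log).
    """
    fields = {}
    last = None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            key, value = m.group(1), m.group(2).strip()
            fields[key] = None if value in ("<not present>", "<undetermined>") else value
            last = key
        elif last is not None and line.strip() and fields.get(last) is not None:
            fields[last] += " " + line.strip()
    return fields


def diagnose(fields, expected_policy, allowed_auth_types):
    """List what the event says went wrong, relative to the policy you meant to hit.

    expected_policy and allowed_auth_types are the administrator's intent
    (assumed values in the usage below), not anything taken from the event.
    """
    findings = []
    policy = fields.get("Policy-Name")
    if policy != expected_policy:
        note = "request matched policy %r, not %r" % (policy, expected_policy)
        if policy == DEFAULT_POLICY:
            note += " (the IAS default policy: the custom policy's conditions did not match this request, so its authentication methods were never consulted)"
        findings.append(note)
    auth = fields.get("Authentication-Type")
    if auth not in allowed_auth_types:
        findings.append("NAS authenticated with %s; allowed methods are %s"
                        % (auth, ", ".join(sorted(allowed_auth_types))))
    if fields.get("Reason-Code") == "66":
        findings.append("reason code 66: authentication method not enabled on the matched policy")
    return findings


if __name__ == "__main__":
    event = parse_ias_event(SAMPLE_EVENT)
    # Assumed intent: a custom policy named "Cisco 3020 VPN" allowing only MS-CHAPv2.
    for finding in diagnose(event, "Cisco 3020 VPN", {"MS-CHAPv2"}):
        print("-", finding)
```

Two things to read off the output: the policy mismatch is an IAS-side problem (the custom policy's conditions, such as client friendly name or NAS port type, do not select this request), while `Authentication-Type = PAP` is what the concentrator put on the wire regardless of what is enabled in the IAS policy, so the two have to be fixed on different boxes.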
