Security Basics mailing list archives
Secure Windows Domain auth for Cisco 2691 to Win2k or NT 4 Server via Radius
From: Alfred.Diggs () STIS com
Date: Sat, 16 Aug 2003 21:20:18 -0400
Thanks in advance for any and all help in this situation. I have a Cisco 2691 VPN device that has 3 static VPN tunnels to some of our vendors. And since my company ponied up and bought the 7k device they expect me to use it for everything. I have a remote office in India (developers = 24/7 access and big bandwidth) and they need access to our network itself and not Terminal Services. Anyway I set up a dynamic VPN pool for use with the Cisco VPN win32 client which works great for authenticating to the VPN device, and I can ping everything on the network. The problem is that I cannot connect to anything because Windows doesn't care that Cisco authenticated them; it requires domain level authentication for all resources. So I set up a RADIUS server on a Windows 2k member server on a WinNT domain (I know, but there are budgetary issues with the full migration). Anywho it almost seemed as if I was ready to authenticate but I kept screwing something up. Here is a list of my errors.

Usernames tried:
- admin1
- stelco\admin1
- \stelco\admin1
- \\stelco\admin1

I created both local and domain accounts for that user name. I did play with the shared key between Cisco and the RADIUS server ON:OFF. I also tried this on our WinNT BDC and got basically the same results.

enviro = Win2k Pro using Cisco VPN client over dialup

OK here are the event logs from the Win2k server (I deleted the NT logs due to utter disgust):

1: User admin1 was denied access.
Fully-Qualified-User-Name = stelco\admin1
NAS-IP-Address = 0.0.0.0
NAS-Identifier = <not present>
Called-Station-Identifier = <not present>
Calling-Station-Identifier = 66.217.207.114
Client-Friendly-Name = 2691cisco
Client-IP-Address = 192.168.10.24
NAS-Port-Type = Virtual
NAS-Port = 500
Policy-Name = <undetermined>
Authentication-Type = PAP
EAP-Type = <undetermined>
Reason-Code = 8
Reason = The specified user does not exist.

2: A signature attribute is required in Access-Requests from client 2691cisco.

3: Access request for user \\stelco\admin1 was discarded.
Fully-Qualified-User-Name = \\stelco\admin1
NAS-IP-Address = 0.0.0.0
NAS-Identifier = <not present>
Called-Station-Identifier = <not present>
Calling-Station-Identifier = 66.217.207.114
Client-Friendly-Name = 2691cisco
Client-IP-Address = 192.168.10.24
NAS-Port-Type = Virtual
NAS-Port = 500
Reason-Code = 6
Reason = The server is unavailable.

4: Access request for user \stelco\admin1 was discarded.
Fully-Qualified-User-Name = \stelco\admin1
NAS-IP-Address = 0.0.0.0
NAS-Identifier = <not present>
Called-Station-Identifier = <not present>
Calling-Station-Identifier = 66.217.207.114
Client-Friendly-Name = 2691cisco
Client-IP-Address = 192.168.10.24
NAS-Port-Type = Virtual
NAS-Port = 500
Reason-Code = 6
Reason = The server is unavailable.

Problem #2 is more of a technical question than a cry for help. On this same VPN device, as I have mentioned, I have 3 static VPN tunnels using crypto map rookie which are working fine. When I try to set the dynamic VPN tunnel (for the clients) to use the same crypto map my tunnels go down. I know there is almost no limit to the number of virtual tunnels you can have on a device but you are limited to only 1 crypto map per interface. So my question is, is there any way to get the static and dynamic tunnels to play nice with the same crypto map, or do something funky like apply the second crypto map on the inside interface?

15 hours today so I'm really tired (stupid anti-virus rollout). Thanks again for any and all help.

Alfred Diggs
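The following IOS configuration is an added illustration for the thread, not the poster's running config and not something taken from the archive: it shows how a single crypto map (named "rookie" here only because the post uses that name) can carry both the static site-to-site entries and a dynamic crypto map entry for the VPN client pool, and how the client entries are pointed at a RADIUS server for XAUTH. All addresses, ACL numbers, interface names, pool ranges and keys are placeholders; 192.168.10.24 is deliberately not reused, since in the IAS events above it is the RADIUS client (the router), not the RADIUS server.

```cisco
! Added example, not the poster's configuration. Names, peers, ACLs, keys
! and interface names are placeholders.
aaa new-model
! XAUTH user authentication goes to RADIUS, with local fallback.
aaa authentication login vpnclient-auth group radius local
! Group (mode-config) authorization is resolved locally.
aaa authorization network vpnclient-author local
!
! RADIUS server = the Windows IAS box (placeholder address). The key must
! match the one entered for this client in IAS.
radius-server host 192.168.10.5 auth-port 1645 acct-port 1646 key RADIUS_SHARED_SECRET_PLACEHOLDER
! Fixes the source address of RADIUS packets; this also populates the
! NAS-IP-Address attribute, which the events above show as 0.0.0.0.
ip radius source-interface FastEthernet0/0
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
! Group definition the Cisco VPN client connects to (placeholder key/pool).
crypto isakmp client configuration group vpnclients
 key GROUP_PRESHARED_KEY_PLACEHOLDER
 pool vpnpool
!
ip local pool vpnpool 192.168.200.1 192.168.200.50
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
! Dynamic crypto map for the road warriors: no "set peer", no "match address",
! the router only responds to negotiations that start from the client.
crypto dynamic-map vpnclient-dynmap 10
 set transform-set ESP-3DES-SHA
 reverse-route
!
! Static site-to-site entries keep their low sequence numbers and are
! evaluated first (one shown; the other vendors follow the same pattern).
crypto map rookie 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set ESP-3DES-SHA
 match address 110
!
! The dynamic entry is appended to the SAME map with the highest sequence
! number, so it is only consulted after none of the static entries match.
crypto map rookie 100 ipsec-isakmp dynamic vpnclient-dynmap
!
! XAUTH (via the RADIUS list above) and mode-config for clients hitting map "rookie".
crypto map rookie client authentication list vpnclient-auth
crypto map rookie isakmp authorization list vpnclient-author
crypto map rookie client configuration address respond
!
! Only one crypto map per interface: apply "rookie" to the outside interface
! and let the sequence numbers separate static peers from dynamic clients.
interface FastEthernet0/1
 crypto map rookie
```

Two things worth checking against the events in the post, stated here as this editor's reading rather than anything the thread confirms: the "A signature attribute is required in Access-Requests from client 2691cisco" event is what IAS logs when the RADIUS client entry has the "client must always send the signature attribute in the request" option enabled and the router's Access-Request carries no Message-Authenticator, so that option on the 2691cisco client entry is the first place to look; and because the crypto map is matched in sequence order, placing the dynamic entry at a lower sequence number than the static entries is the usual reason the existing tunnels stop coming up when the two are merged into one map.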
Current thread:
- Secure Windows Domain auth for Cisco 2691 to Win2k or NT 4 Server via Radius Alfred . Diggs (Aug 18)
- RE: Secure Windows Domain auth for Cisco 2691 to Win2k or NT 4 Server via Radius Israel Hernandez (Aug 18)