Pix 501 VPN Can Not Authenticate Using IAS

[pmore628]

Hey guys,
This is my first attempt at getting a VPN going for some remote users. Fortunately I have a smartnet contract and Cisco did this part of my config... I followed the instructions on how to set up the RADIUS server and it seemed pretty straight forward but soemthing is not right because its not working fully.
At first before we set up the PIX for authentication I could connect with the VPN and ping everything on my network but I could not access any resources. Assuming I needed authentication Cisco then put the correct config in place.

Here is the link they gave me for the RADIUS set up:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration

_example09186a00800b6099.shtml

Here is my config:


PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password
passwd
hostname pixfirewall
domain-name
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list nonat permit ip 192.168.1.0 255.255.255.0 10.89.129.0 255.255.255.0
access-list split_tunnel permit ip 192.168.1.0 255.255.255.0 10.89.129.0 255.255.255.0
access-list 200 permit tcp any host xxx.xxx.xxx.xxx eq 3389
access-list 199 permit ip 10.89.129.0 255.255.255.0 host 192.168.1.254
access-list 199 permit ip host 192.168.1.254 10.89.129.0 255.255.255.0
pager lines 24
icmp deny any outside
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.xxx.xxx 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNpool 10.89.129.1-10.89.129.254
pdm location 192.168.1.0 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 192.168.1.254 3389 netmask 255.255.255.255 0 0
access-group 200 in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx x
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server partnerauth protocol radius
aaa-server partnerauth max-failed-attempts 3
aaa-server partnerauth deadtime 10
aaa-server partnerauth (inside) host 192.168.1.254 ciscoVPN timeout 5
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 192.168.1.254 C:\TFTP-Root
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dymap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dymap
crypto map mymap client authentication partnerauth
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup RemoteVPN address-pool VPNpool
vpngroup RemoteVPN split-tunnel split_tunnel
vpngroup RemoteVPN idle-time 1800
vpngroup RemoteVPN password
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
management-access inside
console timeout 0
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
username cisco password xxxxxxxxxxxxxxxx encrypted privilege 2
terminal width 80
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxx
: end

If anyone has any experience in this please give me some direction.

Thanks in advance
Pat

 

[brianinms]

So I assume the server at 192.168.1.254 Has IAS installed?

 

[pmore628]

Yes it does... It's a 2003 SBS

Thanks

 

[brianinms]

So what happens when you try to VPN?

 

[pmore628]

So what happens when you try to VPN? "

VPN trys to establish a connection, then it pops up a user name and password (which I am assuming is a user account). then it says authentication failed. And thats as far as I get.

 

[brianinms]

Aight, try a "debug aaa authentication" while you are trying to establish the vpn

 

[pmore628]

Well here it is...

pixfirewall# debug aaa authentication
pixfirewall# 1: xauth authentication in progress for user: , session id: 9504230
31
2: Received response: lbogush, session id 950423031
3: Making authentication request for host 192.168.1.254, user lbogush, session i
d: 950423031
4: Processing challenge for user lbogush, session id: 950423031, challenge: Pass
word:
5: Received xauth challenge: Password: , session id: 950423031
6: Received response: , session id 950423031
7: Making authentication request for host 192.168.1.254, user lbogush, session i
d: 950423031
8: Received response: , session id 950423031
9: Making authentication request for host 192.168.1.254, user lbogush, session i
d: 950423031
10: Received response: , session id 950423031
11: Making authentication request for host 192.168.1.254, user lbogush, session
id: 950423031
12: Received response: , session id 950423031
13: Making authentication request for host 192.168.1.254, user lbogush, session
id: 950423031
14: xauth authentication failed for user: lbogush, session id: 950423031

 

[brianinms]

To me it looks like it is timing out.

 

[pmore628]

To me it looks like it not getting a response to authenticate the user info and like you said it times out...
I'll poke around on the server to see if I missed something.

All I did on the server is create the Radius client with the IP of the inside interface.
And in the connection policies i granted remote access permissions and chose authentication protocol and type of encrytion.
In the user account i left control through remote access policy...

Does anyone know of anything else?

Thanks

 

[brianinms]

I usually create VPN Users group.

http://articles.techrepublic.com.com/5100-1035-6180954.html

 

[pmore628]

Great Link - Thank you. I deleted and configured IAS as that document stated. It made more sense that way too.

At this point I can only test remote connection from a lap top that is not joined to our domain but has wireless broadband. Do you think that will that work?

Thanks

 

[brianinms]

Yes, long as its internet connect is different that yours it should be fine.

 

[pmore628]

Yup - It still doesnt work. I downloaded that tool to view the IAS logs and they say failed at authenticating. I am pretty confident my secret is the same on both PIX and in the IAS config. The users are in groups and using PAP.
Not sure what else to try...

 

[brianinms]

Well change the secret key on both sides.

 

[pmore628]

Changed them and still no dice. I know this is something stpid too

 

[pmore628]

I pulled this out of the event viewer:

User pmore was denied access.
Fully-Qualified-User-Name = LBIAV\pmore
NAS-IP-Address = 192.168.1.1
NAS-Identifier = <not present>
Called-Station-Identifier = <not present>
Calling-Station-Identifier = 69.141.246.143
Client-Friendly-Name = Pix
Client-IP-Address = 192.168.1.1
NAS-Port-Type = <not present>
NAS-Port = 159
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = <undetermined>
Authentication-Type = PAP
EAP-Type = <undetermined>
Reason-Code = 16
Reason = Authentication was not successful because an unknown user name or incorrect password was used.