[isalist] Re: VPN Authentication w/Radius to Server 2008

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 11 Sep 2009 11:49:39 -0500

Maybe the account doesn't have dial-in permissions?

 

____________________________________________

TOM SHINDER   |   Sr. Consultant/Technical Writer 
206.443.1117   |   SHINDER@xxxxxxxxxxxxxxx


5701 Sixth Avenue South   |   Seattle, WA 98108  
PROWESS   |   WWW.PROWESSCORP.COM <http://www.prowesscorp.com/> 

____________________________________________

 

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Thor (Hammer of God)
Sent: Friday, September 11, 2009 11:37 AM
To: ISA Mailing List
Subject: [isalist] Re: VPN Authentication w/Radius to Server 2008

 

Sounds like a policy setting or logon requirement is getting in the way.
Maybe NTLM/LM settings...

 

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Steven Comeau
Sent: Friday, September 11, 2009 9:16 AM
To: ISA Mailing List
Subject: [isalist] Re: VPN Authentication w/Radius to Server 2008

 

I see the connection request in the logs on the DC, even when I try
"username" vs "domain\username", but no reason as to why the credentials
are rejected.  This is why I think it's not RADIUS but something easy
but with the user authentication to the domain of the NPS.

 

Steve Comeau

Associate Director of IT  Rutgers Athletics

83 Rockafeller Road

Piscataway, NJ  08854

732-445-7802

732-445-4623 (fax)

www.scarletknights.com <http://www.scarletknights.com> 

                   

 

   

        

 

 

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Thomas W Shinder
Sent: Friday, September 11, 2009 11:14 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: VPN Authentication w/Radius to Server 2008

 

Would be interesting to get a quick NetMon trace to see if the
connection requests are even making it to the RADIUS server.

 

____________________________________________

TOM SHINDER   |   Sr. Consultant/Technical Writer 
206.443.1117   |   SHINDER@xxxxxxxxxxxxxxx


5701 Sixth Avenue South   |   Seattle, WA 98108  
PROWESS   |   WWW.PROWESSCORP.COM <http://www.prowesscorp.com/> 

____________________________________________

 

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Steven Comeau
Sent: Friday, September 11, 2009 9:33 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: VPN Authentication w/Radius to Server 2008

 

No, which is rather odd, unless I'm looking in the wrong place.  I've
checked the System, Application, and even the NP&AS logs....  I have 4
errors in the NP&AS Server Role Event log, but that was what I expected
from fiddling with the RADIUS Server setup (Invalid RADIUS client).

 

Steve Comeau

Associate Director of IT  Rutgers Athletics

83 Rockafeller Road

Piscataway, NJ  08854

732-445-7802

732-445-4623 (fax)

www.scarletknights.com <http://www.scarletknights.com> 

                   



  

        

 

 

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Thomas W Shinder
Sent: Friday, September 11, 2009 10:06 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: VPN Authentication w/Radius to Server 2008

 

Do you see anything in the Event Viewer related to these authentication
attempts on the NPS machine?

 

Thanks!

Tom

 

____________________________________________

TOM SHINDER   |   Sr. Consultant/Technical Writer 
206.443.1117   |   SHINDER@xxxxxxxxxxxxxxx


5701 Sixth Avenue South   |   Seattle, WA 98108  
PROWESS   |   WWW.PROWESSCORP.COM <http://www.prowesscorp.com/> 

____________________________________________

 

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Steven Comeau
Sent: Friday, September 11, 2009 8:55 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: VPN Authentication w/Radius to Server 2008

 

Thanks Tom and Jim,

 

Yes, Jim, it looks like that.  Odd thing is, that I can tell the RADIUS
works fine (the client/server piece).  However, the 691 error, I think,
is the actual authentication against AD because I keep getting the error
that the credentials are invalid on the domain.  When I disable pieces
on the NPS, like the actual RADIUS server, there is no communication
between ISA and W2k8 - I get errors I expect.  I've done a lot of
Googling last night, and many others have the RADIUS working, but in my
scenario, the credentials just don't seem to be authenticating against
the AD.

 

I've checked the logs, even the event viewer, and when I disable the
RADIUS Server, again, I see errors I expect, but when all is configured,
I don't see anything in the logs about the rejection of the credentials.
I'm sure it's something very simple that is done differently in NPS,
probably additional checking, but I've tried to mimic the 2003 policies
to a T and can't get in.

 

Steve Comeau

Associate Director of IT  Rutgers Athletics

83 Rockafeller Road

Piscataway, NJ  08854

732-445-7802

732-445-4623 (fax)

www.scarletknights.com <http://www.scarletknights.com> 

                   



  

        

 

 

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
Sent: Friday, September 11, 2009 12:24 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: VPN Authentication w/Radius to Server 2008

 

Gecher RADIUS logs.

They're in the same place they were on WS03.

Does your RADIUS configuration look like this?

 

 

 

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Steven Comeau
Sent: Thursday, September 10, 2009 6:55 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] VPN Authentication w/Radius to Server 2008

 

Our ISA 2006 box is not on the domain, so we use RADIUS to authenticate
VPN users against the Domain.  We've been successfully using RADIUS on a
Win2003 Server without issue for quite some time now, but I'm now
transitioning to Server 2008 and am having a bear of a time with
Authenticating users via VPN.  All seems to be fine on the actual RADIUS
server/client communication, but it appears that NPS on Server 2008 (the
IAS replacement) keeps giving me the 691 Error (bad username/password)
when I try to VPN.  It appears that NPS on Server 2008 can't
authenticate users against the Active Directory.

 

I know this isn't really an ISA issue, but if anyone has any help or
documents they can point me to, that would be excellent.  I've done the
MS one on adding the domain\ before the username, but that didn't solve
the issue.  Anyone have NPS configuration issues with VPN and experience
with solving them?

 

Thanks.

 

Steve Comeau

Associate Director of IT  Rutgers Athletics

83 Rockafeller Road

Piscataway, NJ  08854

732-445-7802

732-445-4623 (fax)

www.scarletknights.com <http://www.scarletknights.com> 

                   



  

        

 

 

***  This message contains confidential information and is
intended only for the individual named. If you are not the
named addressee, you should not disseminate, distribute or
copy this e-mail. Please notify the sender immediately by
e-mail if you have received this e-mail by mistake and delete
this e-mail from your system. E-mail transmission cannot be
guaranteed to be secure or error-free as information could be 
intercepted, corrupted, lost, destroyed, arrive late or
incomplete, or contain viruses.  The sender therefore does not
accept liability for any errors or omissions in the contents of
this message, which arise as a result of e-mail transmission.
If verification is required please request a hard-copy version.
Rutgers University - DIA
83 Rockafeller Road
Piscataway, NJ 08854
www.scarletknights.com *** 
 
***  This message contains confidential information and is
intended only for the individual named. If you are not the
named addressee, you should not disseminate, distribute or
copy this e-mail. Please notify the sender immediately by
e-mail if you have received this e-mail by mistake and delete
this e-mail from your system. E-mail transmission cannot be
guaranteed to be secure or error-free as information could be 
intercepted, corrupted, lost, destroyed, arrive late or
incomplete, or contain viruses.  The sender therefore does not
accept liability for any errors or omissions in the contents of
this message, which arise as a result of e-mail transmission.
If verification is required please request a hard-copy version.
Rutgers University - DIA
83 Rockafeller Road
Piscataway, NJ 08854
www.scarletknights.com *** 
 
***  This message contains confidential information and is
intended only for the individual named. If you are not the
named addressee, you should not disseminate, distribute or
copy this e-mail. Please notify the sender immediately by
e-mail if you have received this e-mail by mistake and delete
this e-mail from your system. E-mail transmission cannot be
guaranteed to be secure or error-free as information could be 
intercepted, corrupted, lost, destroyed, arrive late or
incomplete, or contain viruses.  The sender therefore does not
accept liability for any errors or omissions in the contents of
this message, which arise as a result of e-mail transmission.
If verification is required please request a hard-copy version.
Rutgers University - DIA
83 Rockafeller Road
Piscataway, NJ 08854
www.scarletknights.com *** 
 
***  This message contains confidential information and is
intended only for the individual named. If you are not the
named addressee, you should not disseminate, distribute or
copy this e-mail. Please notify the sender immediately by
e-mail if you have received this e-mail by mistake and delete
this e-mail from your system. E-mail transmission cannot be
guaranteed to be secure or error-free as information could be 
intercepted, corrupted, lost, destroyed, arrive late or
incomplete, or contain viruses.  The sender therefore does not
accept liability for any errors or omissions in the contents of
this message, which arise as a result of e-mail transmission.
If verification is required please request a hard-copy version.
Rutgers University - DIA
83 Rockafeller Road
Piscataway, NJ 08854
www.scarletknights.com *** 
 

PNG image

JPEG image

PNG image

Other related posts: