The default LAN Manager auth for 2003 is "Send NTLM response only." The default for 2008 is "Send NTLMv2 response only." Since you are having auth problems, and we don't know where they are, and you've got 2 different OSs with 2 different default settings for auth, I thought it was at least worth mentioning.

t

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Steven Comeau
Sent: Friday, September 11, 2009 9:44 AM
To: ISA Mailing List
Subject: [isalist] Re: VPN Authentication w/Radius to Server 2008

I would guess policy, but I've tried to mimic the 2003 server settings to a "T" - must be some enhanced Policy setting. Because it works with our 2003 server, I'm less inclined to think NTLM/LM.

Steve Comeau
Associate Director of IT
Rutgers Athletics
83 Rockafeller Road
Piscataway, NJ 08854
732-445-7802
732-445-4623 (fax)
www.scarletknights.com

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
Sent: Friday, September 11, 2009 12:37 PM
To: ISA Mailing List
Subject: [isalist] Re: VPN Authentication w/Radius to Server 2008

Sounds like a policy setting or logon requirement is getting in the way. Maybe NTLM/LM settings...

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Steven Comeau
Sent: Friday, September 11, 2009 9:16 AM
To: ISA Mailing List
Subject: [isalist] Re: VPN Authentication w/Radius to Server 2008

I see the connection request in the logs on the DC, even when I try "username" vs "domain\username", but no reason as to why the credentials are rejected. This is why I think it's not RADIUS but something easy but with the user authentication to the domain of the NPS.

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
Sent: Friday, September 11, 2009 11:14 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: VPN Authentication w/Radius to Server 2008

Would be interesting to get a quick NetMon trace to see if the connection requests are even making it to the RADIUS server.

____________________________________________
TOM SHINDER | Sr. Consultant/Technical Writer
206.443.1117 | SHINDER@xxxxxxxxxxxxxxx
5701 Sixth Avenue South | Seattle, WA 98108
PROWESS | WWW.PROWESSCORP.COM
____________________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Steven Comeau
Sent: Friday, September 11, 2009 9:33 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: VPN Authentication w/Radius to Server 2008

No, which is rather odd, unless I'm looking in the wrong place. I've checked the System, Application, and even the NP&AS logs.... I have 4 errors in the NP&AS Server Role Event log, but that was what I expected from fiddling with the RADIUS Server setup (Invalid RADIUS client).

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
Sent: Friday, September 11, 2009 10:06 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: VPN Authentication w/Radius to Server 2008

Do you see anything in the Event Viewer related to these authentication attempts on the NPS machine?

Thanks!
Tom

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Steven Comeau
Sent: Friday, September 11, 2009 8:55 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: VPN Authentication w/Radius to Server 2008

Thanks Tom and Jim,

Yes, Jim, it looks like that. Odd thing is, that I can tell the RADIUS works fine (the client/server piece). However, the 691 error, I think, is the actual authentication against AD because I keep getting the error that the credentials are invalid on the domain. When I disable pieces on the NPS, like the actual RADIUS server, there is no communication between ISA and W2k8 - I get errors I expect.

I've done a lot of Googling last night, and many others have the RADIUS working, but in my scenario, the credentials just don't seem to be authenticating against the AD. I've checked the logs, even the event viewer, and when I disable the RADIUS Server, again, I see errors I expect, but when all is configured, I don't see anything in the logs about the rejection of the credentials.
I'm sure it's something very simple that is done differently in NPS, probably additional checking, but I've tried to mimic the 2003 policies to a T and can't get in.

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: Friday, September 11, 2009 12:24 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: VPN Authentication w/Radius to Server 2008

Gecher RADIUS logs. They're in the same place they were on WS03.
Does your RADIUS configuration look like this?

[image]

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Steven Comeau
Sent: Thursday, September 10, 2009 6:55 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] VPN Authentication w/Radius to Server 2008

Our ISA 2006 box is not on the domain, so we use RADIUS to authenticate VPN users against the Domain. We've been successfully using RADIUS on a Win2003 Server without issue for quite some time now, but I'm now transitioning to Server 2008 and am having a bear of a time with Authenticating users via VPN.

All seems to be fine on the actual RADIUS server/client communication, but it appears that NPS on Server 2008 (the IAS replacement) keeps giving me the 691 Error (bad username/password) when I try to VPN. It appears that NPS on Server 2008 can't authenticate users against the Active Directory.

I know this isn't really an ISA issue, but if anyone has any help or documents they can point me to, that would be excellent. I've done the MS one on adding the domain\ before the username, but that didn't solve the issue.

Anyone have NPS configuration issues with VPN and experience with solving them?

Thanks.

*** This message contains confidential information and is intended only for the individual named. If you are not the named addressee, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission. If verification is required please request a hard-copy version. Rutgers University - DIA 83 Rockafeller Road Piscataway, NJ 08854 www.scarletknights.com ***
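
The reply at the top of this thread points at the differing LAN Manager authentication defaults on 2003 and 2008. One way to check the effective level on each server, as an added example that is not part of the original thread: it assumes PowerShell is available on both machines and reads the standard LmCompatibilityLevel registry value, falling back to the two defaults quoted in that reply when the value is not set.

```powershell
# Added example, not from the thread. Run locally on the 2003 server and on the
# 2008 NPS server/DC, then compare the two lines of output.

# Policy names for "Network security: LAN Manager authentication level"
$LevelNames = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function Get-LmAuthLevel {
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $prop = Get-ItemProperty -Path $key -Name LmCompatibilityLevel -ErrorAction SilentlyContinue
    $os   = [Environment]::OSVersion.Version

    if ($prop -ne $null) {
        # Value present: set by hand or pushed by local/group policy
        $level  = [int]$prop.LmCompatibilityLevel
        $source = 'registry value'
    } elseif ($os.Major -ge 6) {
        # Not set on 2008: default quoted in the thread
        $level  = 3
        $source = 'not set, 2008 default'
    } elseif ($os.Major -eq 5 -and $os.Minor -eq 2) {
        # Not set on 2003: default quoted in the thread
        $level  = 2
        $source = 'not set, 2003 default'
    } else {
        # Older systems are outside what the thread covers
        return ('{0}: LmCompatibilityLevel not set; default for OS {1} not covered here' -f $env:COMPUTERNAME, $os)
    }

    $name = $LevelNames[$level]
    if (-not $name) { $name = 'unrecognised value' }
    '{0}: level {1} ({2}) [{3}]' -f $env:COMPUTERNAME, $level, $name, $source
}

Get-LmAuthLevel
```

If the two servers report different levels, that difference is the one the reply suggests ruling out before looking further at NPS policy.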