[isalist] Re: VPN Authentication w/Radius to Server 2008

You can also enable netlogon logging at the WS08 DC to see why the auth attempt 
failed there.
http://support.microsoft.com/kb/109626 provides instructions...


From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Steven Comeau
Sent: Friday, September 11, 2009 10:14 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: VPN Authentication w/Radius to Server 2008

It does, because it works when I change the RADIUS on ISA to use the IAS on the 
2003 DC.  When I change it to the use NPS on the 2008 server (same domain), it 
doesn't get through.

Steve Comeau
Associate Director of IT  Rutgers Athletics
83 Rockafeller Road
Piscataway, NJ  08854
732-445-7802
732-445-4623 (fax)
www.scarletknights.com<http://www.scarletknights.com>


[cid:[email protected]]
  [cid:[email protected]]




From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Thomas W Shinder
Sent: Friday, September 11, 2009 12:50 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: VPN Authentication w/Radius to Server 2008

Maybe the account doesn't have dial-in permissions?

____________________________________________
TOM SHINDER   |   Sr. Consultant/Technical Writer
206.443.1117   |   SHINDER@xxxxxxxxxxxxxxx<mailto:shinder@xxxxxxxxxxxxxxx>

5701 Sixth Avenue South   |   Seattle, WA 98108
PROWESS   |   WWW.PROWESSCORP.COM<http://www.prowesscorp.com/>
____________________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Thor (Hammer of God)
Sent: Friday, September 11, 2009 11:37 AM
To: ISA Mailing List
Subject: [isalist] Re: VPN Authentication w/Radius to Server 2008

Sounds like a policy setting or logon requirement is getting in the way.  Maybe 
NTLM/LM settings...

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Steven Comeau
Sent: Friday, September 11, 2009 9:16 AM
To: ISA Mailing List
Subject: [isalist] Re: VPN Authentication w/Radius to Server 2008

I see the connection request in the logs on the DC, even when I try "username" 
vs "domain\username", but no reason as to why the credentials are rejected.  
This is why I think it's not RADIUS but something easy but with the user 
authentication to the domain of the NPS.

Steve Comeau
Associate Director of IT  Rutgers Athletics
83 Rockafeller Road
Piscataway, NJ  08854
732-445-7802
732-445-4623 (fax)
www.scarletknights.com<http://www.scarletknights.com>


[cid:[email protected]]
  [cid:[email protected]]




From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Thomas W Shinder
Sent: Friday, September 11, 2009 11:14 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: VPN Authentication w/Radius to Server 2008

Would be interesting to get a quick NetMon trace to see if the connection 
requests are even making it to the RADIUS server.

____________________________________________
TOM SHINDER   |   Sr. Consultant/Technical Writer
206.443.1117   |   SHINDER@xxxxxxxxxxxxxxx<mailto:shinder@xxxxxxxxxxxxxxx>

5701 Sixth Avenue South   |   Seattle, WA 98108
PROWESS   |   WWW.PROWESSCORP.COM<http://www.prowesscorp.com/>
____________________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Steven Comeau
Sent: Friday, September 11, 2009 9:33 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: VPN Authentication w/Radius to Server 2008

No, which is rather odd, unless I'm looking in the wrong place.  I've checked 
the System, Application, and even the NP&AS logs....  I have 4 errors in the 
NP&AS Server Role Event log, but that was what I expected from fiddling with 
the RADIUS Server setup (Invalid RADIUS client).

Steve Comeau
Associate Director of IT  Rutgers Athletics
83 Rockafeller Road
Piscataway, NJ  08854
732-445-7802
732-445-4623 (fax)
www.scarletknights.com<http://www.scarletknights.com>


[cid:[email protected]]
  [cid:image002.jpg@01CA32D5.4EDE[email protected]]




From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Thomas W Shinder
Sent: Friday, September 11, 2009 10:06 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: VPN Authentication w/Radius to Server 2008

Do you see anything in the Event Viewer related to these authentication 
attempts on the NPS machine?

Thanks!
Tom

____________________________________________
TOM SHINDER   |   Sr. Consultant/Technical Writer
206.443.1117   |   SHINDER@xxxxxxxxxxxxxxx<mailto:shinder@xxxxxxxxxxxxxxx>

5701 Sixth Avenue South   |   Seattle, WA 98108
PROWESS   |   WWW.PROWESSCORP.COM<http://www.prowesscorp.com/>
____________________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Steven Comeau
Sent: Friday, September 11, 2009 8:55 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: VPN Authentication w/Radius to Server 2008

Thanks Tom and Jim,

Yes, Jim, it looks like that.  Odd thing is, that I can tell the RADIUS works 
fine (the client/server piece).  However, the 691 error, I think, is the actual 
authentication against AD because I keep getting the error that the credentials 
are invalid on the domain.  When I disable pieces on the NPS, like the actual 
RADIUS server, there is no communication between ISA and W2k8 - I get errors I 
expect.  I've done a lot of Googling last night, and many others have the 
RADIUS working, but in my scenario, the credentials just don't seem to be 
authenticating against the AD.

I've checked the logs, even the event viewer, and when I disable the RADIUS 
Server, again, I see errors I expect, but when all is configured, I don't see 
anything in the logs about the rejection of the credentials.  I'm sure it's 
something very simple that is done differently in NPS, probably additional 
checking, but I've tried to mimic the 2003 policies to a T and can't get in.

Steve Comeau
Associate Director of IT  Rutgers Athletics
83 Rockafeller Road
Piscataway, NJ  08854
732-445-7802
732-445-4623 (fax)
www.scarletknights.com<http://www.scarletknights.com>


[cid:[email protected]]
  [cid:[email protected]]




From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: Friday, September 11, 2009 12:24 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: VPN Authentication w/Radius to Server 2008

Gecher RADIUS logs.
They're in the same place they were on WS03.
Does your RADIUS configuration look like this?
[cid:[email protected]]


From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Steven Comeau
Sent: Thursday, September 10, 2009 6:55 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] VPN Authentication w/Radius to Server 2008

Our ISA 2006 box is not on the domain, so we use RADIUS to authenticate VPN 
users against the Domain.  We've been successfully using RADIUS on a Win2003 
Server without issue for quite some time now, but I'm now transitioning to 
Server 2008 and am having a bear of a time with Authenticating users via VPN.  
All seems to be fine on the actual RADIUS server/client communication, but it 
appears that NPS on Server 2008 (the IAS replacement) keeps giving me the 691 
Error (bad username/password) when I try to VPN.  It appears that NPS on Server 
2008 can't authenticate users against the Active Directory.

I know this isn't really an ISA issue, but if anyone has any help or documents 
they can point me to, that would be excellent.  I've done the MS one on adding 
the domain\ before the username, but that didn't solve the issue.  Anyone have 
NPS configuration issues with VPN and experience with solving them?

Thanks.

Steve Comeau
Associate Director of IT  Rutgers Athletics
83 Rockafeller Road
Piscataway, NJ  08854
732-445-7802
732-445-4623 (fax)
www.scarletknights.com<http://www.scarletknights.com>


[cid:[email protected]]
  [cid:[email protected]]





***  This message contains confidential information and is

intended only for the individual named. If you are not the

named addressee, you should not disseminate, distribute or

copy this e-mail. Please notify the sender immediately by

e-mail if you have received this e-mail by mistake and delete

this e-mail from your system. E-mail transmission cannot be

guaranteed to be secure or error-free as information could be

intercepted, corrupted, lost, destroyed, arrive late or

incomplete, or contain viruses.  The sender therefore does not

accept liability for any errors or omissions in the contents of

this message, which arise as a result of e-mail transmission.

If verification is required please request a hard-copy version.

Rutgers University - DIA

83 Rockafeller Road

Piscataway, NJ 08854

www.scarletknights.com ***



***  This message contains confidential information and is

intended only for the individual named. If you are not the

named addressee, you should not disseminate, distribute or

copy this e-mail. Please notify the sender immediately by

e-mail if you have received this e-mail by mistake and delete

this e-mail from your system. E-mail transmission cannot be

guaranteed to be secure or error-free as information could be

intercepted, corrupted, lost, destroyed, arrive late or

incomplete, or contain viruses.  The sender therefore does not

accept liability for any errors or omissions in the contents of

this message, which arise as a result of e-mail transmission.

If verification is required please request a hard-copy version.

Rutgers University - DIA

83 Rockafeller Road

Piscataway, NJ 08854

www.scarletknights.com ***



***  This message contains confidential information and is

intended only for the individual named. If you are not the

named addressee, you should not disseminate, distribute or

copy this e-mail. Please notify the sender immediately by

e-mail if you have received this e-mail by mistake and delete

this e-mail from your system. E-mail transmission cannot be

guaranteed to be secure or error-free as information could be

intercepted, corrupted, lost, destroyed, arrive late or

incomplete, or contain viruses.  The sender therefore does not

accept liability for any errors or omissions in the contents of

this message, which arise as a result of e-mail transmission.

If verification is required please request a hard-copy version.

Rutgers University - DIA

83 Rockafeller Road

Piscataway, NJ 08854

www.scarletknights.com ***



***  This message contains confidential information and is

intended only for the individual named. If you are not the

named addressee, you should not disseminate, distribute or

copy this e-mail. Please notify the sender immediately by

e-mail if you have received this e-mail by mistake and delete

this e-mail from your system. E-mail transmission cannot be

guaranteed to be secure or error-free as information could be

intercepted, corrupted, lost, destroyed, arrive late or

incomplete, or contain viruses.  The sender therefore does not

accept liability for any errors or omissions in the contents of

this message, which arise as a result of e-mail transmission.

If verification is required please request a hard-copy version.

Rutgers University - DIA

83 Rockafeller Road

Piscataway, NJ 08854

www.scarletknights.com ***



***  This message contains confidential information and is

intended only for the individual named. If you are not the

named addressee, you should not disseminate, distribute or

copy this e-mail. Please notify the sender immediately by

e-mail if you have received this e-mail by mistake and delete

this e-mail from your system. E-mail transmission cannot be

guaranteed to be secure or error-free as information could be

intercepted, corrupted, lost, destroyed, arrive late or

incomplete, or contain viruses.  The sender therefore does not

accept liability for any errors or omissions in the contents of

this message, which arise as a result of e-mail transmission.

If verification is required please request a hard-copy version.

Rutgers University - DIA

83 Rockafeller Road

Piscataway, NJ 08854

www.scarletknights.com ***


PNG image

JPEG image

PNG image

Other related posts: