[isalist] Re: VPN Authentication w/Radius to Server 2008

  • From: Steven Comeau <scomeau@xxxxxxxxxxxxxxxxxx>
  • To: "isalist@xxxxxxxxxxxxx" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 12 Oct 2009 17:43:52 -0400

Solved!

I had to set the "Type of network access server" setting on the "Overview" tab 
of the CRP policy's properties and the Network Policy to "Unspecified" and not 
RAS (VPN Dial Up).  I knew it was a simple thing, I just couldn't quite figure 
it out.  http://msdn.microsoft.com/en-us/library/cc243442(PROT.10).aspx

A big help was to see if the Network Policy Server was set to just "Success" or 
to "Success and Failure" (auditpol /get /subcategory:"Network Policy Server").  
Mine was just "Success", so I had to run: auditpol /set /subcategory:"Network 
Policy Server" /success:enable /failure:enable.  This allowed me to check the 
NPS logs in the Event Viewer which led to the solution.

Thank you all!

Steve Comeau
Associate Director of IT  Rutgers Athletics
83 Rockafeller Road
Piscataway, NJ  08854
732-445-7802
732-445-4623 (fax)
www.scarletknights.com



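The fix above only became visible once failure auditing for the NPS subcategory was on: with "Success" alone, a rejected request leaves nothing in the Event Viewer, which is the blind spot the whole thread circled around. The script below is an added example, not code from the thread or from Microsoft. It assumes an elevated prompt on the NPS server (Windows Server 2008 or later), uses the documented NPS Security-log event IDs (6272 granted, 6273 denied, 6274 discarded), and reads the event data fields those events carry, so the matched connection request policy, network policy and reason text can be seen for each attempt.

```powershell
# Added example (not from the thread). Run elevated on the NPS server.
# Assumptions: Windows Server 2008 or later; the NPS Security-log event IDs
# (6272/6273/6274) and the EventData field names are the documented ones.

# 1. Check whether the "Network Policy Server" subcategory audits failures.
#    Without failure auditing, a denied request is never written to the log.
auditpol /get /subcategory:"Network Policy Server"

# 2. Enable both success and failure auditing (the command the poster ran).
auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable

# 3. Optional: dump the NPS configuration as text so the connection request
#    policies and network policies (including the network access server type
#    condition) can be reviewed without clicking through every property sheet.
netsh nps show config

# 4. Reproduce the VPN logon, then read the NPS decisions from the Security log.
#    6272 = access granted, 6273 = access denied, 6274 = request discarded.
$filter = @{ LogName = 'Security'; Id = 6272, 6273, 6274 }
Get-WinEvent -FilterHashtable $filter -MaxEvents 50 -ErrorAction SilentlyContinue |
    ForEach-Object {
        # The useful detail lives in the EventData section of the event XML.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # New-Object keeps this runnable on the PowerShell 2.0 that shipped with 2008.
        New-Object PSObject -Property @{
            Time          = $_.TimeCreated
            Id            = $_.Id
            User          = $data['FullyQualifiedSubjectUserName']
            ClientIP      = $data['ClientIPAddress']    # the RADIUS client, e.g. the ISA server
            NasPortType   = $data['NASPortType']        # what the request itself claims to be
            ConnReqPolicy = $data['ProxyPolicyName']    # connection request policy that matched
            NetworkPolicy = $data['NetworkPolicyName']  # network policy that matched, if any
            Reason        = "$($data['ReasonCode']) $($data['Reason'])"
        }
    } | Format-Table Time, Id, User, ClientIP, NasPortType, ConnReqPolicy, NetworkPolicy, Reason -AutoSize
```

A 6273 whose NetworkPolicy field is empty and whose Reason says no policy matched points at a policy condition (such as the network access server type) rather than at the credentials; a 6273 naming the policy with a domain-side reason points at the account. Either way the decision is now on record, which is also what an incident responder wants from a VPN gateway's authentication path.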



From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Steven Comeau
Sent: Tuesday, October 06, 2009 2:02 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: VPN Authentication w/Radius to Server 2008

Update: I did turn on the netlogon logging, but lo and behold, I don't see my 
credentials being entered in the log when I try to VPN in...  I'm guessing 
NPS isn't properly set up?  I did register the server in Active Directory and 
can see it in the RAS and IAS Servers group of AD&C, even removed it and added 
it again, but for some odd reason, NPS is not authenticating against the 
domain...  I do see it in the RADIUS log (logfiles folder), but not the 
NETLOGON log (debug folder).





From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: Tuesday, October 06, 2009 1:41 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: VPN Authentication w/Radius to Server 2008

Did you try any of the suggestions?
We never saw any data from them..?

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Steven Comeau
Sent: Monday, October 05, 2009 1:42 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: VPN Authentication w/Radius to Server 2008

Okay, I think for the 2nd time in my life, I've got to call Microsoft.  This is 
bizarre.  I point ISA2006 VPN via RADIUS to my 2003 server, no issues with VPN. 
The moment I point it toward the 2008 server, I keep getting the 691 error 
of bad username and/or password (BTW, it's not R2 of 2008).  I've uninstalled 
NPS and tweaked it over and over, but still no go.  I know it's got to be 
something in the NPS that is not authenticating properly against the domain.  I 
haven't enabled netlogon logging yet, but this shouldn't be so difficult... 
All the logs on the 2008 server show the connection, username, etc. forwarded 
from the ISA server, but not even the Event Viewer logs show anything (even the 
NPAS one).





From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Thomas W Shinder
Sent: Friday, September 25, 2009 12:08 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: VPN Authentication w/Radius to Server 2008

Did this issue get resolved? I've seen other people mention problems with R2 and 
VPN authentication -- but haven't had a chance to check it out myself yet.

____________________________________________
TOM SHINDER   |   Sr. Consultant/Technical Writer
206.443.1117   |   SHINDER@xxxxxxxxxxxxxxx

5701 Sixth Avenue South   |   Seattle, WA 98108
PROWESS   |   WWW.PROWESSCORP.COM
____________________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: Friday, September 11, 2009 1:45 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: VPN Authentication w/Radius to Server 2008

You can also enable netlogon logging at the WS08 DC to see why the auth attempt 
failed there.
http://support.microsoft.com/kb/109626 provides instructions...
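Netlogon debug logging answers a different question than the NPS event log: not "did NPS accept the request" but "did the domain controller ever see a logon for this account, and what did it return". The script below is an added example, not from the thread or from the KB article; it assumes an elevated prompt on the Windows Server 2008 DC, the standard Netlogon debug flag and log path (`%SystemRoot%\debug\netlogon.log`), and a constructed sample account name. The status-code table is a short list of common NTSTATUS values, not a complete one.

```powershell
# Added example (not from the thread). Run elevated on the domain controller
# that NPS authenticates against. Assumptions: standard Netlogon debug flag
# and log location; $account is a constructed sample value.

$account = 'jdoe'   # constructed sample: use the account that gets the 691 error

# 1. Enable verbose Netlogon logging; output goes to %SystemRoot%\debug\netlogon.log.
nltest /dbflag:0x2080ffff

# 2. Reproduce the VPN logon attempt now, then continue.
Read-Host 'Attempt the VPN connection, then press Enter'

# 3. Netlogon records each logon result as an NTSTATUS code. A few common ones:
$status = @{
    '0xC0000064' = 'STATUS_NO_SUCH_USER (account name not found in this domain)'
    '0xC000006A' = 'STATUS_WRONG_PASSWORD'
    '0xC000006D' = 'STATUS_LOGON_FAILURE (bad name or password)'
    '0xC000006E' = 'STATUS_ACCOUNT_RESTRICTION'
    '0xC000006F' = 'STATUS_INVALID_LOGON_HOURS'
    '0xC0000070' = 'STATUS_INVALID_WORKSTATION'
    '0xC0000071' = 'STATUS_PASSWORD_EXPIRED'
    '0xC0000072' = 'STATUS_ACCOUNT_DISABLED'
    '0xC0000234' = 'STATUS_ACCOUNT_LOCKED_OUT'
    '0x00000000' = 'STATUS_SUCCESS'
}

$log = Join-Path $env:SystemRoot 'debug\netlogon.log'
if (-not (Test-Path $log)) {
    Write-Warning "No $log yet: no logon request has reached Netlogon on this DC."
} else {
    # Lines look like: "SamLogon: Network logon of DOMAIN\jdoe from ISA Returns 0xC000006A"
    $hits = Select-String -Path $log -Pattern $account -SimpleMatch
    if (-not $hits) {
        # This is the situation the poster described: the request shows up in the
        # RADIUS log but never in netlogon.log, so it was rejected by NPS policy
        # before the domain was ever asked about the credentials.
        Write-Warning "No Netlogon entries for '$account': the request did not reach domain authentication."
    }
    $hits | ForEach-Object {
        $line = $_.Line
        $code = [regex]::Match($line, '0x[0-9A-Fa-f]{8}').Value
        $key  = if ($code) { '0x' + $code.Substring(2).ToUpper() } else { '' }
        New-Object PSObject -Property @{
            LineNo  = $_.LineNumber
            Status  = $key
            Meaning = if ($status.ContainsKey($key)) { $status[$key] } else { 'not in the table above' }
            Entry   = $line.Trim()
        }
    } | Format-Table LineNo, Status, Meaning, Entry -AutoSize
}

# 4. Turn verbose logging back off when finished; it is chatty on a busy DC.
nltest /dbflag:0x0
```

Read the two logs together: an entry in the RADIUS log with no matching Netlogon entry means the failure is in NPS policy evaluation, while a Netlogon entry with a non-zero status means the domain saw the logon and rejected it for the reason decoded above.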


From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Steven Comeau
Sent: Friday, September 11, 2009 10:14 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: VPN Authentication w/Radius to Server 2008

It does, because it works when I change the RADIUS on ISA to use the IAS on the 
2003 DC.  When I change it to use NPS on the 2008 server (same domain), it 
doesn't get through.





From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Thomas W Shinder
Sent: Friday, September 11, 2009 12:50 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: VPN Authentication w/Radius to Server 2008

Maybe the account doesn't have dial-in permissions?


From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Thor (Hammer of God)
Sent: Friday, September 11, 2009 11:37 AM
To: ISA Mailing List
Subject: [isalist] Re: VPN Authentication w/Radius to Server 2008

Sounds like a policy setting or logon requirement is getting in the way.  Maybe 
NTLM/LM settings...

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Steven Comeau
Sent: Friday, September 11, 2009 9:16 AM
To: ISA Mailing List
Subject: [isalist] Re: VPN Authentication w/Radius to Server 2008

I see the connection request in the logs on the DC, even when I try "username" 
vs "domain\username", but no reason as to why the credentials are rejected.  
This is why I think it's not RADIUS but something easy but with the user 
authentication to the domain of the NPS.





From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Thomas W Shinder
Sent: Friday, September 11, 2009 11:14 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: VPN Authentication w/Radius to Server 2008

Would be interesting to get a quick NetMon trace to see if the connection 
requests are even making it to the RADIUS server.


From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Steven Comeau
Sent: Friday, September 11, 2009 9:33 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: VPN Authentication w/Radius to Server 2008

No, which is rather odd, unless I'm looking in the wrong place.  I've checked 
the System, Application, and even the NP&AS logs...  I have 4 errors in the 
NP&AS Server Role Event log, but that was what I expected from fiddling with 
the RADIUS Server setup (Invalid RADIUS client).





From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Thomas W Shinder
Sent: Friday, September 11, 2009 10:06 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: VPN Authentication w/Radius to Server 2008

Do you see anything in the Event Viewer related to these authentication 
attempts on the NPS machine?

Thanks!
Tom


From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Steven Comeau
Sent: Friday, September 11, 2009 8:55 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: VPN Authentication w/Radius to Server 2008

Thanks Tom and Jim,

Yes, Jim, it looks like that.  Odd thing is that I can tell the RADIUS works 
fine (the client/server piece).  However, the 691 error, I think, is the actual 
authentication against AD because I keep getting the error that the credentials 
are invalid on the domain.  When I disable pieces on the NPS, like the actual 
RADIUS server, there is no communication between ISA and W2k8 - I get errors I 
expect.  I did a lot of Googling last night, and many others have the 
RADIUS working, but in my scenario, the credentials just don't seem to be 
authenticating against the AD.

I've checked the logs, even the event viewer, and when I disable the RADIUS 
Server, again, I see errors I expect, but when all is configured, I don't see 
anything in the logs about the rejection of the credentials.  I'm sure it's 
something very simple that is done differently in NPS, probably additional 
checking, but I've tried to mimic the 2003 policies to a T and can't get in.





From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: Friday, September 11, 2009 12:24 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: VPN Authentication w/Radius to Server 2008

Gecher RADIUS logs.
They're in the same place they were on WS03.
Does your RADIUS configuration look like this?


From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Steven Comeau
Sent: Thursday, September 10, 2009 6:55 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] VPN Authentication w/Radius to Server 2008

Our ISA 2006 box is not on the domain, so we use RADIUS to authenticate VPN 
users against the Domain.  We've been successfully using RADIUS on a Win2003 
Server without issue for quite some time now, but I'm now transitioning to 
Server 2008 and am having a bear of a time with Authenticating users via VPN.  
All seems to be fine on the actual RADIUS server/client communication, but it 
appears that NPS on Server 2008 (the IAS replacement) keeps giving me the 691 
Error (bad username/password) when I try to VPN.  It appears that NPS on Server 
2008 can't authenticate users against the Active Directory.

I know this isn't really an ISA issue, but if anyone has any help or documents 
they can point me to, that would be excellent.  I've done the MS one on adding 
the domain\ before the username, but that didn't solve the issue.  Anyone have 
NPS configuration issues with VPN and experience with solving them?

Thanks.






***  This message contains confidential information and is

intended only for the individual named. If you are not the

named addressee, you should not disseminate, distribute or

copy this e-mail. Please notify the sender immediately by

e-mail if you have received this e-mail by mistake and delete

this e-mail from your system. E-mail transmission cannot be

guaranteed to be secure or error-free as information could be

intercepted, corrupted, lost, destroyed, arrive late or

incomplete, or contain viruses.  The sender therefore does not

accept liability for any errors or omissions in the contents of

this message, which arise as a result of e-mail transmission.

If verification is required please request a hard-copy version.

Rutgers University - DIA

83 Rockafeller Road

Piscataway, NJ 08854

www.scarletknights.com ***