[isalist] Re: VPN Authentication w/Radius to Server 2008

  • From: Steven Comeau <scomeau@xxxxxxxxxxxxxxxxxx>
  • To: "isalist@xxxxxxxxxxxxx" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 11 Sep 2009 12:43:37 -0400

I would guess policy, but I've tried to mimic the 2003 server settings to a "T" 
- must be some enhanced Policy setting.  Because it works with our 2003 server, 
I'm less inclined to think NTLM/LM.

Steve Comeau
Associate Director of IT  Rutgers Athletics
83 Rockafeller Road
Piscataway, NJ  08854
732-445-7802
732-445-4623 (fax)
www.scarletknights.com<http://www.scarletknights.com>


[cid:image004.png@01CA32DD.7B9E8CF0]
  [cid:image005.jpg@01CA32DD.7B9E8CF0]




From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Thor (Hammer of God)
Sent: Friday, September 11, 2009 12:37 PM
To: ISA Mailing List
Subject: [isalist] Re: VPN Authentication w/Radius to Server 2008

Sounds like a policy setting or logon requirement is getting in the way.  Maybe 
NTLM/LM settings...

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Steven Comeau
Sent: Friday, September 11, 2009 9:16 AM
To: ISA Mailing List
Subject: [isalist] Re: VPN Authentication w/Radius to Server 2008

I see the connection request in the logs on the DC, even when I try "username" 
vs "domain\username", but no reason as to why the credentials are rejected.  
This is why I think it's not RADIUS but something easy but with the user 
authentication to the domain of the NPS.

Steve Comeau
Associate Director of IT  Rutgers Athletics
83 Rockafeller Road
Piscataway, NJ  08854
732-445-7802
732-445-4623 (fax)
www.scarletknights.com<http://www.scarletknights.com>


[cid:image006.png@01CA32DD.7B9E8CF0]
  [cid:image007.jpg@01CA32DD.7B9E8CF0]




From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Thomas W Shinder
Sent: Friday, September 11, 2009 11:14 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: VPN Authentication w/Radius to Server 2008

Would be interesting to get a quick NetMon trace to see if the connection 
requests are even making it to the RADIUS server.

____________________________________________
TOM SHINDER   |   Sr. Consultant/Technical Writer
206.443.1117   |   SHINDER@xxxxxxxxxxxxxxx<mailto:shinder@xxxxxxxxxxxxxxx>

5701 Sixth Avenue South   |   Seattle, WA 98108
PROWESS   |   WWW.PROWESSCORP.COM<http://www.prowesscorp.com/>
____________________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Steven Comeau
Sent: Friday, September 11, 2009 9:33 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: VPN Authentication w/Radius to Server 2008

No, which is rather odd, unless I'm looking in the wrong place.  I've checked 
the System, Application, and even the NP&AS logs....  I have 4 errors in the 
NP&AS Server Role Event log, but that was what I expected from fiddling with 
the RADIUS Server setup (Invalid RADIUS client).

Steve Comeau
Associate Director of IT  Rutgers Athletics
83 Rockafeller Road
Piscataway, NJ  08854
732-445-7802
732-445-4623 (fax)
www.scarletknights.com<http://www.scarletknights.com>


[cid:image006.png@01CA32DD.7B9E8CF0]
  [cid:image007.jpg@01CA32DD.7B9E8CF0]




From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Thomas W Shinder
Sent: Friday, September 11, 2009 10:06 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: VPN Authentication w/Radius to Server 2008

Do you see anything in the Event Viewer related to these authentication 
attempts on the NPS machine?

Thanks!
Tom

____________________________________________
TOM SHINDER   |   Sr. Consultant/Technical Writer
206.443.1117   |   SHINDER@xxxxxxxxxxxxxxx<mailto:shinder@xxxxxxxxxxxxxxx>

5701 Sixth Avenue South   |   Seattle, WA 98108
PROWESS   |   WWW.PROWESSCORP.COM<http://www.prowesscorp.com/>
____________________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Steven Comeau
Sent: Friday, September 11, 2009 8:55 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: VPN Authentication w/Radius to Server 2008

Thanks Tom and Jim,

Yes, Jim, it looks like that.  Odd thing is, that I can tell the RADIUS works 
fine (the client/server piece).  However, the 691 error, I think, is the actual 
authentication against AD because I keep getting the error that the credentials 
are invalid on the domain.  When I disable pieces on the NPS, like the actual 
RADIUS server, there is no communication between ISA and W2k8 - I get errors I 
expect.  I've done a lot of Googling last night, and many others have the 
RADIUS working, but in my scenario, the credentials just don't seem to be 
authenticating against the AD.

I've checked the logs, even the event viewer, and when I disable the RADIUS 
Server, again, I see errors I expect, but when all is configured, I don't see 
anything in the logs about the rejection of the credentials.  I'm sure it's 
something very simple that is done differently in NPS, probably additional 
checking, but I've tried to mimic the 2003 policies to a T and can't get in.

Steve Comeau
Associate Director of IT  Rutgers Athletics
83 Rockafeller Road
Piscataway, NJ  08854
732-445-7802
732-445-4623 (fax)
www.scarletknights.com<http://www.scarletknights.com>


[cid:image006.png@01CA32DD.7B9E8CF0]
  [cid:image007.jpg@01CA32DD.7B9E8CF0]




From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: Friday, September 11, 2009 12:24 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: VPN Authentication w/Radius to Server 2008

Gecher RADIUS logs.
They're in the same place they were on WS03.
Does your RADIUS configuration look like this?
[cid:image008.png@01CA32DD.7B9E8CF0]


From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Steven Comeau
Sent: Thursday, September 10, 2009 6:55 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] VPN Authentication w/Radius to Server 2008

Our ISA 2006 box is not on the domain, so we use RADIUS to authenticate VPN 
users against the Domain.  We've been successfully using RADIUS on a Win2003 
Server without issue for quite some time now, but I'm now transitioning to 
Server 2008 and am having a bear of a time with Authenticating users via VPN.  
All seems to be fine on the actual RADIUS server/client communication, but it 
appears that NPS on Server 2008 (the IAS replacement) keeps giving me the 691 
Error (bad username/password) when I try to VPN.  It appears that NPS on Server 
2008 can't authenticate users against the Active Directory.

I know this isn't really an ISA issue, but if anyone has any help or documents 
they can point me to, that would be excellent.  I've done the MS one on adding 
the domain\ before the username, but that didn't solve the issue.  Anyone have 
NPS configuration issues with VPN and experience with solving them?

Thanks.

Steve Comeau
Associate Director of IT  Rutgers Athletics
83 Rockafeller Road
Piscataway, NJ  08854
732-445-7802
732-445-4623 (fax)
www.scarletknights.com<http://www.scarletknights.com>


[cid:image006.png@01CA32DD.7B9E8CF0]
  [cid:image007.jpg@01CA32DD.7B9E8CF0]





***  This message contains confidential information and is

intended only for the individual named. If you are not the

named addressee, you should not disseminate, distribute or

copy this e-mail. Please notify the sender immediately by

e-mail if you have received this e-mail by mistake and delete

this e-mail from your system. E-mail transmission cannot be

guaranteed to be secure or error-free as information could be

intercepted, corrupted, lost, destroyed, arrive late or

incomplete, or contain viruses.  The sender therefore does not

accept liability for any errors or omissions in the contents of

this message, which arise as a result of e-mail transmission.

If verification is required please request a hard-copy version.

Rutgers University - DIA

83 Rockafeller Road

Piscataway, NJ 08854

www.scarletknights.com ***



***  This message contains confidential information and is

intended only for the individual named. If you are not the

named addressee, you should not disseminate, distribute or

copy this e-mail. Please notify the sender immediately by

e-mail if you have received this e-mail by mistake and delete

this e-mail from your system. E-mail transmission cannot be

guaranteed to be secure or error-free as information could be

intercepted, corrupted, lost, destroyed, arrive late or

incomplete, or contain viruses.  The sender therefore does not

accept liability for any errors or omissions in the contents of

this message, which arise as a result of e-mail transmission.

If verification is required please request a hard-copy version.

Rutgers University - DIA

83 Rockafeller Road

Piscataway, NJ 08854

www.scarletknights.com ***



***  This message contains confidential information and is

intended only for the individual named. If you are not the

named addressee, you should not disseminate, distribute or

copy this e-mail. Please notify the sender immediately by

e-mail if you have received this e-mail by mistake and delete

this e-mail from your system. E-mail transmission cannot be

guaranteed to be secure or error-free as information could be

intercepted, corrupted, lost, destroyed, arrive late or

incomplete, or contain viruses.  The sender therefore does not

accept liability for any errors or omissions in the contents of

this message, which arise as a result of e-mail transmission.

If verification is required please request a hard-copy version.

Rutgers University - DIA

83 Rockafeller Road

Piscataway, NJ 08854

www.scarletknights.com ***



***  This message contains confidential information and is

intended only for the individual named. If you are not the

named addressee, you should not disseminate, distribute or

copy this e-mail. Please notify the sender immediately by

e-mail if you have received this e-mail by mistake and delete

this e-mail from your system. E-mail transmission cannot be

guaranteed to be secure or error-free as information could be

intercepted, corrupted, lost, destroyed, arrive late or

incomplete, or contain viruses.  The sender therefore does not

accept liability for any errors or omissions in the contents of

this message, which arise as a result of e-mail transmission.

If verification is required please request a hard-copy version.

Rutgers University - DIA

83 Rockafeller Road

Piscataway, NJ 08854

www.scarletknights.com ***



***  This message contains confidential information and is
intended only for the individual named. If you are not the
named addressee, you should not disseminate, distribute or
copy this e-mail. Please notify the sender immediately by
e-mail if you have received this e-mail by mistake and delete
this e-mail from your system. E-mail transmission cannot be
guaranteed to be secure or error-free as information could be 
intercepted, corrupted, lost, destroyed, arrive late or
incomplete, or contain viruses.  The sender therefore does not
accept liability for any errors or omissions in the contents of
this message, which arise as a result of e-mail transmission.
If verification is required please request a hard-copy version.
Rutgers University - DIA
83 Rockafeller Road
Piscataway, NJ 08854
www.scarletknights.com *** 

PNG image

JPEG image

PNG image

JPEG image

PNG image

Other related posts: