VPN 3005 and Microsoft AD authentication

I would like to use Microsoft Active Directory (AD) to authenticate remote access users connecting to the VPN 3005 concentrator. Everything is working fine, but I want the VPN3k to use Microsoft-DS (TCP port 445) instead of NetBIOS (TCP port 139) when it communicates with the AD server.
In the VPN 3005 I specified port 445 as the communication port between the VPN3k and the AD server, but in my tcpdump I see this:
[Expert@cp]# tcpdump -i eth1 -n host 192.168.1.4
tcpdump: listening on eth1
14:41:54.664335 192.168.1.4.1034 > 10.250.97.29.netbios-ssn: S 1464837366:1464837366(0) win 8192 <mss 1460,nop,wscale 0,nop,nop,timestamp 732419 0>
14:41:54.666758 192.168.1.4.1034 > 10.250.97.29.netbios-ssn: . ack 2621223901 win 8192 <nop,nop,timestamp 732419 0>
14:41:54.669135 192.168.1.4.1034 > 10.250.97.29.netbios-ssn: P 0:72(72) ack 1 win 8192 <nop,nop,timestamp 732419 0>NBT Packet
14:41:54.671835 192.168.1.4.1034 > 10.250.97.29.netbios-ssn: P 72:240(168) ack 5 win 8192 <nop,nop,timestamp 732419 579729>NBT Packet
14:41:54.700474 192.168.1.4.1034 > 10.250.97.29.netbios-ssn: P 240:371(131) ack 110 win 8192 <nop,nop,timestamp 732419 579729>NBT Packet
14:41:54.704467 192.168.1.4.1034 > 10.250.97.29.netbios-ssn: P 371:414(43) ack 223 win 8192 <nop,nop,timestamp 732419 579729>NBT Packet
14:41:54.706526 192.168.1.4.1034 > 10.250.97.29.netbios-ssn: F 414:414(0) ack 262 win 8192 <nop,nop,timestamp 732419 579729>
14:41:54.715653 192.168.1.4.1034 > 10.250.97.29.netbios-ssn: . ack 263 win 8192 <nop,nop,timestamp 732419 579729>
Obviously, it is using port 139 instead of port 445.
How can I fix this on the VPN3k? Thanks.

Hi Kevin, I've looked at this message to see any replies for a while and I don't know if you have already resolved this issue. I use a vpn3005 as well but use a different method of authentication, which is RADIUS from our Windows AD. I tend to believe this may be more of a PPTP client NetBIOS setup and not the VPN; where? I don't know, but clearly in the tcpdump the client is initiating a NetBIOS session, and even though the VPN is set up for port 445 it still forwards to the NetBIOS port... well, just a thought.
Rgds
Jorge
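To verify from a capture which SMB transport a client actually used, the following added example (not from the original post) parses tcpdump lines in the legacy `src.port > dst.service:` format shown in the question and reports every new connection (SYN) that went to netbios-ssn (139) rather than the expected microsoft-ds (445). The client address 192.168.1.4 and the sample lines are taken from the capture above; handling of numeric port tokens is an assumption about other tcpdump output.

```python
"""Check which SMB transport a captured authentication exchange really used.

Added example, not from the original post. It parses legacy tcpdump (3.x)
TCP lines, counts new connections (SYN) per destination port and tells
whether the expected port (445, microsoft-ds) was used or whether the
client fell back to the NetBIOS session service (139).
"""
import re
from collections import Counter

# Service names tcpdump prints for the two SMB transports discussed above.
SERVICE_PORTS = {"netbios-ssn": 139, "microsoft-ds": 445}

# Legacy tcpdump TCP line: "<time> <src>.<port> > <dst>.<port|service>: <flags> ..."
LINE_RE = re.compile(
    r"^(?P<time>\S+)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\S+)\s+>\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>[^:\s]+):\s+"
    r"(?P<flags>\S)"
)


def port_number(token):
    """Map a tcpdump port token (numeric or service name) to an int, or None."""
    if token.isdigit():
        return int(token)  # assumption: numeric ports appear when -n is used
    return SERVICE_PORTS.get(token)


def parse_line(line):
    """Return src/dst/ports/syn for one capture line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "src": m["src"], "sport": port_number(m["sport"]),
        "dst": m["dst"], "dport": port_number(m["dport"]),
        "syn": m["flags"] == "S",  # 'S' marks the first packet of a new session
    }


def destination_ports(lines, client_ip):
    """Count SYNs sent by client_ip per destination port (one per new connection)."""
    counts = Counter()
    for line in lines:
        pkt = parse_line(line)
        if pkt and pkt["src"] == client_ip and pkt["syn"] and pkt["dport"] is not None:
            counts[pkt["dport"]] += 1
    return counts


def check_transport(lines, client_ip, expected_port=445):
    """Return (ok, message); ok is True only if every new connection hit expected_port."""
    counts = destination_ports(lines, client_ip)
    if not counts:
        return False, f"no TCP connections from {client_ip} found in capture"
    unexpected = {p: n for p, n in counts.items() if p != expected_port}
    if unexpected:
        detail = ", ".join(f"{n} to port {p}" for p, n in sorted(unexpected.items()))
        return False, f"{client_ip} opened connections on unexpected ports: {detail}"
    return True, f"{client_ip} used only port {expected_port} ({counts[expected_port]} connections)"


# Capture lines reproduced from the question above; the SYN opens the session.
CAPTURE = """\
14:41:54.664335 192.168.1.4.1034 > 10.250.97.29.netbios-ssn: S 1464837366:1464837366(0) win 8192 <mss 1460,nop,wscale 0,nop,nop,timestamp 732419 0>
14:41:54.666758 192.168.1.4.1034 > 10.250.97.29.netbios-ssn: . ack 2621223901 win 8192 <nop,nop,timestamp 732419 0>
14:41:54.669135 192.168.1.4.1034 > 10.250.97.29.netbios-ssn: P 0:72(72) ack 1 win 8192 <nop,nop,timestamp 732419 0>NBT Packet
14:41:54.706526 192.168.1.4.1034 > 10.250.97.29.netbios-ssn: F 414:414(0) ack 262 win 8192 <nop,nop,timestamp 732419 579729>
""".splitlines()

if __name__ == "__main__":
    ok, msg = check_transport(CAPTURE, "192.168.1.4")
    print(("OK: " if ok else "MISMATCH: ") + msg)
```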

Similar Messages

  • ACS 5.2 and Microsoft AD authentication to IOS

    I am looking for documentation on implementing ACS and MS Active Directory for authentication to IOS devices (switches and routers).
    I would like to authenticate with AD, then, if that is not possible, against the local ACS database.

    Please check this link. I believe it covers just what you're asking about.
    More details for setting up your TACACS server with MS AD are in the ACS User Guide here.

  • VPN concentrator and webVPN

    Hi,
    Trying to set up a VPNc 3005 for WebVPN. The VPNc is configured with an NTP server so the clock is fine. I installed the SSL VPN client and Secure Desktop software onto the VPNc, and created a local account and group. When I perform https://vpnc/admin.html, I can manage the VPNc from the external interface, so the certificate is good.
    When I do http://vpnc from the same XP Service Pack 2 workstation, it attempted to install both the SSL VPN client and Secure Desktop onto my WinXP (I have admin privilege on the XP machine), then it tells me that the VPN concentrator has a server certificate error. I've attached the screen shot. Anyone know what it is? Thanks.

    If you connect to a website that loads content (such as images) from a second, previously unauthenticated server, the content might not be rendered correctly. WebVPN clientless mode does not support websites that require authentication for access to content from secondary servers. When using WebVPN with NAT-T, do not set the NAT-T port to 443. We recommend using port 80 for NAT-T, as firewalls should allow this.
    http://www.cisco.com/en/US/docs/security/vpn3000/vpn3000_41/configuration/guide/webvpnap.html
    http://www.cisco.com/en/US/docs/security/vpn3000/vpn3000_41/quick/start/gs3mgr.html#wp1302684

  • Are attributes needed for cisco vpn 3005

    Hey all,
    I am trying to set up RADIUS authentication for my Cisco 3005. I am using BM 3.8sp3 RADIUS. I have it set up (or at least I can use NTRadPing and authenticate to it).
    I go to the 3005 and add the RADIUS server as an authentication server. When I try to test it, I get the following message on the concentrator:
    Authentication Rejected: Access hours restrictions in effect
    Looking at the debug screen of the RADIUS server, all has succeeded. Is there a profile that I need to set up and any attributes to assign to get this to work?
    Thanks
    Matt

    I found the answer to my last question: you do need XAuth for RADIUS.
    > I think I found it. To test authentication I think it uses the base
    > group. I did have a time restriction on there.
    >
    > Now for another question: I am testing certificate based authentication
    > and it is working (using a Novell CA). To get RADIUS authentication to
    > work in conjunction with that, do I need to use an SA that uses
    > Certificates and XAuth?
    >
    > Thanks
    > Matt
    >
    > > [email protected] wrote:
    > > > I don't have any time restrictions in place. But just in case I set
    > > > some up and applied those and I still get the same message.
    > > >
    > > > I applied the access time to both a group and the individual user.
    > > > The question I have is where would those be applied, seeing that the
    > > > user is being authenticated via an external reference.
    > > >
    > > > Thanks
    > > > Matt
    > >
    > > Matt,
    > >
    > > Try to test with a user, not a group; make sure you don't have any
    > > time restrictions on the NDS user and also no Policy Management on your
    > > concentrator.
    > >
    > > > I applied the access time to both a group and the individual user.
    > > In the VPN concentrator?
    > >
    > > > The question I have is where would those be applied, seeing that the
    > > > user is being authenticated via an external reference.
    > >
    > > RADIUS authentication uses the NDS (well, you can also configure this
    > > otherwise, as a RADIUS proxy..).
    > > When you configure the NDS user with logon restrictions, I'm pretty
    > > sure that you won't be able to access your network through the concentrator.
    > >
    > > If you want to restrict the access to your VPN concentrator then you
    > > have to use the policy based management of your VPN concentrator.
    > >
    > > You can set access hours on the groups created on the VPN concentrator,
    > > and through RADIUS you can send attributes that will be used to
    > > identify which group the user will be put in when the user authenticates to
    > > the VPN concentrator.
    > >
    > > Hope this makes sense....
    > >
    > > gl,
    > >
    > > Louis Göhl
    >

  • Strange issue with 3.6.3 VPN Client and IOS firewall

    I'm able to establish a VPN connection from the VPN Client to the e0/0 interface of the IOS FW/VPN router and pass encrypted traffic.
    Whenever I initiate a connection to something on the "Internet" from the LAN (e0/1) of the router, a temporary ACL entry is added to ACL 103 as it should be and I'm able to get out on the Internet from the internal LAN; however, I immediately lose my VPN connection from my PC Client when IOS FW adds those temporary "return entries".
    Router is running 12.2(13)T.
    Anyone else having issues like that? I've looked everywhere on cisco.com and elsewhere but I don't see anyone having a similar issue.
    You Cisco gurus have any thoughts?
    Thanks,
    Jamey
    Config below:
    jamey#wr t
    Building configuration...
    Current configuration : 3947 bytes
    ! Last configuration change at 16:27:03 GMT Wed Jan 22 2003 by jdepp
    ! NVRAM config last updated at 00:14:38 GMT Wed Jan 22 2003 by jdepp
    version 12.2
    service timestamps debug datetime msec
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    hostname "jamey"
    no logging buffered
    no logging console
    username XXXX password 7 XXXXX
    clock timezone GMT 0
    aaa new-model
    aaa authentication login tac local
    aaa session-id common
    ip subnet-zero
    no ip domain lookup
    ip inspect name myfw ftp
    ip inspect name myfw realaudio
    ip inspect name myfw smtp
    ip inspect name myfw streamworks
    ip inspect name myfw vdolive
    ip inspect name myfw tftp
    ip inspect name myfw rcmd
    ip inspect name myfw tcp
    ip inspect name myfw udp
    ip inspect name firewall http java-list 3
    ip audit notify log
    ip audit po max-events 100
    crypto isakmp policy 3
    encr 3des
    hash md5
    authentication pre-share
    group 2
    crypto isakmp nat keepalive 20
    crypto isakmp client configuration group XXXX
    key XXXXXXX
    dns x.x.x.x
    domain xxx.com
    pool ipsec-pool
    acl 191
    crypto ipsec security-association lifetime kilobytes 536870911
    crypto ipsec security-association lifetime seconds 86400
    crypto ipsec transform-set foxset esp-3des esp-md5-hmac
    crypto dynamic-map dynmap 10
    set transform-set foxset
    crypto map clientmap client authentication list tac
    crypto map clientmap isakmp authorization list XXXXX
    crypto map clientmap client configuration address respond
    crypto map clientmap 10 ipsec-isakmp dynamic dynmap
    interface Loopback10
    description just for test purposes
    ip address 172.16.45.1 255.255.255.0
    interface Ethernet0/0
    description "Internet"
    ip address x.x.x.x 255.255.255.224
    ip access-group 103 in
    ip inspect myfw out
    no ip route-cache
    no ip mroute-cache
    half-duplex
    crypto map clientmap
    interface Ethernet0/1
    description "LAN"
    ip address 192.168.45.89 255.255.255.0
    no ip route-cache
    no ip mroute-cache
    half-duplex
    ip local pool ipsec-pool 192.168.100.1 192.168.100.254
    ip classless
    ip route 0.0.0.0 0.0.0.0 Ethernet0/0
    no logging trap
    access-list 3 permit any
    access-list 103 permit ip 192.168.100.0 0.0.0.255 any log
    access-list 103 permit icmp any any log
    access-list 103 permit udp any eq isakmp any log
    access-list 103 permit esp any any log
    access-list 103 permit ahp any any log
    access-list 103 permit udp any any eq non500-isakmp log
    access-list 103 permit tcp any any eq 1723 log
    access-list 103 permit udp any any eq 1723 log
    access-list 103 deny tcp any any log
    access-list 103 deny udp any any log
    access-list 191 permit ip 192.168.45.0 0.0.0.255 192.168.100.0 0.0.0.255
    access-list 191 permit ip 172.16.45.0 0.0.0.255 192.168.100.0 0.0.0.255
    radius-server authorization permit missing Service-Type
    call rsvp-sync
    line con 0
    line aux 0
    line vty 0 4
    exec-timeout 0 0
    password XXXXXX
    line vty 5 15
    end
    Some debugging info:
    At this point, my VPN PC is successfully connected to the e0/0 VPN router and assigned IP of 192.168.100.2. It is running constant pings to 192.168.45.67 and 172.16.45.1 (172.16.45.1 is a loopback on the router for testing), 192.168.45.67 is a host on the internal network.
    .Jan 22 01:27:38.284: ICMP type=8, code=0
    .Jan 22 01:27:38.288: IP: s=192.168.45.67 (Ethernet0/1), d=192.168.100.2 (Ethern
    et0/0), g=192.168.100.2, len 60, forward
    .Jan 22 01:27:38.288: ICMP type=0, code=0
    .Jan 22 01:27:38.637: IP: s=192.168.45.145 (Ethernet0/0), d=255.255.255.255, len
    40, access denied
    .Jan 22 01:27:38.637: UDP src=2301, dst=2301
    .Jan 22 01:27:38.641: IP: s=192.168.45.145 (Ethernet0/1), d=255.255.255.255, len
    40, rcvd 2
    .Jan 22 01:27:38.641: UDP src=2301, dst=2301
    .Jan 22 01:27:38.761: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethern
    et0/0), len 112, rcvd 3, proto=50
    .Jan 22 01:27:38.765: IP: s=192.168.100.2 (Ethernet0/0), d=172.16.45.1, len 60,
    rcvd 4
    .Jan 22 01:27:38.765: ICMP type=8, code=0
    .Jan 22 01:27:38.765: IP: s=172.16.45.1 (local), d=192.168.100.2 (Ethernet0/0),
    len 60, sending
    .Jan 22 01:27:38.765: ICMP type=0, code=0
    .Jan 22 01:27:39.282: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethern
    et0/0), len 112, rcvd 3, proto=50
    .Jan 22 01:27:39.286: IP: s=192.168.100.2 (Ethernet0/0), d=192.168.45.67 (Ethern
    et0/1), g=192.168.45.67, len 60, forward
    .Jan 22 01:27:39.286: ICMP type=8, code=0
    .Jan 22 01:27:39.286: IP: s=192.168.45.67 (Ethernet0/1), d=192.168.100.2 (Ethern
    et0/0), g=192.168.100.2, len 60, forward
    .Jan 22 01:27:39.290: ICMP type=0, code=0
    .Jan 22 01:27:39.763: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethern
    et0/0), len 112, rcvd 3, proto=50
    .Jan 22 01:27:39.767: IP: s=192.168.100.2 (Ethernet0/0), d=172.16.45.1, len 60,
    rcvd 4
    .Jan 22 01:27:39.767: ICMP type=8, code=0
    .Jan 22 01:27:39.767: IP: s=172.16.45.1 (local), d=192.168.100.2 (Ethernet0/0),
    len 60, sending
    .Jan 22 01:27:39.767: ICMP type=0, code=0
    .Jan 22 01:27:40.283: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethern
    et0/0), len 112, rcvd 3, proto=50
    .Jan 22 01:27:40.287: IP: s=192.168.100.2 (Ethernet0/0), d=192.168.45.67 (Ethern
    et0/1), g=192.168.45.67, len 60, forward
    .Jan 22 01:27:40.287: ICMP type=8, code=0
    .Jan 22 01:27:40.287: IP: s=192.168.45.67 (Ethernet0/1), d=192.168.100.2 (Ethern
    et0/0), g=192.168.100.2, len 60, forward
    .Jan 22 01:27:40.291: ICMP type=0, code=0
    .Jan 22 01:27:40.596 GMT: %SEC-6-IPACCESSLOGNP: list 103 permitted 50 216.16.193
    .52 -> <VPN ROUTER E0/0 INTERFACE>, 222 packets
    .Jan 22 01:27:40.596 GMT: %SEC-6-IPACCESSLOGP: list 103 permitted udp 216.16.193
    .52(500) -> <VPN ROUTER E0/0 INTERFACE>(500), 16 packets
    here is where I initiate a telnet connection to a host 2.2.2.2 (a dummy host on the "Internet")
    from a host on the internal side (LAN) (192.168.45.1)
    .Jan 22 01:27:40.600: IP: s=192.168.45.1 (Ethernet0/1), d=2.2.2.2 (Ethernet0/0),
    g=2.2.2.2, len 44, forward
    .Jan 22 01:27:40.600: TCP src=38471, dst=23, seq=953962328, ack=0, win=4128
    SYN
    .Jan 22 01:27:40.764: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethern
    et0/0), len 112, rcvd 3, proto=50
    here is where my VPN connection breaks
    .Jan 22 01:27:40.768: IPSEC(epa_des_crypt): decrypted packet failed SA identity
    check
    .Jan 22 01:27:41.285: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethern
    et0/0), len 112, rcvd 3, proto=50
    .Jan 22 01:27:41.285: IPSEC(epa_des_crypt): decrypted packet failed SA identity
    check
    .Jan 22 01:27:45.773: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethern
    et0/0), len 112, rcvd 3, proto=50
    .Jan 22 01:27:45.777: IPSEC(epa_des_crypt): decrypted packet failed SA identity
    check
    .Jan 22 01:27:46.774: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethern
    et0/0), len 112, rcvd 3, proto=50
    .Jan 22 01:27:46.774: IPSEC(epa_des_crypt): decrypted packet failed SA identity
    check

    Ok..I found the bug ID for this:
    CSCdz46552
    the workaround says to configure an ACL on the dynamic ACL.
    I don't understand what that means.
    I found this link:
    http://www.cisco.com/en/US/products/sw/secursw/ps2138/products_maintenance_guide_chapter09186a008007da4d.html#96393
    and they talk about it, but I'm having a hard time decoding what this means:
    "To specify an extended access list for a crypto map entry, enter the match address crypto map configuration command. This access list determines which traffic should be protected by IPSec and which traffic should not be protected by IPSec. If this is configured, the data flow identity proposed by the IPSec peer must fall within a permit statement for this crypto access list. If this is not configured, the router will accept any data flow identity proposed by the IPSec peer. However, if this is configured but the specified access list does not exist or is empty, the router will drop all packets."

  • VPN client and Cisco ACS

    hi,
    I'm trying to set up a VPN solution, connecting to an 800 series router and authenticating off a Cisco ACS TACACS+ server.
    I've basically followed the suggested config at http://www.cisco.com/en/US/customer/tech/tk59/technologies_configuration_example09186a00800a393b.shtml and the setup works fine if I use local authentication, but as soon as I switch to using TACACS+ the client authentication fails.
    Debugging TACACS+ on the router I can see the requests being sent to the server, and the replies coming back. The login details are definitely correct, so I'm guessing that TACACS+ isn't authorising me to use VPN or IPsec or something. But there is nothing in the ACS logs to suggest why I'm not getting through: no failed attempts are shown.
    Any ideas?

    here is some debug from the router:
    Feb 24 12:28:58.973 UTC: TPLUS: processing authentication start request id 129
    Feb 24 12:28:58.973 UTC: TPLUS: Authentication start packet created for 129(vpngroup)
    Feb 24 12:28:58.973 UTC: TPLUS: Using server 10.10.10.10
    Feb 24 12:28:58.973 UTC: TPLUS(00000081)/0/NB_WAIT/823A9F04: Started 5 sec timeout
    Feb 24 12:28:58.989 UTC: TPLUS(00000081)/0/NB_WAIT: socket event 2
    Feb 24 12:28:58.989 UTC: T+: Version 192 (0xC0), type 1, seq 1, encryption 1
    Feb 24 12:28:58.989 UTC: T+: session_id 1729330768 (0x67137E50), dlen 16 (0x10)
    Feb 24 12:28:58.989 UTC: T+: type:AUTHEN/START, priv_lvl:1 action:LOGIN ascii
    Feb 24 12:28:58.989 UTC: T+: svc:LOGIN user_len:8 port_len:0 (0x0) raddr_len:0 (0x0) data_len:0
    Feb 24 12:28:58.989 UTC: T+: user: vpntest
    Feb 24 12:28:58.989 UTC: T+: port:
    Feb 24 12:28:58.989 UTC: T+: rem_addr:
    Feb 24 12:28:58.989 UTC: T+: data:
    Feb 24 12:28:58.989 UTC: T+: End Packet
    Feb 24 12:28:58.989 UTC: TPLUS(00000081)/0/NB_WAIT: wrote entire 28 bytes request
    Feb 24 12:28:58.993 UTC: TPLUS(00000081)/0/READ: socket event 1
    Feb 24 12:28:58.993 UTC: TPLUS(00000081)/0/READ: Would block while reading
    Feb 24 12:28:59.009 UTC: TPLUS(00000081)/0/READ: socket event 1
    Feb 24 12:28:59.009 UTC: TPLUS(00000081)/0/READ: read entire 12 header bytes (expect 16 bytes data)
    Feb 24 12:28:59.009 UTC: TPLUS(00000081)/0/READ: socket event 1
    Feb 24 12:28:59.009 UTC: TPLUS(00000081)/0/READ: read entire 28 bytes response
    Feb 24 12:28:59.009 UTC: T+: Version 192 (0xC0), type 1, seq 2, encryption 1
    Feb 24 12:28:59.009 UTC: T+: session_id 1729330768 (0x67137E50), dlen 16 (0x10)
    Feb 24 12:28:59.009 UTC: T+: AUTHEN/REPLY status:5 flags:0x1 msg_len:10, data_len:0
    Feb 24 12:28:59.009 UTC: T+: msg: Password:
    Feb 24 12:28:59.009 UTC: T+: data:
    Feb 24 12:28:59.009 UTC: T+: End Packet
    s9990-cr#
    Feb 24 12:28:59.009 UTC: TPLUS(00000081)/0/823A9F04: Processing the reply packet
    Feb 24 12:28:59.009 UTC: TPLUS: Received authen response status GET_PASSWORD (8)
    "AUTHEN/REPLY status:5" is a permanent fail according to the TACACS RFC
    In the VPN Client log it says "User does not provide any authentication data"
    So to summarise:
    -Same ACS server\router\username combination works fine for telnet access.
    -VPN works fine with local authentication.
    -No login failures showing in the ACS logs.

  • VPN between ASA5505 Easy VPN Server and 881G Router as Easy VPN Client

    Hello,
    I have a problem with a VPN between an ASA5505 Easy VPN Server and an 881G Router as Easy VPN Client. The ASA 5505 has 7.2.3 software and the 881G router has 15.1 software.
    The 881G is configured as a hardware client in network extension mode, and it is placed behind NAT. The ASA5505 is working as the server. The same VPN group works correctly from VPN software clients.
    When I send traffic from the 881G client side, in show crypto session detail I see encrypted packets. But with the same command I don't see decrypted packets on the ASA5505 side. On both devices Phase 1 and Phase 2 are UP.
    The VPN works correctly when I replace the ASA5505 with an ASA5510 which has 8.4.6 software. But the problem is that I need to do this VPN between the ASA5505 and the 881G.
    Can you help me: how can I debug or troubleshoot this problem?
    I am unable to update the software on the ASA5505 side.

    Hello,
    Here is what my config looks like:
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto dynamic-map outside_dyn_map 20 set pfs
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto dynamic-map outside_dyn_map 40 set pfs
    crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
    crypto dynamic-map outside_dyn_map 60 set pfs
    crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
    crypto dynamic-map outside_dyn_map 80 set pfs
    crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
    crypto dynamic-map outside_dyn_map 100 set pfs
    crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
    crypto dynamic-map outside_dyn_map 120 set pfs
    crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-SHA
    crypto dynamic-map outside_dyn_map 140 set pfs
    crypto dynamic-map outside_dyn_map 140 set transform-set ESP-AES-128-SHA
    crypto dynamic-map outside_dyn_map 160 set pfs
    crypto dynamic-map outside_dyn_map 160 set transform-set ESP-3DES-SHA
    crypto dynamic-map outside_dyn_map 180 set pfs
    crypto dynamic-map outside_dyn_map 180 set transform-set ESP-3DES-SHA
    crypto dynamic-map outside_dyn_map 200 set pfs
    crypto dynamic-map outside_dyn_map 200 set transform-set ESP-AES-256-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 1
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 2
     authentication pre-share
     encryption 3des
     hash sha
     group 1
     lifetime 86400
    crypto isakmp policy 3
     authentication pre-share
     encryption des
     hash sha
     group 2
     lifetime 86400
    tunnel-group HW-CLIENT-GROUPR type ipsec-ra
    tunnel-group HW-CLIENT-GROUP general-attributes
     address-pool HW-CLIENT-GROUP-POOL
     default-group-policy HW-CLIENT-GROUP
    tunnel-group HW-CLIENT-GROUP ipsec-attributes
     pre-shared-key *******
    group-policy HW-CLIENT-GROUP internal
    group-policy HW-CLIENT-GROUP attributes
     password-storage enable
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value cisco_splitTunnelAcl
     nem enable

  • Integration between WLC 5508 and Microsoft NPS 2008

    Hi guys,
    Do any of you have working guidance for WLC 5508 and Microsoft NPS 2008 integration?
    I managed to configure the wireless 802.1x feature (PEAP) but it failed. I'm running software ver. 7.0.116.0.
    Is there any bug related to 802.1x on this software version?
    thanks in advance.
    BR
    shendy

    Hi Shendy,
    I am not aware of any bug related to this. I think you had better check all the configuration and make sure it is fine.
    Logs from NPS and WLC (and possibly from the supplicant) may guide you to where the problem resides.
    What do the NPS logs tell about the reason for the authentication failure?
    What do the WLC logs say about the failure (check show msglog and show traplog)?
    - Make sure the RADIUS server is added correctly with the correct IP and correct shared secret on the WLC.
    - Make sure that the RADIUS is configured correctly to allow PEAP-MSCHAPv2.
    - Make sure the WLC is added successfully to the WLC with the correct IP address and correct shared secret.
    - Make sure the clients are correctly configured and the server's (NPS) certificate is trusted on the clients.
    HTH
    Amjad

  • IPad 802.1x and Microsoft RADIUS

    Is anyone running iPad 2s in the enterprise using a Microsoft RADIUS server? Now I understand that you can't use device certs because iPads cannot be joined to the domain, but I can use user certs. Now I read that iOS supports PKCS#1 and #12, but I do not have this option on my CA for a cert request? Can someone share some tips on how they deployed these devices on the enterprise network? I could really use some help here. Thanks.

    > [email protected] wrote:
    >
    > > You can do 802.1x authentication in Windows XP and 2000 with service
    > > pack 3 or above without the Odyssey client. You can see this when you right
    > > click on your network card, choose Properties and you should see an
    > > Authentication tab if you have XP or 2000 with the right service pack.
    > > This is built into Windows and will use the user's login name and
    > > password for authentication.
    >
    > Yes, I'm quite aware of that. I just didn't understand what you meant
    > by "override" in this context. The bottom line is that yes, you can use
    OK. As long as I can use the Novell Client and Windows for
    authentication. The testing that we are doing is using Direct XML on the
    Novell Server and Remote Loader on an AD server with IAS. The user names
    and groups are synchronized to AD. The authentication will then happen
    at the AD server with IAS.
    > the Windows client to authenticate against 802.1x compliant RADIUS
    > servers, and NO, Novell's is not 802.1x compliant, and never will be.
    > It's *possible* (but not confirmed) that Novell may be providing
    > detailed and supported steps to get freeRADIUS working for such tasks,
    > though. That's all I can tell you as that's all I know.
    >
    > --
    > Jim
    > NSC Sysop

  • VPN 3005 with 3002 Hardware Client

    I have a VPN3002 Hardware Client (172.16.1.x) that is accessing a VPN3005 Concentrator (192.168.x.x) in Network Extension Mode. On the VPN3005, I have a LAN-to-LAN connection to another VPN device. I can access addresses in all scenarios except for from devices behind the Hardware Client through the LAN-to-LAN tunnel. In other words, addresses behind the Hardware Client (172.16.1.x) cannot access addresses through the LAN-to-LAN.
    Devices on the network behind the Concentrator (192.168.x.x) CAN access addresses through the LAN-to-LAN and there is bi-directional communication between the network behind the 3005 and behind the 3002 client.
    Can anyone help? Thank you.

    The 3000 is only going to send traffic over the L2L tunnel that is sourced from the Local Network and going to the Remote Network. Traffic from behind the 3002 is NOT going to match this, based on the fact that you're NATing all the local traffic to some other address.
    I presume you have done this NATing on some device before the 3000, in which case there's no way to get the 3002 traffic to also be NATed, since it is going to come in and go straight back out the Public interface of the 3000.
    You will have to add another line to your Local Network list that defines the traffic behind the 3002. Similarly, the remote end is going to have to add this same network to their Remote Network list. Unless you do that, or find some way to NAT the 3002 traffic to the same address, the 3005 is NOT going to send it over the tunnel, because you haven't told it to.

  • Errors while applying Thawte SSL cert to VPN 3005?

    I have recently requested a 128-bit SSL cert from Thawte for my VPN 3005, yet I continue to get "Parse Error" notifications when I try to install the cert. Has anyone been able to successfully apply a Thawte SSL cert to their VPN 3005? The unit is running the very latest version of the Cisco 3000 VPN software.

    Hi,
    If the patch was applied successfully and is listed in ad_bugs, then you can ignore these warnings and proceed to apply the patch you listed above.
    Getting warning messages when starting adadmin - generate JAR Files [ID 312594.1]
    Regards

  • Group matching from Ace SecurID server to VPN 3005?

    Hi
    Is it possible to do group matching between an Ace Server SecurID and a VPN 3005 concentrator?
    That is, I want different users to match different group settings in the VPN 3005, based on which group they are in on the Ace Server.
    If yes: how? :-)
    Regards
    Jimmy

    Hello!
    Well yes, it would work. BUT... you have to change your config a bit. First you need to apply your access list to both interfaces, or the ACE will reject it, because it is acting as a firewall by default. And second, you have to apply the policy map to both interfaces as well, or you put the policy map globally on the ACE.

  • Allow join domain and user AD authentication through WatchGuard UTM

    The question you have suggests to me that you are not using WSM to manage your firewall?
    You should use the traffic monitor in the Firebox System Manager, which is part of the WSM install, and watch the traffic between your DC and a test computer. For this you can set a filter in the traffic monitor so you will be shown only the traffic of your test computer. If some kind of traffic is blocked from or to your test computer, it will be shown as a red line. If you analyze this line, you will see exactly which port it was that was denied.
    In general though, I think that all you need is to point your clients at a DNS server that is 'AD aware' (has the A records you need for AD) and an SMB rule that will allow SMB traffic to your MS subnet.

    hi all,
    I am configuring a new WatchGuard UTM to have 3 different VLANs, for servers, staff and students. My target is to allow computers from staff and students to connect to the DCs on the server VLAN and join the domain, and for staff/students to log on successfully.
    I found the link below and successfully configured it to allow DC replication.
    https://support.microsoft.com/en-us/kb/832017
    However, for computers to join the domain and for user AD authentication, I could not come up with a list of ports to open on the WatchGuard.
    Any suggestions on this would be much appreciated.
    Peter
    This topic first appeared in the Spiceworks Community

  • Mail and Microsoft exchange server problems

    My company is moving to Microsoft exchange servers now, and for some reason, Mail cannot work.
    There are several settings that are possible to set in Thunderbird, but that are not even options in Mail. These are settings such as "TLS".
    Is there any way to make the same settings in mail that are possible in Thunderbird?

    Hi Budgie
    I can confirm that provided your administrator configures the Exchange server for IMAP (Mail uses IMAP to connect) that yes, Mail can be used effectively with Exchange and messages will remain on the server; though the set up can be misleading.
    For me at least, when you get to Outgoing Server Settings, the set-up panel does not allow you to enter an authentication type, and entering my user name and password will get the following response:
    The SMTP server “xxxxx.xxxxxxxxxxxxxxxxxxx.com:username” is not responding. Check your network connection and that you entered the correct information in the “Outgoing Mail Server” field. If it still doesn’t respond, the server might be temporarily unavailable.
    If you continue, you may not be able to send any mail.
    When I click continue, the authentication panel comes up, and by changing authentication to NTLM and entering the Domain name - everything works perfectly!
    The only other nuisance is that Mail looks at the Exchange Calendar and Personal Folders/Contacts folders as mail folders, but cannot display the contents in the way Outlook or Entourage does, and I have not found a way of eliminating them from the folder list.
    I hope this helps.

  • Issue with Verizon Aircards passing traffic past VPN 3005

    We have a Cisco VPN 3005 as our endpoint. Clients connect using the Cisco 4.7 client. Currently here is the basic config on the device:
    Pub Interface 65.xxx.xxx.xxx
    Private Interface 172.22.0.3/16
    VPN Addy Pool 172.31.1.0/28
    Static routing is used to route traffic as necessary.
    Clients can connect via wireless broadband or broadband and ping past the VPN private interface and open up Outlook using an online Exchange profile. But clients connecting over an EVDO or 3G cellular modem cannot open Outlook. They can ping by IP but not by DNS name.
    I have tried using different transports, i.e. IPSec/UDP, IPSec/TCP, and straight IPSec. No joy. All the clients have "allow local LAN access" checked and the VPN group is set to tunnel traffic in that network only. Any clues??

    Issue has been resolved. Clearing DNS with an ipconfig /flushdns , ipconfig /registerdns while on aircards on VPN resolved it.
