VPN 3005 and Microsoft AD authentication
I would like to use Microsoft Active Directory (AD) to authenticate remote access users connecting to the VPN 3005 concentrator. Everything is working fine, but I want the VPN 3k to use Microsoft-DS (TCP port 445) instead of NetBIOS (TCP port 139) when it communicates with the AD server.
In the VPN 3005 I specified port 445 as the communication port between the VPN 3k and the AD server, but in my tcpdump I see this:
[Expert@cp]# tcpdump -i eth1 -n host 192.168.1.4
tcpdump: listening on eth1
14:41:54.664335 192.168.1.4.1034 > 10.250.97.29.netbios-ssn: S 1464837366:1464837366(0) win 8192 <mss 1460,nop,wscale 0,nop,nop,timestamp 732419 0>
14:41:54.666758 192.168.1.4.1034 > 10.250.97.29.netbios-ssn: . ack 2621223901 win 8192 <nop,nop,timestamp 732419 0>
14:41:54.669135 192.168.1.4.1034 > 10.250.97.29.netbios-ssn: P 0:72(72) ack 1 win 8192 <nop,nop,timestamp 732419 0>NBT Packet
14:41:54.671835 192.168.1.4.1034 > 10.250.97.29.netbios-ssn: P 72:240(168) ack 5 win 8192 <nop,nop,timestamp 732419 579729>NBT Packet
14:41:54.700474 192.168.1.4.1034 > 10.250.97.29.netbios-ssn: P 240:371(131) ack 110 win 8192 <nop,nop,timestamp 732419 579729>NBT Packet
14:41:54.704467 192.168.1.4.1034 > 10.250.97.29.netbios-ssn: P 371:414(43) ack 223 win 8192 <nop,nop,timestamp 732419 579729>NBT Packet
14:41:54.706526 192.168.1.4.1034 > 10.250.97.29.netbios-ssn: F 414:414(0) ack 262 win 8192 <nop,nop,timestamp 732419 579729>
14:41:54.715653 192.168.1.4.1034 > 10.250.97.29.netbios-ssn: . ack 263 win 8192 <nop,nop,timestamp 732419 579729>
Obviously, it is using port 139 instead of port 445.
How can I fix this on the VPN 3k? Thanks.
Hi Kevin, I've looked at this message for a while to see if there were any replies, and I don't know if you have already resolved this issue. I use a VPN 3005 as well, but with a different method of authentication, which is RADIUS from our Windows AD. I tend to believe this may be more of a PPTP client NetBIOS setup issue and not the VPN; where? I don't know, but clearly in the tcpdump the client is initiating a NetBIOS session, and even though the VPN is set up for port 445 it still forwards the NetBIOS port... well, just a thought.
Rgds
Jorge
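The quickest way to settle which transport the concentrator is really using is to look only at the SYNs: the destination port is chosen at session setup and every later packet just follows it. The Python below is an added example, not code from the thread or from Cisco. It parses tcpdump lines in both the older layout shown above and the current `Flags [S]` layout, tallies SMB session setups by destination port (139, the NetBIOS session service, versus 445, direct-host SMB) and lists the clients still opening TCP 139. The embedded sample is constructed: the first three lines are copied from the post, the last two are made up for a second client, 192.168.1.7, that does go to 445.

```python
import re
from collections import Counter

# Constructed sample input: the first three tcpdump lines from the post above
# (client 192.168.1.4 opening TCP 139) plus two constructed lines in the newer
# tcpdump syntax for a second client, 192.168.1.7, that goes to TCP 445.
SAMPLE_LINES = """\
14:41:54.664335 192.168.1.4.1034 > 10.250.97.29.netbios-ssn: S 1464837366:1464837366(0) win 8192 <mss 1460,nop,wscale 0,nop,nop,timestamp 732419 0>
14:41:54.666758 192.168.1.4.1034 > 10.250.97.29.netbios-ssn: . ack 2621223901 win 8192 <nop,nop,timestamp 732419 0>
14:41:54.669135 192.168.1.4.1034 > 10.250.97.29.netbios-ssn: P 0:72(72) ack 1 win 8192 <nop,nop,timestamp 732419 0>NBT Packet
14:41:55.100001 IP 192.168.1.7.1040 > 10.250.97.29.445: Flags [S], seq 1, win 8192, length 0
14:41:55.100500 IP 192.168.1.7.1040 > 10.250.97.29.microsoft-ds: Flags [P.], seq 1:73, ack 1, win 8192, length 72
"""

# tcpdump prints the service name when it can resolve the port, so accept both forms.
SMB_TRANSPORTS = {
    "139": "netbios-ssn", "netbios-ssn": "netbios-ssn",    # SMB over NetBIOS session service
    "445": "microsoft-ds", "microsoft-ds": "microsoft-ds",  # direct-host SMB
}

# Handles the old "src.port > dst.port: S ..." layout and the newer
# "IP src.port > dst.port: Flags [S], ..." layout.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?:IP6?\s+)?(?P<src>\S+)\.(?P<sport>[\w-]+)\s+>\s+"
    r"(?P<dst>\S+)\.(?P<dport>[\w-]+):\s+(?P<rest>.*)$"
)


def is_syn(rest):
    """True for a client-side SYN (not a SYN-ACK) in either tcpdump flag syntax."""
    return (rest.startswith("S ") and " ack " not in rest) or rest.startswith("Flags [S]")


def classify_smb_transports(text):
    """Tally SMB session setups (SYNs) and data packets by transport port.

    Returns {"sessions": Counter{(client, server, transport): n},
             "data_packets": Counter{transport: n}}.
    Only the SYN tells you which port a client chose; later packets just follow it.
    """
    sessions, data = Counter(), Counter()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue                      # not a TCP line we understand
        transport = SMB_TRANSPORTS.get(m["dport"])
        if transport is None:
            continue                      # not SMB at all
        if is_syn(m["rest"]):
            sessions[(m["src"], m["dst"], transport)] += 1
        else:
            data[transport] += 1
    return {"sessions": sessions, "data_packets": data}


def netbios_clients(text):
    """Clients that opened an SMB session on TCP 139 rather than 445."""
    sessions = classify_smb_transports(text)["sessions"]
    return sorted({client for (client, _server, transport) in sessions if transport == "netbios-ssn"})


if __name__ == "__main__":
    report = classify_smb_transports(SAMPLE_LINES)
    for (client, server, transport), n in sorted(report["sessions"].items()):
        print(f"{client} -> {server}: {n} session(s) over {transport}")
    print("still on TCP 139:", netbios_clients(SAMPLE_LINES))
```

Feed it a capture taken with `tcpdump -n -i eth1 host <ad-server> and tcp and port '(139 or 445)'`; with `-n` tcpdump prints numeric ports, which the table accepts as well. A client that keeps appearing under 139 after the port setting was changed is the signal to confirm the change on the device itself rather than to keep re-reading the wire.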
Similar Messages
-
ACS 5.2 and Microsoft AD authentication to IOS
I am looking for documentation on implementing ACS and MS Active Directory for authentication to IOS devices (switches and routers).
I would like to authenticate with AD, then, if that is not possible, against the local ACS database.
Please check this link. I believe it covers just what you're asking about.
More details for setting up your TACACS server with MS AD are in the ACS User Guide here. -
Hi,
Trying to set up the VPNc 3005 for WebVPN. The VPNc is configured with an NTP server, so the clock is fine. I installed the SSL VPN client and Secure Desktop software onto the VPNc and created a local account and group. When I perform https://vpnc/admin.html, I can manage the VPNc from the external interface, so the certificate is good.
When I do http://vpnc from the same XP Service Pack 2 workstation, it attempted to install both the SSL VPN client and Secure Desktop onto my WinXP (I have admin privilege on the XP machine), then it tells me that the VPN concentrator has a server certificate error. I've attached the screen shot. Anyone know what it is? Thanks.
If you connect to a website that loads content (such as images) from a second, previously unauthenticated server, the content might not be rendered correctly. WebVPN clientless mode does not support websites that require authentication for access to content from secondary servers. When using WebVPN with NAT-T, do not set the NAT-T port to 443. We recommend using port 80 for NAT-T, as firewalls should allow this.
http://www.cisco.com/en/US/docs/security/vpn3000/vpn3000_41/configuration/guide/webvpnap.html
http://www.cisco.com/en/US/docs/security/vpn3000/vpn3000_41/quick/start/gs3mgr.html#wp1302684 -
Are attributes needed for cisco vpn 3005
Hey all,
I am trying to set up RADIUS authentication for my Cisco 3005. I am using BM 3.8sp3 RADIUS. I have it set up (or at least I can use NTRadPing and authenticate to it).
I go to the 3005 and add the RADIUS server as an authentication server. When I try to test it, I get the following message on the concentrator:
Authentication Rejected: Access hours restrictions in effect
Looking at the debug screen of the RADIUS server, all has succeeded. Is there a profile that I need to set up, and any attributes to assign, to get this to work?
Thanks
Matt
I found the answer to my last question: you do need XAuth for RADIUS.
> I think I found it. To test authentication I think it uses the base group.
> I did have a time restriction on there.
>
> Now for another question: I am testing certificate based authentication and it is working (using a Novell CA). To get RADIUS authentication to work in conjunction with that, do I need to use an SA that uses Certificates and XAuth?
>
> Thanks
> Matt
>
> > [email protected] wrote:
> > > I don't have any time restrictions in place. But just in case I set some up and applied those and I still get the same message.
> > >
> > > I applied the access time to both a group and the individual user. My question is where would those be applied, seeing that the user is being authenticated via an external reference.
> > >
> > > Thanks
> > > Matt
> > >
> >
> > Matt,
> >
> > Try to test with a user, not a group; make sure you don't have any time restrictions on the NDS user and also no Policy Management on your concentrator.
> >
> > > I applied the access time to both a group and the individual user.
> > In the VPN concentrator?
> >
> > > My question is where would those be applied, seeing that the user is being authenticated via an external reference.
> >
> > RADIUS authentication uses the NDS (well, you can also configure this otherwise, as a RADIUS proxy..).
> > When you configure the NDS user with logon restrictions, I'm pretty sure that you won't be able to access your network through the concentrator.
> >
> > If you want to restrict the access to your VPN concentrator, then you have to use the policy based management of your VPN concentrator.
> >
> > You can set access hours on the groups created on the VPN concentrator, and through RADIUS you can send attributes that will be used to identify which group the user will be put in when the user is authenticating to the VPN concentrator.
> >
> > Hope this makes sense....
> >
> > gl,
> >
> > Louis Göhl
> -
Strange issue with 3.6.3 VPN Client and IOS firewall
I'm able to establish a VPN connection from the VPN Client to the e0/0 interface of the IOS FW/VPN router and pass encrypted traffic.
Whenever I initiate a connection to something on the "Internet" from the LAN (e0/1) of the router, a temporary ACL entry is added to ACL 103 as it should be and I'm able to get out on the Internet from the internal LAN; however, I immediately lose my VPN connection from my PC Client when IOS FW adds those temporary "return entries".
Router is running 12.2(13)T.
Anyone else having issues like that? I've looked everywhere on cisco.com and elsewhere but I don't see anyone having a similar issue.
You Cisco gurus have any thoughts?
Thanks,
Jamey
Config below:
jamey#wr t
Building configuration...
Current configuration : 3947 bytes
! Last configuration change at 16:27:03 GMT Wed Jan 22 2003 by jdepp
! NVRAM config last updated at 00:14:38 GMT Wed Jan 22 2003 by jdepp
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec localtime show-timezone
service password-encryption
hostname "jamey"
no logging buffered
no logging console
username XXXX password 7 XXXXX
clock timezone GMT 0
aaa new-model
aaa authentication login tac local
aaa session-id common
ip subnet-zero
no ip domain lookup
ip inspect name myfw ftp
ip inspect name myfw realaudio
ip inspect name myfw smtp
ip inspect name myfw streamworks
ip inspect name myfw vdolive
ip inspect name myfw tftp
ip inspect name myfw rcmd
ip inspect name myfw tcp
ip inspect name myfw udp
ip inspect name firewall http java-list 3
ip audit notify log
ip audit po max-events 100
crypto isakmp policy 3
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp nat keepalive 20
crypto isakmp client configuration group XXXX
key XXXXXXX
dns x.x.x.x
domain xxx.com
pool ipsec-pool
acl 191
crypto ipsec security-association lifetime kilobytes 536870911
crypto ipsec security-association lifetime seconds 86400
crypto ipsec transform-set foxset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10
set transform-set foxset
crypto map clientmap client authentication list tac
crypto map clientmap isakmp authorization list XXXXX
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
interface Loopback10
description just for test purposes
ip address 172.16.45.1 255.255.255.0
interface Ethernet0/0
description "Internet"
ip address x.x.x.x 255.255.255.224
ip access-group 103 in
ip inspect myfw out
no ip route-cache
no ip mroute-cache
half-duplex
crypto map clientmap
interface Ethernet0/1
description "LAN"
ip address 192.168.45.89 255.255.255.0
no ip route-cache
no ip mroute-cache
half-duplex
ip local pool ipsec-pool 192.168.100.1 192.168.100.254
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet0/0
no logging trap
access-list 3 permit any
access-list 103 permit ip 192.168.100.0 0.0.0.255 any log
access-list 103 permit icmp any any log
access-list 103 permit udp any eq isakmp any log
access-list 103 permit esp any any log
access-list 103 permit ahp any any log
access-list 103 permit udp any any eq non500-isakmp log
access-list 103 permit tcp any any eq 1723 log
access-list 103 permit udp any any eq 1723 log
access-list 103 deny tcp any any log
access-list 103 deny udp any any log
access-list 191 permit ip 192.168.45.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 191 permit ip 172.16.45.0 0.0.0.255 192.168.100.0 0.0.0.255
radius-server authorization permit missing Service-Type
call rsvp-sync
line con 0
line aux 0
line vty 0 4
exec-timeout 0 0
password XXXXXX
line vty 5 15
end
Some debugging info:
At this point, my VPN PC is successfully connected to the e0/0 VPN router and assigned IP of 192.168.100.2. It is running constant pings to 192.168.45.67 and 172.16.45.1 (172.16.45.1 is a loopback on the router for testing), 192.168.45.67 is a host on the internal network.
.Jan 22 01:27:38.284: ICMP type=8, code=0
.Jan 22 01:27:38.288: IP: s=192.168.45.67 (Ethernet0/1), d=192.168.100.2 (Ethernet0/0), g=192.168.100.2, len 60, forward
.Jan 22 01:27:38.288: ICMP type=0, code=0
.Jan 22 01:27:38.637: IP: s=192.168.45.145 (Ethernet0/0), d=255.255.255.255, len 40, access denied
.Jan 22 01:27:38.637: UDP src=2301, dst=2301
.Jan 22 01:27:38.641: IP: s=192.168.45.145 (Ethernet0/1), d=255.255.255.255, len 40, rcvd 2
.Jan 22 01:27:38.641: UDP src=2301, dst=2301
.Jan 22 01:27:38.761: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethernet0/0), len 112, rcvd 3, proto=50
.Jan 22 01:27:38.765: IP: s=192.168.100.2 (Ethernet0/0), d=172.16.45.1, len 60, rcvd 4
.Jan 22 01:27:38.765: ICMP type=8, code=0
.Jan 22 01:27:38.765: IP: s=172.16.45.1 (local), d=192.168.100.2 (Ethernet0/0), len 60, sending
.Jan 22 01:27:38.765: ICMP type=0, code=0
.Jan 22 01:27:39.282: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethernet0/0), len 112, rcvd 3, proto=50
.Jan 22 01:27:39.286: IP: s=192.168.100.2 (Ethernet0/0), d=192.168.45.67 (Ethernet0/1), g=192.168.45.67, len 60, forward
.Jan 22 01:27:39.286: ICMP type=8, code=0
.Jan 22 01:27:39.286: IP: s=192.168.45.67 (Ethernet0/1), d=192.168.100.2 (Ethernet0/0), g=192.168.100.2, len 60, forward
.Jan 22 01:27:39.290: ICMP type=0, code=0
.Jan 22 01:27:39.763: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethernet0/0), len 112, rcvd 3, proto=50
.Jan 22 01:27:39.767: IP: s=192.168.100.2 (Ethernet0/0), d=172.16.45.1, len 60, rcvd 4
.Jan 22 01:27:39.767: ICMP type=8, code=0
.Jan 22 01:27:39.767: IP: s=172.16.45.1 (local), d=192.168.100.2 (Ethernet0/0), len 60, sending
.Jan 22 01:27:39.767: ICMP type=0, code=0
.Jan 22 01:27:40.283: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethernet0/0), len 112, rcvd 3, proto=50
.Jan 22 01:27:40.287: IP: s=192.168.100.2 (Ethernet0/0), d=192.168.45.67 (Ethernet0/1), g=192.168.45.67, len 60, forward
.Jan 22 01:27:40.287: ICMP type=8, code=0
.Jan 22 01:27:40.287: IP: s=192.168.45.67 (Ethernet0/1), d=192.168.100.2 (Ethernet0/0), g=192.168.100.2, len 60, forward
.Jan 22 01:27:40.291: ICMP type=0, code=0
.Jan 22 01:27:40.596 GMT: %SEC-6-IPACCESSLOGNP: list 103 permitted 50 216.16.193.52 -> <VPN ROUTER E0/0 INTERFACE>, 222 packets
.Jan 22 01:27:40.596 GMT: %SEC-6-IPACCESSLOGP: list 103 permitted udp 216.16.193.52(500) -> <VPN ROUTER E0/0 INTERFACE>(500), 16 packets
here is where I initiate a telnet connection to a host 2.2.2.2 (a dummy host on the "Internet") from a host on the internal side (LAN) (192.168.45.1)
.Jan 22 01:27:40.600: IP: s=192.168.45.1 (Ethernet0/1), d=2.2.2.2 (Ethernet0/0), g=2.2.2.2, len 44, forward
.Jan 22 01:27:40.600: TCP src=38471, dst=23, seq=953962328, ack=0, win=4128 SYN
.Jan 22 01:27:40.764: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethernet0/0), len 112, rcvd 3, proto=50
here is where my VPN connection breaks
.Jan 22 01:27:40.768: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
.Jan 22 01:27:41.285: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethernet0/0), len 112, rcvd 3, proto=50
.Jan 22 01:27:41.285: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
.Jan 22 01:27:45.773: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethernet0/0), len 112, rcvd 3, proto=50
.Jan 22 01:27:45.777: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
.Jan 22 01:27:46.774: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethernet0/0), len 112, rcvd 3, proto=50
.Jan 22 01:27:46.774: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
Ok.. I found the bug ID for this:
CSCdz46552
the workaround says to configure an ACL on the dynamic ACL.
I don't understand what that means.
I found this link:
http://www.cisco.com/en/US/products/sw/secursw/ps2138/products_maintenance_guide_chapter09186a008007da4d.html#96393
and they talk about it, but I'm having a hard time decoding what this means:
"To specify an extended access list for a crypto map entry, enter the match address crypto map configuration command. This access list determines which traffic should be protected by IPSec and which traffic should not be protected by IPSec. If this is configured, the data flow identity proposed by the IPSec peer must fall within a permit statement for this crypto access list. If this is not configured, the router will accept any data flow identity proposed by the IPSec peer. However, if this is configured but the specified access list does not exist or is empty, the router will drop all packets." -
hi,
I'm trying to set up a VPN solution, connecting to an 800 series router and authenticating off a Cisco ACS TACACS server.
I've basically followed the suggested config at http://www.cisco.com/en/US/customer/tech/tk59/technologies_configuration_example09186a00800a393b.shtml and the setup works fine if I use local authentication, but as soon as I switch to using TACACS the client authentication fails.
Debugging TACACS on the router I can see the requests being sent to the server, and the replies coming back. The login details are definitely correct, so I'm guessing that TACACS isn't authorising me to use VPN or IPsec or something. But there is nothing in the ACS logs to suggest why I'm not getting through; no failed attempts are shown.
Any ideas?
Here is some debug from the router:
Feb 24 12:28:58.973 UTC: TPLUS: processing authentication start request id 129
Feb 24 12:28:58.973 UTC: TPLUS: Authentication start packet created for 129(vpngroup)
Feb 24 12:28:58.973 UTC: TPLUS: Using server 10.10.10.10
Feb 24 12:28:58.973 UTC: TPLUS(00000081)/0/NB_WAIT/823A9F04: Started 5 sec timeout
Feb 24 12:28:58.989 UTC: TPLUS(00000081)/0/NB_WAIT: socket event 2
Feb 24 12:28:58.989 UTC: T+: Version 192 (0xC0), type 1, seq 1, encryption 1
Feb 24 12:28:58.989 UTC: T+: session_id 1729330768 (0x67137E50), dlen 16 (0x10)
Feb 24 12:28:58.989 UTC: T+: type:AUTHEN/START, priv_lvl:1 action:LOGIN ascii
Feb 24 12:28:58.989 UTC: T+: svc:LOGIN user_len:8 port_len:0 (0x0) raddr_len:0 (0x0) data_len:0
Feb 24 12:28:58.989 UTC: T+: user: vpntest
Feb 24 12:28:58.989 UTC: T+: port:
Feb 24 12:28:58.989 UTC: T+: rem_addr:
Feb 24 12:28:58.989 UTC: T+: data:
Feb 24 12:28:58.989 UTC: T+: End Packet
Feb 24 12:28:58.989 UTC: TPLUS(00000081)/0/NB_WAIT: wrote entire 28 bytes request
Feb 24 12:28:58.993 UTC: TPLUS(00000081)/0/READ: socket event 1
Feb 24 12:28:58.993 UTC: TPLUS(00000081)/0/READ: Would block while reading
Feb 24 12:28:59.009 UTC: TPLUS(00000081)/0/READ: socket event 1
Feb 24 12:28:59.009 UTC: TPLUS(00000081)/0/READ: read entire 12 header bytes (expect 16 bytes data)
Feb 24 12:28:59.009 UTC: TPLUS(00000081)/0/READ: socket event 1
Feb 24 12:28:59.009 UTC: TPLUS(00000081)/0/READ: read entire 28 bytes response
Feb 24 12:28:59.009 UTC: T+: Version 192 (0xC0), type 1, seq 2, encryption 1
Feb 24 12:28:59.009 UTC: T+: session_id 1729330768 (0x67137E50), dlen 16 (0x10)
Feb 24 12:28:59.009 UTC: T+: AUTHEN/REPLY status:5 flags:0x1 msg_len:10, data_len:0
Feb 24 12:28:59.009 UTC: T+: msg: Password:
Feb 24 12:28:59.009 UTC: T+: data:
Feb 24 12:28:59.009 UTC: T+: End Packet
s9990-cr#
Feb 24 12:28:59.009 UTC: TPLUS(00000081)/0/823A9F04: Processing the reply packet
Feb 24 12:28:59.009 UTC: TPLUS: Received authen response status GET_PASSWORD (8)
"AUTHEN/REPLY status:5" is a permanent fail according to the TACACS RFC
In the VPN Client log it says "User does not provide any authentication data".
So to summarise:
- Same ACS server\router\username combination works fine for telnet access.
- VPN works fine with local authentication.
- No login failures showing in the ACS logs. -
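RFC 8907 defines the TACACS+ authentication REPLY status values as 0x01 PASS, 0x02 FAIL, 0x03 GETDATA, 0x04 GETUSER, 0x05 GETPASS, 0x06 RESTART, 0x07 ERROR and 0x21 FOLLOW, and the debug above is internally consistent with a GETPASS: status 5, a 10-byte server message "Password: " and dlen 16, which is the 6-byte reply header plus the prompt. The Python below is an added example, not code from the thread or from Cisco. It builds a REPLY with exactly those fields (session ID 0x67137E50, seq 2), obfuscates the body with the RFC's chained-MD5 pseudo-pad under a made-up shared key `s3cret`, and decodes it the way the NAS does, so that a captured packet can be decoded against the RFC's table instead of interpreted by eye.

```python
import hashlib
import struct

# Field layouts and constants from RFC 8907 (TACACS+).
HEADER = struct.Struct(">BBBBII")   # version, type, seq_no, flags, session_id, length
REPLY = struct.Struct(">BBHH")      # status, flags, server_msg_len, data_len
TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_AUTHEN = 0x01              # packet type
TAC_PLUS_UNENCRYPTED_FLAG = 0x01    # header flag: body sent in the clear
TAC_PLUS_REPLY_FLAG_NOECHO = 0x01   # reply flag: client must not echo the answer
AUTHEN_STATUS = {
    0x01: "PASS", 0x02: "FAIL", 0x03: "GETDATA", 0x04: "GETUSER",
    0x05: "GETPASS", 0x06: "RESTART", 0x07: "ERROR", 0x21: "FOLLOW",
}


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5 pad: MD5(session_id|key|version|seq_no[|previous digest]), chained."""
    seed = struct.pack(">I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad; applying it twice restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_reply(session_id, seq_no, status, reply_flags, server_msg, data, key):
    """Server -> client AUTHEN REPLY; an empty key sends it in the clear with the flag set."""
    version = (TAC_PLUS_MAJOR_VER << 4) | 0x0         # 0xC0, "Version 192" in the IOS debug
    body = REPLY.pack(status, reply_flags, len(server_msg), len(data)) + server_msg + data
    if key:
        hdr_flags, payload = 0, obfuscate(body, session_id, key, version, seq_no)
    else:
        hdr_flags, payload = TAC_PLUS_UNENCRYPTED_FLAG, body
    return HEADER.pack(version, TAC_PLUS_AUTHEN, seq_no, hdr_flags, session_id, len(body)) + payload


def parse_authen_reply(packet, key):
    """Decode a REPLY the way a NAS would, returning the fields the IOS debug prints."""
    if len(packet) < HEADER.size:
        raise ValueError("short packet")
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    if version >> 4 != TAC_PLUS_MAJOR_VER:
        raise ValueError("not TACACS+")
    if ptype != TAC_PLUS_AUTHEN:
        raise ValueError("not an authentication packet")
    body = packet[HEADER.size:HEADER.size + length]
    if len(body) != length or length < REPLY.size:
        raise ValueError("truncated body")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    status, reply_flags, msg_len, data_len = REPLY.unpack_from(body)
    if REPLY.size + msg_len + data_len != length:
        # A wrong shared secret de-obfuscates to garbage and almost always fails here.
        raise ValueError("body lengths disagree with header (wrong shared key?)")
    msg_end = REPLY.size + msg_len
    return {
        "version": version, "seq_no": seq_no, "session_id": session_id, "dlen": length,
        "status": status, "status_name": AUTHEN_STATUS.get(status, "UNKNOWN"),
        "reply_flags": reply_flags,
        "server_msg": body[REPLY.size:msg_end].decode("ascii", "replace"),
        "data": body[msg_end:msg_end + data_len],
    }


if __name__ == "__main__":
    # Constructed to mirror the debug above: session 0x67137E50, seq 2, dlen 16,
    # status 5, flags 0x1 and the 10-byte "Password: " prompt. The key is made up.
    pkt = build_authen_reply(0x67137E50, 2, 0x05, TAC_PLUS_REPLY_FLAG_NOECHO,
                             b"Password: ", b"", b"s3cret")
    print(parse_authen_reply(pkt, b"s3cret"))
```

With the real shared secret the parser turns a capture of the ACS reply into the same fields `debug tacacs` prints; with the wrong secret the de-obfuscated length fields disagree with the header and the parser raises, which is also how a router/ACS key mismatch shows up. The pseudo-pad is obfuscation keyed by the shared secret, not authenticated encryption, so a capture point between router and ACS sees every prompt and answer once the secret is known.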
VPN between ASA5505 Easy VPN Server and 881G Router as Easy VPN Client
Hello,
I have a problem with a VPN between an ASA5505 Easy VPN Server and an 881G router as Easy VPN Client. The ASA 5505 has 7.2.3 software and the 881G router has 15.1 software.
The 881G is configured as a hardware client in network extension mode, and it is placed behind NAT. The ASA5505 is working as the server. The same VPN group works correctly from VPN software clients.
When I send traffic from the 881G client side, in "show crypto session detail" I see encrypted packets. But with the same command I don't see decrypted packets on the ASA5505 side. On both devices Phase 1 and Phase 2 are UP.
The VPN works correctly when I replace the ASA5505 with an ASA5510 that has 8.4.6 software. But the problem is that I need to do this VPN between the ASA5505 and the 881G.
Can you help me, how can I debug or troubleshoot this problem?
I am unable to update the software on the ASA5505 side.
Hello,
Here is what my config looks like:
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 set pfs
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 100 set pfs
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 120 set pfs
crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 140 set pfs
crypto dynamic-map outside_dyn_map 140 set transform-set ESP-AES-128-SHA
crypto dynamic-map outside_dyn_map 160 set pfs
crypto dynamic-map outside_dyn_map 160 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 180 set pfs
crypto dynamic-map outside_dyn_map 180 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 200 set pfs
crypto dynamic-map outside_dyn_map 200 set transform-set ESP-AES-256-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 2
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
crypto isakmp policy 3
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
tunnel-group HW-CLIENT-GROUPR type ipsec-ra
tunnel-group HW-CLIENT-GROUP general-attributes
address-pool HW-CLIENT-GROUP-POOL
default-group-policy HW-CLIENT-GROUP
tunnel-group HW-CLIENT-GROUP ipsec-attributes
pre-shared-key *******
group-policy HW-CLIENT-GROUP internal
group-policy HW-CLIENT-GROUP attributes
password-storage enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value cisco_splitTunnelAcl
nem enable -
Integration between WLC 5508 and Microsoft NPS 2008
Hi guys,
Any of you, have working guidance for WLC 5508 and Microsoft NPS 2008 integration?
I managed to configure Wireless 802.1x feature (PEAP) but it failed. I'm running software ver. 7.0.116.0.
Is there any bug related 802.1x on this software version?
thanks in advance.
BR
shendy
Hi Shendy,
I am not aware of any bug related to this. I think you had better check all the configuration and make sure it is fine.
Logs from NPS and WLC (and possibly from the supplicant) may guide you to where the problem resides.
What do the NPS logs tell about the reason for the authentication failure?
What do the WLC logs say about the failure (check show msglog and show traplog)?
- Make sure the RADIUS server is added correctly with the correct IP and correct shared secret on the WLC.
- Make sure that the RADIUS server is configured correctly to allow PEAP-MSCHAPv2.
- Make sure the WLC is added successfully to WLC with the correct IP address and correct shared secret.
- Make sure the clients are correctly configured and the server's (NPS) certificate is trusted on the clients.
HTH
Amjad -
IPad 802.1x and Microsoft RADIUS
Is anyone running iPad 2's in the enterprise using Microsoft RADIUS server? Now I understand that you can't use device certs because iPads cannot be joined to the domain, but I can use user certs. Now I read that iOS support PKCS#1 and #12, but I do not have this option on my CA for a cert request? Can someone share some tips on how they deployed these devices on the enterprise network? I could really use some help here. Thanks.
> [email protected] wrote:
>
> > You can do 802.1x authentication in Windows XP and 2000 with service pack 3 or above without the Odyssey client. You can see this when you right click on your network card, choose properties, and you should see an authentication tab if you have XP or 2000 with the right service pack. This is built into Windows and will use the user's login name and password for authentication.
>
> Yes, I'm quite aware of that. I just didn't understand what you meant by "override" in this context. The bottom line is that yes, you can use
OK. As long as I can use the Novell Client and Windows for authentication. The testing that we are doing is using Direct XML on the Novell Server and Remote Loader on an AD server with IAS. The user names and groups are synchronized to AD. The authentication will then happen at the AD server with IAS.
> the Windows client to authenticate against 802.1x compliant RADIUS servers, and NO, Novell's is not 802.1x compliant, and never will be. It's *possible* (but not confirmed) that Novell may be providing detailed and supported steps to get freeRADIUS working for such tasks, though. That's all I can tell you as that's all I know.
>
> --
> Jim
> NSC SYsop -
VPN 3005 with 3002 Hardware Client
I have a VPN 3002 Hardware Client (172.16.1.x) that is accessing a VPN 3005 Concentrator (192.168.x.x) in Network Extension Mode. On the VPN 3005, I have a LAN-to-LAN connection to another VPN device. I can access addresses in all scenarios except from devices behind the Hardware Client through the LAN-to-LAN tunnel. In other words, addresses behind the Hardware Client (172.16.1.x) cannot access addresses through the LAN-to-LAN.
Devices on the network behind the Concentrator (192.168.x.x) CAN access addresses through the LAN-to-LAN, and there is bi-directional communication between the network behind the 3005 and behind the 3002 client.
Can anyone help? Thank you.
The 3000 is only going to send traffic over the L2L tunnel that is sourced from the Local Network and going to the Remote Network. Traffic from behind the 3002 is NOT going to match this, based on the fact you're NATing all the local traffic to some other address.
I presume you have done this NATing on some device before the 3000, in which case there's no way to get the 3002 traffic to also be NATed since it is going to come in and go straight back out the Public interface of the 3000.
You will have to add another line to your Local Network list that defines the traffic behind the 3002. Similarly, the remote end is going to have to add this same network to their Remote network list. Unless you do that, or find some way to NAT the 3002 traffic to the same address, the 3005 is NOT going to send it over the tunnel because you haven't told it to. -
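The quoted crypto map documentation in the IOS firewall thread above (a flow is protected only if the peer's proxy identity falls inside a permit entry of the `match address` ACL; no ACL configured means any identity is accepted, a missing or empty one means everything is dropped) and the LAN-to-LAN answer just above (the 3005 only tunnels what its Local and Remote network lists say) come down to the same decision: does this source/destination pair fall inside a permitted pair? The Python below is an added example, not code from either post or from Cisco. It parses IOS extended ACL lines with wildcard masks into networks and evaluates a flow against them, including the two edge cases from the quoted documentation. The ACL text is ACL 191 from the IOS post; the 172.16.1.0/24 network behind the 3002 from the later post is the flow that matches nothing until a line is added for it. The VPN 3000 expresses the same lists in its own network-list syntax rather than as IOS ACL lines, so the example uses the IOS form for both cases.

```python
import ipaddress
import re

# Constructed from ACL 191 in the IOS firewall post above. Nothing in it covers
# a source behind the VPN 3002 (172.16.1.0/24 in the later post), which is the
# situation the "add another line to your Local Network list" answer describes.
ACL_TEXT = """\
access-list 191 permit ip 192.168.45.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 191 permit ip 172.16.45.0 0.0.0.255 192.168.100.0 0.0.0.255
"""

# "access-list <name> permit|deny ip <src> <dst> [log]" where src/dst is
# "any", "host A.B.C.D" or "A.B.C.D WILDCARD".
ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?P<action>permit|deny)\s+ip\s+"
    r"(?P<src>any|host\s+\S+|\S+\s+\S+)\s+(?P<dst>any|host\s+\S+|\S+\s+\S+)"
    r"(?:\s+log)?\s*$"
)


def _to_network(spec):
    """Turn an IOS address spec into an ip_network."""
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if spec.startswith("host "):
        return ipaddress.ip_network(spec.split()[1] + "/32")
    addr, wildcard = spec.split()
    bits = int(ipaddress.ip_address(wildcard))          # wildcard = inverted netmask
    if bits & (bits + 1):
        raise ValueError(f"non-contiguous wildcard mask not supported: {wildcard}")
    return ipaddress.ip_network(f"{addr}/{32 - bits.bit_length()}", strict=False)


def parse_acl(text, name):
    """Return the (action, src_net, dst_net) entries of the named extended ACL, in order."""
    entries = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m and m["name"] == name:
            entries.append((m["action"], _to_network(m["src"]), _to_network(m["dst"])))
    return entries


def flow_protected(entries, src, dst):
    """Would the device put this flow into the IPsec SA, per the quoted crypto map rules?

    entries is None  -> no 'match address' configured: any peer proxy identity is accepted
    entries == []    -> configured but the ACL is missing/empty: everything is dropped
    otherwise        -> first matching entry decides; no match is the implicit deny
    """
    if entries is None:
        return True
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in entries:
        if s in src_net and d in dst_net:
            return action == "permit"
    return False


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT, "191")
    for flow in [("192.168.45.10", "192.168.100.2"), ("172.16.1.5", "192.168.100.2")]:
        print(flow, "protected" if flow_protected(acl, *flow) else "NOT protected")
```

Appending `access-list 191 permit ip 172.16.1.0 0.0.0.255 192.168.100.0 0.0.0.255` and re-running the second flow shows the fix the LAN-to-LAN answer describes; the remote peer needs the mirror-image entry or its own identity check fails in the same way. On IOS the command the quoted documentation refers to is `match address <acl>` under the crypto map (or dynamic crypto map) entry.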
Errors while applying Thawte SSL cert to VPN 3005?
I have recently requested a 128-bit SSL cert from Thawte for my VPN 3005, yet I continue to get "Parse Error" notifications when I try to install the cert. Has anyone been able to successfully apply a Thawte SSL cert to their VPN 3005? The unit is running the very latest version of the Cisco 3000 VPN software.
Hi,
If the patch was applied successfully and listed in ad_bugs then you can ignore these warnings and proceed to apply the patch you listed above.
Getting warning messages when starting adadmin - generate JAR Files [ID 312594.1]
Regards -
Group matching from Ace SecureID-server to VPN 3005?
Hi
Is it possible to do group matching between an ACE Server SecurID and a VPN 3005 concentrator?
That is, I want different users to match different group settings in the VPN 3005, based on which group they are in on the ACE Server.
If yes: how? :-)
Regards
Jimmy
Hello!
Well, yes, it would work. BUT... you have to change your config a bit. First you need to apply your access list to both interfaces, or the ACE will reject it, because it is acting as a firewall by default. And second, you have to apply the policy map to both interfaces as well, or you put the policy map globally on the ACE. -
Allow join domain and user AD authentication through WatchGuard UTM
The question you have suggests to me that you are not using WSM to manage your firewall?
You should use the traffic monitor in the Firebox System Manager, which is part of the WSM install, and watch the traffic between your DC and a test computer. For that you can set a filter in the traffic monitor, so you will be shown only the traffic of your test computer. If some kind of traffic is blocked from or to your test computer, it will be shown as a red line. If you analyze this line, you will see exactly which port it was that was denied.
In general though, I think that all you need is to assign your clients a DNS server that is 'AD aware' (has the needed A records you need for AD) and an SMB rule that will allow SMB traffic to your MS subnet.
hi all,
I am configuring a new WatchGuard UTM to have 3 different VLANs, for server, staff and students. My target is to allow computers from staff and students to connect to DCs on the server VLAN and join the domain, and staff/students to log on successfully.
I found the link below and successfully configured it to allow DC replication.
https://support.microsoft.com/en-us/kb/832017
However, for computers to join the domain and for user AD authentication, I could not come up with a list of ports to open on the WatchGuard.
Any suggestions on this would be much appreciated.
Peter
This topic first appeared in the Spiceworks Community -
Mail and Microsoft exchange server problems
My company is moving to Microsoft exchange servers now, and for some reason, Mail cannot work.
There are several settings that are possible to set in Thunderbird, but that are not even options in Mail. These are settings such as "TLS".
Is there any way to make the same settings in Mail that are possible in Thunderbird?
Hi Budgie
I can confirm that, provided your administrator configures the Exchange server for IMAP (Mail uses IMAP to connect), yes, Mail can be used effectively with Exchange and messages will remain on the server, though the set up can be misleading.
For me at least, when you get to Outgoing Server Settings, the set-up panel does not allow you to enter an authentication type, and entering my user name and password will get the following response:
The SMTP server “xxxxx.xxxxxxxxxxxxxxxxxxx.com:username” is not responding. Check your network connection and that you entered the correct information in the “Outgoing Mail Server” field. If it still doesn’t respond, the server might be temporarily unavailable.
If you continue, you may not be able to send any mail.
When I click continue, the authentication panel comes up, and by changing authentication to NTLM and entering the Domain name - everything works perfectly!
The only other nuisance is that Mail looks at the Exchange Calendar and Personal Folders/Contacts folders as mail folders, but cannot display the contents in the way Outlook or Entourage does, and I have not found a way of eliminating them from the folder list.
I hope this helps. -
Issue with Verizon Aircards passing traffic past VPN 3005
We have a Cisco VPN 3005 as our endpoint. Clients connect using the Cisco 4.7 client. Currently here is the basic config on the device:
Pub Interface 65.xxx.xxx.xxx
Private Interface 172.22.0.3/16
VPN Addy Pool 172.31.1.0/28
Static routing is used to route traffic as necessary.
Clients can connect via wireless broadband or broadband and ping past the VPN Private interface and open up Outlook using an online Exchange profile. But clients connecting over an EVDO or 3G cellular modem cannot open Outlook. They can ping by IP but not DNS.
I have tried using different transports, i.e. IPsec/UDP, IPsec/TCP, and straight IPsec. No joy. All the clients have allow local LAN access checked and the VPN group is set to tunnel traffic in that network only. Any clues??
Issue has been resolved. Clearing DNS with an ipconfig /flushdns, ipconfig /registerdns while on aircards on VPN resolved it.