This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

RADIUS authentication problem

I have some problem with IAS RADIUS server authenticating VPN L2TP connections.
I have configured everything (IAS) according to ASL manual. IAS returns such a event:

User DOMAIN\testuser was denied access.
Fully-Qualified-User-Name = DOMAIN\testuser
NAS-IP-Address = 192.168.100.100
NAS-Identifier =
Called-Station-Identifier =
Calling-Station-Identifier = xxxxxxxxx
Client-Friendly-Name = Astaro
Client-IP-Address = 192.168.10.1
NAS-Port-Type = Async
NAS-Port = 11
Policy-Name =
Authentication-Type = MD5-CHAP
EAP-Type =
Reason-Code = 16
Reason = There was an authentication failure because of an unknown user name
or a bad password.

IAS is on the same server as AD, I tried with all auth protocols (on IAS) and it seems password is wrong handled. If I put some non existing user I got "No user" error, not the one above, so I suppose there is some problem with passing password to IAS by Astaro.

Any clues?

This thread was automatically locked due to age.

Parents

0 Sikarius over 21 years ago

I have the same problem !!!!!!!!

But my user isnt in DOMAIN\user is in DOMAIN\Management\User...... but the advise is DOMAIN\User

Anyone has the same problem?
Cancel
Vote Up 0 Vote Down

Cancel
0 Jykke over 21 years ago in reply to Sikarius

This could be misconfigured radius user authentication or user rights. Location of the userobject in AD is not relevant. you just need to "enable" VPN at users you want to use it. Ill include all nessesary screenshots what i have in my radius/ ad in included word document. ( much faster and more errorfree than my typing =)).

- Jykke

45726-radius.zip
Cancel
Vote Up 0 Vote Down

Cancel
0 cin over 21 years ago in reply to Jykke

The most important question is if you have Windows 2000 and what mode is AD running...
I have checked my ASL with some test Windows 2003 Server and it works (both PPTP and L2TP). But with the SAME configuration of IAS/AD in 2000 I cannot get L2TP with MD5-CHAP aith working...PPTP with MS-CHAP V2 works fine.
Cancel
Vote Up 0 Vote Down

Cancel
0 Jykke over 21 years ago in reply to cin

Checked the case. Got same result in windows 2000 IAS. in windows 2003 enviroment it works flavlesly.

Gotta do some research on this.

-Jykke
Cancel
Vote Up 0 Vote Down

Cancel
0 cin over 21 years ago in reply to Jykke

I have tested this case with Windows 2003 and it works.
With 2000 - password is always wrong for IAS.
I found something about this:

http://groups.google.pl/groups?q=re+IAS+MD5+CHAP+16+bytes&hl=pl&lr=&ie=UTF-8&selm=3e442b24%241%40news.microsoft.com&rnum=1

Maybe this is the issue?
Cancel
Vote Up 0 Vote Down

Cancel
0 Sikarius over 21 years ago in reply to cin

Someone has try the 2003 version on windows 2000 machine?. Can i upgrade my IAS 2000 to IAS 2003 in a DC with windows 2000 without upgrade the DC?

or exist any patch to permit IAS works with variable lenght in MD5-CHAP challenge?

Thanks a lot
Cancel
Vote Up 0 Vote Down

Cancel
0 cin over 21 years ago in reply to Sikarius

I tried changing IAS 2000 files to IAS 2003 (system32/ias*) but as I supposed it didn't work. Nor there are any updates for IAS 2000 to support ASL MD5-CHAP passwords, as I know. The only way is to make some workaround in ASL.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 cin over 21 years ago in reply to Sikarius

I tried changing IAS 2000 files to IAS 2003 (system32/ias*) but as I supposed it didn't work. Nor there are any updates for IAS 2000 to support ASL MD5-CHAP passwords, as I know. The only way is to make some workaround in ASL.
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Sikarius over 21 years ago in reply to cin

Hi!

Someone has tried to install the IAS 2003?. Not just copy the files..........
Cancel
Vote Up 0 Vote Down

Cancel
0 cin over 21 years ago in reply to Sikarius

How can you install IAS 2003 on WIndows 2000?
Both in Windows 2000/2003 when you choose add IAS in Windows Add/Remove Windows component you DON'T need to put Windows CD. IAS files are installed always during system installation. Adding/Removing IAS just turn on/off this service, I suppose. If someone know the way to install IAS 2003 on Windows 2000 it would be great.

Or Astaro should support IAS 2000. We need some workaround - now we use PPTP VPN but we prefer to use L2TP VPN as more secure. And it SHOULD authenticate in our domain, so local login is not a solution for us.
Cancel
Vote Up 0 Vote Down

Cancel
0 Stephan_Scholz over 21 years ago in reply to cin

Hi cin,

ASL is going to support other L2TP authentication types, including MSCHAPv2, in an upcoming Up2Date. This should solve the issues with IAS 2000. I can't tell you an exact date for the Up2Date, but it's high on our priority list. Keep an eye on announcements :-)

Regards,
Stephan
Cancel
Vote Up 0 Vote Down

Cancel
0 cin over 21 years ago in reply to Stephan_Scholz

Thanks for this good information.
Cancel
Vote Up 0 Vote Down

Cancel
0 Stephan_Scholz over 21 years ago in reply to cin

As announced, Up2Date 5.017 is out. 5.017 adds support for other L2TP authentication algorithms, namely MSCHAPv2, MSCHAP, PAP and CHAP. I recommend using MSCHAPv2 for Microsoft IAS. This is also the default algorithm negotiated by the native Windows IPSec client.
Note that when using Sentinel, you are still restricted to CHAP, because Sentinel does not support any other authentication algorithm.

Regards,
Stephan
Cancel
Vote Up 0 Vote Down

Cancel