Tim,

A few questions …

How are VPN users being authenticated? Local user database on the VPN Conc. (ughhh!) or remote database? Likely AD users through Cisco's AAA product "Cisco Secure ACS."

If they're all going through ACS to AD, did you set up ACS to use the "Check User Dialin Permissions" option? If yes, how do you grant dialin permissions? GPO, or explicit Allow or Deny in a user's account?

Have you observed the failed attempts in ACS? Does the reason given make any sense or help? i.e. bad NAS or bad password.

On the VPN concentrator, in Configuration | User Management | Base Group or Groups options, have you checked "Allow Alphabetic-Only Passwords"? I can envision strange problems if the "password options" on the VPN concentrator don't agree with AD's complexity requirements.

Also, the statement that "Pre-authentication failed" makes me think that maybe you aren't even passing Phase 1 authentication. And in that case you won't even see a record in ACS, just in the event logs on the VPN Conc.

I hope something here helps …

Dave

From: Wright, T. MR [mailto:[EMAIL PROTECTED]]

We have an issue with our VPN concentrator. It seems that it allows some AD users to authenticate, while others cannot. We can find no pattern to explain why the users that are able to authenticate are allowed to do so and why the users that can't authenticate cannot. An example is that I have two domain admin accounts, one that is a service account and one that belongs to me. I am able to authenticate using the service account but not my own account. They are in the same OU, they have permissions to the same groups, etc. The only thing I see in the event logs upon an authentication failure is a generic EventID 675 with Pre-authentication failed, with Failure Code 0x18, which translates to a bad password, but I know this is not the case since I use my admin account to log on to other resources, etc.

Our network guys have been in contact with TAC and they don't seem to have a clear answer either. They feel it is something in our GPO. The thing is, our GPO settings are not rocket science. Right now we are basically just enforcing complex passwords, etc., and we're not doing much outside of that. I was hoping that someone might have had these issues before and could provide some insight.

Thanks,
-Tim