Steve; You could setup a new account through AD or blow her existing account away and see if that doesn't clear the stick from the mud. Just attacking this as logically as I can, here. Since I do not know of a utility to check for problems with Kerberos/AD... Though it seems like there should be something out there to do just that.
Bueller? Brent Eads Employee Technology Solutions, Inc. Office: (312) 762-9224 Fax: (312) 762-9275 The contents contain privileged and/or confidential information intended for the named recipient of this email. ETSI (Employee Technology Solutions, Inc.) does not warrant that the contents of any electronically transmitted information will remain confidential. If the reader of this email is not the intended recipient you are hereby notified that any use, reproduction, disclosure or distribution of the information contained in the email in error, please reply to us immediately and delete the document. Viruses, Malware, Phishing and other known and unknown electronic threats: It is the recipient/client's duties to perform virus scans and otherwise test the information provided before loading onto any computer system. No warranty is made that this material is free from computer virus or any other defect. Any loss/damage incurred by using this material is not the sender's responsibility. Liability will be limited to resupplying the material. "Steve Egan \(Temp\)" <[EMAIL PROTECTED]> Sent by: [EMAIL PROTECTED] 01/19/2007 05:06 PM Please respond to ActiveDir@mail.activedir.org To <ActiveDir@mail.activedir.org> cc Subject RE: [ActiveDir] Cisco VPN user authentication problem Did that. It was the first thing I looked at, having had experience with RADIUS before. I created a user on the 3000, and it worked fine. BTW, we use the Kerberos/Active Directory authentication. But you knew that… Steve Egan (temp) Systems/Network Engineer From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Friday, January 19, 2007 3:00 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Cisco VPN user authentication problem Steve; Just for kicks. Could you create a local account for testing? This would bypass any RADIUS/TAC+ problems and confirm the VPN client isn't at fault. Also, Cisco released a new client about a week ago. Don't ask, my laptop is stored for the weekend. Something like 4.88888888881720344-1 or some such. Anyhow, it sounds like a RADIUS problem within the server but check with a local account on the 3000 just to eliminate what should be obvious. Brent Eads Employee Technology Solutions, Inc. Office: (312) 762-9224 Fax: (312) 762-9275 The contents contain privileged and/or confidential information intended for the named recipient of this email. ETSI (Employee Technology Solutions, Inc.) does not warrant that the contents of any electronically transmitted information will remain confidential. If the reader of this email is not the intended recipient you are hereby notified that any use, reproduction, disclosure or distribution of the information contained in the email in error, please reply to us immediately and delete the document. Viruses, Malware, Phishing and other known and unknown electronic threats: It is the recipient/client's duties to perform virus scans and otherwise test the information provided before loading onto any computer system. No warranty is made that this material is free from computer virus or any other defect. Any loss/damage incurred by using this material is not the sender's responsibility. Liability will be limited to resupplying the material. "Steve Egan \(Temp\)" <[EMAIL PROTECTED]> Sent by: [EMAIL PROTECTED] 01/19/2007 04:39 PM Please respond to ActiveDir@mail.activedir.org To <ActiveDir@mail.activedir.org> cc Subject [ActiveDir] Cisco VPN user authentication problem Greetings, Brain Trust: I’ve been troubleshooting a VPN access problem for about two days now and have almost scratched a groove in my head – this one’s a puzzler. My boss has an IBM Lenovo T60 laptop that has the Cisco VPN client software loaded into it. It was working just fine up until the third week of December, allowing her to use Dialup to get into our HQ domain from her house. When the logins failed, I thought it was due to crappy dialup connection, since noise in the link will cause the VPN tunnel to go down. However, I just got her link at her house to go on wireless, and it works just spiffy (11M up/down), and she still can’t log on to the domain with the VPN software. The connection works just fine, she can browse with no problem. OWA works just fine. Here’s some of the troubleshooting I’ve done: 1) reloaded the VPN software. 2) Tried to have her log on from another machine. 3) Changed the Group authentication (made a new one) just for her. Nothing seems to work. She logs in to the domain normally from her desk at work using either the wireless in the laptop, or via the Ethernet connection. Anybody else can use her laptop to get in via the VPN, so it’s not the drivers or hardware. Her problem is replicated from ANYBODY’s laptop utilizing the VPN software. It’s got to be her account, which is why I think it’s something screwed up in AD. When I monitor her attempts to log into the VPN concentrator (a Cisco 3000), sometimes it says the IKE isn’t working, sometimes it says there’s no domain (“domain = {not specified}”), sometimes it never talks to the 3000 at all (according to the log and the way it comes right back with the username/password request). Want to get even more confused? This problem started when she attempted to change her password back to what it was – she went through the AD administration on the primary AD box and got some kind of error. Ever since then, things just ain’t the same. I think something got scrambled in her account. We tried disabling her account for 5 minutes and then re-enabling, but nothing’s worked. Where should I look to see if something’s amiss? I’m kinda stumped. Steve Egan Systems/Network Engineer Message scanned by TrendMicro Message scanned by TrendMicro Message scanned by TrendMicro Message scanned by TrendMicro
