Steve-

 

I don't understand your problem.

 

Is this an IAS issue with AD authentication? Is this a PIX config issue?
Is this just a screwed up laptop issue? I'm lost.

 

I wrote a couple articles on my blog (click the cisco category in the
tag cloud) specifically about integrating IOS and PIX with IAS/AD. Have
set it up for several people and it works fine.

 

IAS logs an event with a reason for failed auth every time it fails an
auth in the system log. You can enable aaa debugging on the PIX for info
there. Now I just read you have a VPN 3000 - never touched one - maybe
it has AAA debugging type stuff? 

 

Thanks,

Brian Desmond

[EMAIL PROTECTED]

 

c - 312.731.3132

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Steve Egan (Temp)
Sent: Friday, January 19, 2007 5:39 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Cisco VPN user authentication problem

 

Greetings, Brain Trust:

 

I've been troubleshooting a VPN access problem for about two days now
and have almost scratched a groove in my head - this one's a puzzler.

 

My boss has an IBM Lenovo T60 laptop that has the Cisco VPN client
software loaded into it.  It was working just fine up until the third
week of December, allowing her to use Dialup to get into our HQ domain
from her house.  When the logins failed, I thought it was due to crappy
dialup connection, since noise in the link will cause the VPN tunnel to
go down.

 

However, I just got her link at her house to go on wireless, and it
works just spiffy (11M up/down), and she still can't log on to the
domain with the VPN software.  The connection works just fine, she can
browse with no problem.  OWA works just fine.

 

Here's some of the troubleshooting I've done:

 

1)  Reloaded the VPN software.

2)  Tried to have her log on from another machine.

3)  Changed the Group authentication (made a new one) just for her.

 

Nothing seems to work.  She logs in to the domain normally from her desk
at work using either the wireless in the laptop, or via the Ethernet
connection.  Anybody else can use her laptop to get in via the VPN, so
it's not the drivers or hardware.  Her problem is replicated from
ANYBODY's laptop utilizing the VPN software.  It's got to be her
account, which is why I think it's something screwed up in AD.

 

When I monitor her attempts to log into the VPN concentrator (a Cisco
3000), sometimes it says the IKE isn't working, sometimes it says
there's no domain ("domain = {not specified}"), sometimes it never talks
to the 3000 at all (according to the log and the way it comes right back
with the username/password request).

 

Want to get even more confused?  This problem started when she attempted
to change her password back to what it was - she went through the AD
administration on the primary AD box and got some kind of error.  Ever
since then, things just ain't the same.  I think something got scrambled
in her account.  We tried disabling her account for 5 minutes and then
re-enabling, but nothing's worked.

 

Where should I look to see if something's amiss?  I'm kinda stumped.

 

Steve Egan 

Systems/Network Engineer

 
