RE: [ActiveDir] Cisco VPN user authentication problem
Steve- I don't understand your problem. Is this an IAS issue with AD authentication? Is this a PIX config issue? Is this just a screwed up laptop issue? I'm lost.

I wrote a couple articles on my blog (click the cisco category in the tag cloud) specifically about integrating IOS and PIX with IAS/AD. Have set it up for several people and it works fine. IAS logs an event with a reason for failed auth every time it fails an auth in the system log. You can enable aaa debugging on the PIX for info there. Now I just read you have a VPN 3000 - never touched one - maybe it has AAA debugging type stuff?

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Egan (Temp)
Sent: Friday, January 19, 2007 5:39 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Cisco VPN user authentication problem

Greetings, Brain Trust:

I've been troubleshooting a VPN access problem for about two days now and have almost scratched a groove in my head - this one's a puzzler.

My boss has an IBM Lenovo T60 laptop that has the Cisco VPN client software loaded into it. It was working just fine up until the third week of December, allowing her to use Dialup to get into our HQ domain from her house. When the logins failed, I thought it was due to crappy dialup connection, since noise in the link will cause the VPN tunnel to go down. However, I just got her link at her house to go on wireless, and it works just spiffy (11M up/down), and she still can't log on to the domain with the VPN software. The connection works just fine, she can browse with no problem. OWA works just fine.

Here's some of the troubleshooting I've done:

1) reloaded the VPN software.
2) Tried to have her log on from another machine.
3) Changed the Group authentication (made a new one) just for her.

Nothing seems to work. She logs in to the domain normally from her desk at work using either the wireless in the laptop, or via the Ethernet connection. Anybody else can use her laptop to get in via the VPN, so it's not the drivers or hardware. Her problem is replicated from ANYBODY's laptop utilizing the VPN software. It's got to be her account, which is why I think it's something screwed up in AD.

When I monitor her attempts to log into the VPN concentrator (a Cisco 3000), sometimes it says the IKE isn't working, sometimes it says there's no domain ("domain = {not specified}"), sometimes it never talks to the 3000 at all (according to the log and the way it comes right back with the username/password request).

Want to get even more confused? This problem started when she attempted to change her password back to what it was - she went through the AD administration on the primary AD box and got some kind of error. Ever since then, things just ain't the same. I think something got scrambled in her account. We tried disabling her account for 5 minutes and then re-enabling, but nothing's worked.

Where should I look to see if something's amiss? I'm kinda stumped.

Steve Egan
Systems/Network Engineer
RE: [ActiveDir] Cisco VPN user authentication problem
Al: Her laptop IS her desktop. I don't think that's the problem. Remember what I said about how the problem follows her login even on another machine!

Steve Egan
Systems/Network Engineer
RE: [ActiveDir] Cisco VPN user authentication problem
Jeff: Yep, thought of that too. Also, her password has been changed and changed back, disabled, re-enabled, folded, spindled, and mutilated. So far, nothing. See why I'm getting prematurely grey?? Password is only 7 characters long, BTW. The most it has been is 13 characters.

Steve Egan
Systems/Network Engineer
RE: [ActiveDir] Cisco VPN user authentication problem
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Garrett
Sent: Friday, January 19, 2007 4:53 PM

The password issue reminds me of times when people don't synchronize their logins, i.e. they change their password at their desktop and then their laptop is out of sync with the domain. Try setting the VPN Client to log on to Windows first where she would use her new password and then it will sync the laptop with the domain again.
RE: [ActiveDir] Cisco VPN user authentication problem
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Egan
Sent: Friday, January 19, 2007 4:44 PM

No on that as well - it was working until she tried to change her password back to what it was after a (normal) password change at her laptop. Remember, her login (and ONLY hers) is broken no matter where she logs in, from any machine. The problem is client software independent.

Steve Egan (temp)
Systems/Network Engineer
RE: [ActiveDir] Cisco VPN user authentication problem
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Salisbury
Sent: Friday, January 19, 2007 4:35 PM

Steve - Check the Dial-in tab settings on the user's account in AD. Depending on how your VPN3000 is authenticating, these settings may or may not be checked.

One other possibility - I vaguely remember having an issue before we had our VPN3000s authenticate against Cisco ACS where users with passwords longer than 14 characters could not authenticate. If you shortened the password, it worked fine.

Jeff
Re: [ActiveDir] Cisco VPN user authentication problem
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of James Pogran
Sent: Friday, January 19, 2007 4:29 PM

Have you considered token size? I've had trouble with cisco router firmware that is older dropping udp packet sizes it didn't like with accounts whose token is large. Believe Deji has some good blog posts about it. If that is the case, a router firmware upgrade should help. Is it a win2k or win2k3 domain?

James
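Added example, not from the thread: one way to act on the account-side suggestions above (Jeff's Dial-in tab check, James's token-size question) is to export the failing account and a working one and compare the attributes that affect authentication. The LDIF sample, account names and helper names are constructed for illustration; the token figure uses Microsoft's published estimate 1200 + 40d + 8s over direct group memberships only.

```python
"""Added example: compare auth-relevant AD attributes of two accounts in an LDIF export."""
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like an `ldifde` export; all names and values are invented.
SAMPLE_LDIF = """\
dn: CN=VPN Users,OU=Groups,DC=example,DC=com
groupType: -2147483644

dn: CN=Staff,OU=Groups,DC=example,DC=com
groupType: -2147483646

dn: CN=Working User,OU=Staff,DC=example,DC=com
sAMAccountName: wuser
userAccountControl: 512
pwdLastSet: 128135196000000000
lockoutTime: 0
msNPAllowDialin: TRUE
memberOf: CN=VPN Users,OU=Groups,DC=example,DC=com
memberOf: CN=Staff,OU=Groups,DC=example,DC=com

dn: CN=Affected User,OU=Staff,DC=example,DC=com
sAMAccountName: auser
userAccountControl: 2097664
pwdLastSet: 0
lockoutTime: 0
memberOf: CN=VPN Users,OU=Groups,
 DC=example,DC=com
"""

# userAccountControl bits that change how a logon is evaluated.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE", 0x10000: "DONT_EXPIRE_PASSWORD",
    0x40000: "SMARTCARD_REQUIRED", 0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
}


def parse_ldif(text):
    """Return {dn: {attribute: [values]}}; unfolds wrapped lines, leaves base64 values as-is."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # folded line: continuation starts with one space
        else:
            lines.append(raw)
    records, current = {}, None
    for line in lines:
        if line.startswith("#"):
            continue
        if not line.strip():
            current = None                # blank line ends a record
            continue
        name, _, value = line.partition(":")
        if name.lower() == "dn":
            current = records.setdefault(value.strip(), {})
        elif current is not None:
            current.setdefault(name, []).append(value.strip())
    return records


def filetime_to_utc(value):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC); 0 means not set."""
    if value == 0:
        return None
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=value // 10)


def auth_state(records, sam):
    """Summarise the attributes of one account that decide whether a logon succeeds."""
    user = next(r for r in records.values() if r.get("sAMAccountName") == [sam])
    uac = int(user["userAccountControl"][0])
    pwd_last_set = int(user.get("pwdLastSet", ["0"])[0])
    lockout = int(user.get("lockoutTime", ["0"])[0])
    d = len(user.get("sIDHistory", []))   # 40-byte entries: SID history + domain local groups
    s = 0                                 # 8-byte entries: global and universal groups
    for dn in user.get("memberOf", []):
        # A group missing from the export has no groupType here and is counted as global.
        group_type = int(records.get(dn, {}).get("groupType", ["0"])[0])
        if group_type & 0x4:
            d += 1
        else:
            s += 1
    dial = user.get("msNPAllowDialin", [None])[0]
    return {
        "uac_flags": sorted(n for bit, n in UAC_FLAGS.items() if uac & bit),
        "must_change_password": pwd_last_set == 0,
        "password_last_set": filetime_to_utc(pwd_last_set),
        "lockout_time": filetime_to_utc(lockout),
        # Dial-in tab: TRUE = allow, FALSE = deny, absent = remote access policy decides.
        "dial_in": {"TRUE": "allow", "FALSE": "deny", None: "policy"}.get(dial, dial),
        # memberOf omits nested and primary groups, so the real token is at least this big.
        "token_bytes_estimate": 1200 + 40 * d + 8 * s,
    }


def diff_accounts(ldif_text, failing, working):
    """Return {field: (failing_value, working_value)} for every field that differs."""
    records = parse_ldif(ldif_text)
    bad, good = auth_state(records, failing), auth_state(records, working)
    return {k: (bad[k], good[k]) for k in bad if bad[k] != good[k]}


if __name__ == "__main__":
    for field, (bad, good) in diff_accounts(SAMPLE_LDIF, "auser", "wuser").items():
        print(f"{field:22} failing={bad!r}  working={good!r}")
```
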
RE: [ActiveDir] Cisco VPN user authentication problem
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Egan
Sent: Friday, January 19, 2007 4:26 PM

Al: I knew what you meant, and that was the first thing I did, thinking the client software got hammered somehow by some other misbehaved software (or whatever). No change. Like I said, if somebody else logs in from her machine, it's fine. If she tries to log in from another machine, it breaks. Gotta be something in AD.

Steve Egan (temp)
Systems/Network Engineer
RE: [ActiveDir] Cisco VPN user authentication problem
I just realized my response was misleading. I deleted and recreated the VPN Connection Profile within the Cisco VPN Client - NOT the user's computer profile under Documents and Settings.

Al

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Al Garrett
Sent: Friday, January 19, 2007 3:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Cisco VPN user authentication problem

I had similar issues and solved them by recreating the Profile on the laptop. Same settings, just created an identical Profile. Almost like the corruption was in the profile itself.

Al
RE: [ActiveDir] Cisco VPN user authentication problem
Brent: Great minds think alike... We are thinking of saving all her files that have to be connected thru her profile, blowing it away, and building a new one (NOT with the same username!) to kind of "flush" things out. I was hoping the Brain Trust had something I hadn't thought of or maybe knew of somewhere to look. I'll let this simmer over the weekend and see if anybody else can contribute something that'll make/help me find the problem, IF it's solvable *without* having to re-create the account. It's gonna be messy to have to re-create email and other stuff.

"...besides, you knew the job was dangerous when you took it!"

Steve Egan
Systems/Network Engineer

From: [EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, January 19, 2007 3:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Cisco VPN user authentication problem

Steve; You could setup a new account through AD or blow her existing account away and see if that doesn't clear the stick from the mud. Just attacking this as logically as I can, here. Since I do not know of a utility to check for problems with Kerberos/AD... Though it seems like there should be something out there to do just that. Bueller?

Brent Eads
Employee Technology Solutions, Inc.
RE: [ActiveDir] Cisco VPN user authentication problem
Steve; You could setup a new account through AD or blow her existing account away and see if that doesn't clear the stick from the mud. Just attacking this as logically as I can, here. Since I do not know of a utility to check for problems with Kerberos/AD... Though it seems like there should be something out there to do just that. Bueller?

Brent Eads
Employee Technology Solutions, Inc.
Office: (312) 762-9224
Fax: (312) 762-9275

The contents contain privileged and/or confidential information intended for the named recipient of this email. ETSI (Employee Technology Solutions, Inc.) does not warrant that the contents of any electronically transmitted information will remain confidential. If the reader of this email is not the intended recipient you are hereby notified that any use, reproduction, disclosure or distribution of the information contained in the email in error, please reply to us immediately and delete the document.

Viruses, Malware, Phishing and other known and unknown electronic threats: It is the recipient/client's duties to perform virus scans and otherwise test the information provided before loading onto any computer system. No warranty is made that this material is free from computer virus or any other defect. Any loss/damage incurred by using this material is not the sender's responsibility. Liability will be limited to resupplying the material.

"Steve Egan (Temp)" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
01/19/2007 05:06 PM
Please respond to ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Cisco VPN user authentication problem

Did that. It was the first thing I looked at, having had experience with RADIUS before. I created a user on the 3000, and it worked fine. BTW, we use the Kerberos/Active Directory authentication. But you knew that...

Steve Egan (temp)
Systems/Network Engineer
RE: [ActiveDir] Cisco VPN user authentication problem
What about "reversible encryption"? (I have no idea if this is required for the VPN software or not - just a guess.)

From: [EMAIL PROTECTED] On Behalf Of Steve Egan (Temp)
Sent: Friday, January 19, 2007 5:39 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Cisco VPN user authentication problem

Greetings, Brain Trust:

I've been troubleshooting a VPN access problem for about two days now and have almost scratched a groove in my head - this one's a puzzler.

My boss has an IBM Lenovo T60 laptop that has the Cisco VPN client software loaded into it. It was working just fine up until the third week of December, allowing her to use Dialup to get into our HQ domain from her house. When the logins failed, I thought it was due to crappy dialup connection, since noise in the link will cause the VPN tunnel to go down. However, I just got her link at her house to go on wireless, and it works just spiffy (11M up/down), and she still can't log on to the domain with the VPN software. The connection works just fine, she can browse with no problem. OWA works just fine.

Here's some of the troubleshooting I've done:

1) reloaded the VPN software.
2) Tried to have her log on from another machine.
3) Changed the Group authentication (made a new one) just for her.

Nothing seems to work. She logs in to the domain normally from her desk at work using either the wireless in the laptop, or via the Ethernet connection. Anybody else can use her laptop to get in via the VPN, so it's not the drivers or hardware. Her problem is replicated from ANYBODY's laptop utilizing the VPN software. It's got to be her account, which is why I think it's something screwed up in AD.

When I monitor her attempts to log into the VPN concentrator (a Cisco 3000), sometimes it says the IKE isn't working, sometimes it says there's no domain ("domain = {not specified}"), sometimes it never talks to the 3000 at all (according to the log and the way it comes right back with the username/password request).

Want to get even more confused? This problem started when she attempted to change her password back to what it was - she went through the AD administration on the primary AD box and got some kind of error. Ever since then, things just ain't the same. I think something got scrambled in her account. We tried disabling her account for 5 minutes and then re-enabling, but nothing's worked.

Where should I look to see if something's amiss? I'm kinda stumped.

Steve Egan
Systems/Network Engineer
RE: [ActiveDir] Cisco VPN user authentication problem
I had similar issues and solved them by recreating the Profile on the laptop. Same settings, just created an identical Profile. Almost like the corruption was in the profile itself.

Al

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Steve Egan (Temp)
Sent: Friday, January 19, 2007 3:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Cisco VPN user authentication problem

Did that. It was the first thing I looked at, having had experience with RADIUS before. I created a user on the 3000, and it worked fine. BTW, we use the Kerberos/Active Directory authentication. But you knew that...

Steve Egan (temp)
Systems/Network Engineer
RE: [ActiveDir] Cisco VPN user authentication problem
Did that. It was the first thing I looked at, having had experience with RADIUS before. I created a user on the 3000, and it worked fine. BTW, we use the Kerberos/Active Directory authentication. But you knew that...

Steve Egan (temp)
Systems/Network Engineer

From: [EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, January 19, 2007 3:00 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Cisco VPN user authentication problem

Steve; Just for kicks. Could you create a local account for testing? This would bypass any RADIUS/TAC+ problems and confirm the VPN client isn't at fault. Also, Cisco released a new client about a week ago. Don't ask, my laptop is stored for the weekend. Something like 4.881720344-1 or some such. Anyhow, it sounds like a RADIUS problem within the server but check with a local account on the 3000 just to eliminate what should be obvious.

Brent Eads
Employee Technology Solutions, Inc.
Re: [ActiveDir] Cisco VPN user authentication problem
Steve; Just for kicks. Could you create a local account for testing? This would bypass any RADIUS/TAC+ problems and confirm the VPN client isn't at fault. Also, Cisco released a new client about a week ago. Don't ask, my laptop is stored for the weekend. Something like 4.881720344-1 or some such. Anyhow, it sounds like a RADIUS problem within the server but check with a local account on the 3000 just to eliminate what should be obvious.

Brent Eads
Employee Technology Solutions, Inc.
Office: (312) 762-9224
Fax: (312) 762-9275