ISAserver.org Forums

VPN Authentication problem

All Forums >> [ISA Server 2000 Firewall] >> VPN >> VPN Authentication problem
VPN Authentication problem - 3.Sep.2007 9:41:36 PM
diato (Posts: 6, Joined: 23.Apr.2002)
Hi!
I have had my ISA Server and RRAS working trouble-free for VPN access for some time.
This server accepted VPN connections for users of the same domain the ISA server belongs to as well as for users of other internal domains. Unfortunately the hard disk of the domain controller for one of the domains crashed and we had to reinstall it from zero. Now I can't get any users from this domain to establish a VPN connection.
If I try with a user from the domain the ISA server and RRAS server belong to, the VPN connection is established.
Any ideas on how to make this work again?

Trust relationships are established between both domains and users do have the Dial-in permission.

Thanks,

Luis
Post #: 1
RE: VPN Authentication problem - 28.Oct.2007 11:38:11 PM
AHIT (Posts: 1561, Joined: 22.Jul.2002, From: Sydney, Australia)
I realise I'm dragging up an old thread here (nearly 2 months old) and it's probably already sorted.
If you say some sessions are being permitted then:
a) we can essentially rule out the RRAS service as it is authenticating some VPN requests and
b) we can rule out the ISA ruleset as it is actually the RRAS VPN service that 'answers the VPN call'; ISA just permits access to the RRAS service by opening the appropriate ports.
So from there, I'd be looking at either trusts between the domains, specific users' dial-in ability or perhaps group policy settings that would override your 'dial-in' ability.

Care to elaborate as to what the actual cause was?

An observation based on personal opinion - I will always have VPN users use a different set of credentials to their domain user/password combo. Yes, it IS another password to remember (downside) but the matching upside is that from a security perspective, it's one set of credentials to access the network and another set of credentials to access RESOURCES/SERVICES on that network.

If you 'share' access by having VPN use standard domain credentials you don't have those 2 layers of security. If your domain credentials are compromised in some way, you're completely exposed. We don't have CAT5 ethernet ports available in the street out the front of our businesses 'cause we don't want the 'baddies' trying to brute force their way into services we offer.
Lock 'em out - use a different key (user/pass combo) to get access to the network.

Just my 2 cents...

_____________________________

http://www.ahit.com.au/isa
(Previous nick: Tolk)

(in reply to diato)
Post #: 2
RE: VPN Authentication problem - 29.Oct.2007 2:24:22 PM
diato (Posts: 6, Joined: 23.Apr.2002)
Thanks for your response and for your suggestion.

To this date I have not found what is preventing all users from other internal domains from establishing a VPN connection.

As you point out, the RRAS service IS authenticating some users (only users from the domain it belongs to). The trusts between domains are up and working and these specific users do have "dial-in" enabled and we have not created any Group Policy.

In addition to the things you point out, we placed the ISA server machine name in the Active Directory "RAS and IAS Servers" group but we have run out of ideas on where to continue looking.

In the meantime we are doing what you suggested. That is, we gave these users a user account from the domain that is working, but I would really like to know what is happening.

Any ideas?

Luis

(in reply to AHIT)
Post #: 3
RE: VPN Authentication problem - 31.Oct.2007 3:21:44 AM
AHIT (Posts: 1561, Joined: 22.Jul.2002, From: Sydney, Australia)
What is recorded in the RRAS log file?
Usual location: c:\winnt\system32\logfiles\iaslog.txt
It might be able to give some more hints as to why the authentication is rejected.
Alternately, the OS event logs?

(in reply to diato)
Post #: 4
RE: VPN Authentication problem - 1.Nov.2007 1:11:08 PM
diato (Posts: 6, Joined: 23.Apr.2002)
Here are several entries of the log file for three different users.
MAIL\Diato has access to the VPN.
ESV\ldt with no access to the VPN
DIATO\diato with no access to the VPN

This ISA/RRAS machine (ISABEL) belongs to a domain named NORTE

The funny thing is that the last time I checked this (when I wrote the initial message) users from the MAIL domain including MAIL\Diato could not gain access to the VPN. Today it worked so we must have changed something along the way...


Luis


192.168.2.2,MAIL\diato,11/01/2007,10:18:32,RAS,ISABEL,4,192.168.2.2,6,2,7,1,5,130,61,5,64,1,65,1,31,200.67.233.4,66,200.67.233.4,25,311 1 10.0.0.2 08/14/2007 14:49:20 89,44,135,8,192.168.2.39,12,1500,50,415,51,1,55,1193933910,45,3,46,477,43,219576,42,179354,48,1410,47,1960,49,1,40,2,4108,192.168.2.2,0,,4147,311,4148,MSRASV5.00,4120,0x004D41494C,4294967206,4,4136,4,4142,0
192.168.2.2,MAIL\diato,11/01/2007,10:18:48,RAS,ISABEL,4,192.168.2.2,6,2,7,1,5,130,61,5,64,1,65,1,31,200.67.233.4,66,200.67.233.4,4108,192.168.2.2,0,,4147,311,4148,MSRASV5.00,4129,MAIL\diato,4127,4,25,311 1 10.0.0.2 08/14/2007 14:49:20 90,4130,diato.com.mx/Users/Luis DiazTorre,4136,1,4142,0
192.168.2.2,MAIL\diato,11/01/2007,10:18:48,RAS,ISABEL,25,311 1 10.0.0.2 08/14/2007 14:49:20 90,4130,diato.com.mx/Users/Luis DiazTorre,6,2,7,1,4149,ldt Acceso VPN,4120,0x004D41494C,4127,4,4129,MAIL\diato,4136,2,4142,0
192.168.2.2,MAIL\diato,11/01/2007,10:18:48,RAS,ISABEL,4,192.168.2.2,6,2,7,1,5,130,61,5,64,1,65,1,31,200.67.233.4,66,200.67.233.4,25,311 1 10.0.0.2 08/14/2007 14:49:20 90,44,137,8,192.168.2.38,12,1500,50,417,51,1,55,1193933928,45,3,40,1,4108,192.168.2.2,0,,4147,311,4148,MSRASV5.00,4120,0x004D41494C,4294967206,4,4136,4,4142,0
192.168.2.2,MAIL\diato,11/01/2007,10:19:02,RAS,ISABEL,4,192.168.2.2,6,2,7,1,5,130,61,5,64,1,65,1,31,200.67.233.4,66,200.67.233.4,25,311 1 10.0.0.2 08/14/2007 14:49:20 90,44,137,8,192.168.2.38,12,1500,50,417,51,1,55,1193933940,45,3,46,12,43,1459,42,6671,48,30,47,75,49,1,40,2,4108,192.168.2.2,0,,4147,311,4148,MSRASV5.00,4120,0x004D41494C,4294967206,4,4136,4,4142,0
192.168.2.2,MAIL\diato,11/01/2007,10:20:11,RAS,ISABEL,4,192.168.2.2,6,2,7,1,5,130,61,5,64,1,65,1,31,200.67.233.4,66,200.67.233.4,4108,192.168.2.2,0,,4147,311,4148,MSRASV5.00,4129,MAIL\diato,4127,4,25,311 1 10.0.0.2 08/14/2007 14:49:20 91,4130,diato.com.mx/Users/Luis DiazTorre,4136,1,4142,0
192.168.2.2,MAIL\diato,11/01/2007,10:20:11,RAS,ISABEL,25,311 1 10.0.0.2 08/14/2007 14:49:20 91,4130,diato.com.mx/Users/Luis DiazTorre,6,2,7,1,4149,ldt Acceso VPN,4120,0x004D41494C,4127,4,4129,MAIL\diato,4136,2,4142,0
192.168.2.2,MAIL\diato,11/01/2007,10:20:11,RAS,ISABEL,4,192.168.2.2,6,2,7,1,5,130,61,5,64,1,65,1,31,200.67.233.4,66,200.67.233.4,25,311 1 10.0.0.2 08/14/2007 14:49:20 91,44,139,8,192.168.2.34,12,1500,50,427,51,1,55,1193934011,45,3,40,1,4108,192.168.2.2,0,,4147,311,4148,MSRASV5.00,4120,0x004D41494C,4294967206,4,4136,4,4142,0

(in reply to AHIT)
Post #: 5
RE: VPN Authentication problem - 1.Nov.2007 8:06:25 PM
AHIT (Posts: 1561, Joined: 22.Jul.2002, From: Sydney, Australia)
Hmmn... Would need to see more of the log file for the failures. Feel free to PM me if you wish.
FYI, I can heartily recommend some of the log viewers such as http://deepsoftware.ru/iasviewer/ for this purpose. It can work in "real time" as you try and connect and breaks up confusing comma-delimited fields into easy-to-read tables with drill down to details.

(in reply to diato)
Post #: 6
RE: VPN Authentication problem - 5.Nov.2007 6:27:43 PM
diato (Posts: 6, Joined: 23.Apr.2002)
I downloaded the log tool that you mentioned.
Nice tool... Thanks for the tip.

I’ve run it with several log files.
The error message it displays in all cases is “IAS_NO_SUCH_USER”

Luis

(in reply to AHIT)
Post #: 7
RE: VPN Authentication problem - 6.Nov.2007 1:04:07 AM
AHIT (Posts: 1561, Joined: 22.Jul.2002, From: Sydney, Australia)
Hmmn.. then either a) there really IS no such user account (unlikely) OR b) the trust between domains is not working.
Scanning across a few of my VPN servers I only get that when they attempted to use an account that really doesn't exist, or in testing I do with a nosuchdomain\account so the DOMAIN doesn't exist. This would appear to be the case if trusts aren't working right; then the domain would 'appear' to exist.

Hope this helps.

(in reply to diato)
Post #: 8
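The log excerpt diato posted (post #5) and the IAS_NO_SUCH_USER reading AHIT gives it (post #8) are easier to reason about once the IAS-format records are decoded. The following is an added example, not code from the thread or from the IAS viewer AHIT recommends: a small parser for the IAS-format lines, which splits off the six fixed header fields, names the attribute IDs that matter for an authentication problem (Packet-Type 4136, Reason-Code 4142, SAM-Account-Name 4129, policy name 4149), and groups the Access-Accept/Access-Reject verdicts by DOMAIN\user so that the IAS_NO_SUCH_USER (8) versus IAS_NO_SUCH_DOMAIN (7) distinction shows up directly. Three of the sample records are copied from diato's excerpt; the Access-Reject for ESV\ldt is constructed (the thread shows no failing record), and the attribute and reason-code tables are a subset from my own reading of the IAS log format, with anything not listed left under its numeric ID.

```python
"""Decode IAS-format RRAS/IAS log records and group VPN auth verdicts by user.

Added example for this thread, not code from the original post or from the
IAS viewer AHIT mentions.  SAMPLE_LOG mixes three records copied from diato's
excerpt with one CONSTRUCTED Access-Reject for ESV\\ldt (the thread shows no
failing record, so that line is made up to exercise the failure path).
"""
from collections import defaultdict

# IAS-format records start with six fixed fields, then id,value attribute pairs.
HEADER_FIELDS = ("client", "user", "date", "time", "service", "computer")

# Attribute IDs named here; anything else is kept under its numeric ID.
ATTR_NAMES = {
    "4": "NAS-IP-Address",
    "8": "Framed-IP-Address",
    "25": "Class",
    "40": "Acct-Status-Type",
    "4129": "SAM-Account-Name",
    "4130": "Fully-Qualified-User-Name",
    "4136": "Packet-Type",
    "4142": "Reason-Code",
    "4149": "Policy-Name",
}

PACKET_TYPES = {"1": "Access-Request", "2": "Access-Accept",
                "3": "Access-Reject", "4": "Accounting-Request"}

# Subset of the IAS reason codes; 7 and 8 are the pair AHIT's reply is about.
REASON_CODES = {
    "0": "IAS_SUCCESS",
    "7": "IAS_NO_SUCH_DOMAIN",
    "8": "IAS_NO_SUCH_USER",
    "16": "IAS_AUTH_FAILURE",
    "36": "IAS_ACCOUNT_LOCKED_OUT",
    "48": "IAS_NO_POLICY_MATCH",
    "65": "IAS_DIALIN_DISABLED",
}

SAMPLE_LOG = [
    # Accounting-Request (Stop) for MAIL\diato, copied from the thread.
    r"192.168.2.2,MAIL\diato,11/01/2007,10:18:32,RAS,ISABEL,4,192.168.2.2,6,2,7,1,5,130,61,5,64,1,65,1,31,200.67.233.4,66,200.67.233.4,25,311 1 10.0.0.2 08/14/2007 14:49:20 89,44,135,8,192.168.2.39,12,1500,50,415,51,1,55,1193933910,45,3,46,477,43,219576,42,179354,48,1410,47,1960,49,1,40,2,4108,192.168.2.2,0,,4147,311,4148,MSRASV5.00,4120,0x004D41494C,4294967206,4,4136,4,4142,0",
    # Access-Request for MAIL\diato, copied from the thread.
    r"192.168.2.2,MAIL\diato,11/01/2007,10:18:48,RAS,ISABEL,4,192.168.2.2,6,2,7,1,5,130,61,5,64,1,65,1,31,200.67.233.4,66,200.67.233.4,4108,192.168.2.2,0,,4147,311,4148,MSRASV5.00,4129,MAIL\diato,4127,4,25,311 1 10.0.0.2 08/14/2007 14:49:20 90,4130,diato.com.mx/Users/Luis DiazTorre,4136,1,4142,0",
    # Access-Accept for MAIL\diato (Reason-Code 0), copied from the thread.
    r"192.168.2.2,MAIL\diato,11/01/2007,10:18:48,RAS,ISABEL,25,311 1 10.0.0.2 08/14/2007 14:49:20 90,4130,diato.com.mx/Users/Luis DiazTorre,6,2,7,1,4149,ldt Acceso VPN,4120,0x004D41494C,4127,4,4129,MAIL\diato,4136,2,4142,0",
    # CONSTRUCTED Access-Reject for ESV\ldt with Reason-Code 8 (IAS_NO_SUCH_USER).
    r"192.168.2.2,ESV\ldt,11/01/2007,10:25:03,RAS,ISABEL,4,192.168.2.2,6,2,7,1,5,131,61,5,64,1,65,1,31,200.67.233.4,66,200.67.233.4,4108,192.168.2.2,4147,311,4148,MSRASV5.00,4129,ESV\ldt,4127,4,4136,3,4142,8",
]


def parse_record(line):
    """Split one IAS-format line into the six header fields plus attributes.

    Values never contain commas (Class and policy names may contain spaces),
    so a plain split is enough; attributes follow the header as id,value pairs.
    """
    fields = line.rstrip("\r\n").split(",")
    if len(fields) < len(HEADER_FIELDS) or (len(fields) - len(HEADER_FIELDS)) % 2:
        raise ValueError("malformed IAS record: %r" % line)
    rec = dict(zip(HEADER_FIELDS, fields))
    attrs = fields[len(HEADER_FIELDS):]
    for attr_id, value in zip(attrs[0::2], attrs[1::2]):
        rec[ATTR_NAMES.get(attr_id, attr_id)] = value
    return rec


def auth_outcomes(lines):
    """Return {user: [(packet type, reason name), ...]} for verdict packets only."""
    out = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        ptype = PACKET_TYPES.get(rec.get("Packet-Type"), "unknown")
        if ptype not in ("Access-Accept", "Access-Reject"):
            continue  # Access-Request and accounting records carry no verdict
        code = rec.get("Reason-Code", "")
        out[rec["user"]].append((ptype, REASON_CODES.get(code, "code " + code)))
    return dict(out)


def failing_domains(outcomes):
    """Domains (the DOMAIN\\user prefix) with at least one Access-Reject."""
    return sorted({user.split("\\", 1)[0]
                   for user, verdicts in outcomes.items()
                   if any(p == "Access-Reject" for p, _ in verdicts)})


if __name__ == "__main__":
    verdicts = auth_outcomes(SAMPLE_LOG)
    for user, result in sorted(verdicts.items()):
        print(user, result)
    print("domains with rejects:", failing_domains(verdicts))
```

Run it against a real iaslog file by replacing SAMPLE_LOG with the file's lines; a reject list that is empty for the server's own domain but populated for every trusted domain, all with IAS_NO_SUCH_USER, points at the cross-domain lookup (trust, DC location, DNS) rather than at the individual accounts, which is the conclusion AHIT reaches.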
RE: VPN Authentication problem - 6.Nov.2007 2:08:58 PM
diato (Posts: 6, Joined: 23.Apr.2002)
Thanks.
The only lead I have right now is that users from a domain that did not work a month ago now have VPN access. We have been making some changes on our internal DNS server. This looks like our best source for problems and solutions at this moment.

Thanks again
Luis

(in reply to diato)
Post #: 9
RE: VPN Authentication problem - 6.Nov.2007 6:42:34 PM
AHIT (Posts: 1561, Joined: 22.Jul.2002, From: Sydney, Australia)
Looking forward to hearing of your success in days/weeks to come.

(in reply to diato)
Post #: 10