Welcome to ISAserver.org


VPN and authentication over PPTP

VPN and authentication over PPTP - 19.Jul.2004 1:15:00 PM   
kegly911
Hi All,

We performed an in-place upgrade from ISA 2000 SP2 to ISA 2004 full release. All went OK apart from one bit regarding VPN connections. All incoming VPN connections are accepted and then fail with an error which says that the username and password are incorrect even though they are correct.

Any ideas?
Post #: 1
RE: VPN and authentication over PPTP - 19.Jul.2004 1:44:00 PM   
Jetser
Perhaps you did not configure the user mapping correctly? Are you using Active directory user accounts for VPN logon?

Post #: 2
RE: VPN and authentication over PPTP - 19.Jul.2004 1:45:00 PM   
kegly911
Yes we are, and followed the online document to ensure that user mapping was done correctly.

regards, Simon

Post #: 3
RE: VPN and authentication over PPTP - 19.Jul.2004 6:35:00 PM   
tshinder
Hi Kegly,

Do you see any errors in the Event Viewer or in the ISA firewall's management console?

Thanks!
Tom

Post #: 4
RE: VPN and authentication over PPTP - 19.Jul.2004 9:40:00 PM   
kegly911
Hi Tom,

Thanks for your post, The only error shown relates to authentication.

Would you like a copy of the event?

thanks,

Post #: 5
RE: VPN and authentication over PPTP - 20.Jul.2004 12:02:00 AM   
tshinder
Hi Kegly,

Yes, if you can post the error, that might help.

Thanks!
Tom

Post #: 6
RE: VPN and authentication over PPTP - 20.Jul.2004 10:33:00 AM   
kegly911
Hi Tom,

Here it is:

Event Type: Warning
Event Source: RemoteAccess
Event Category: None
Event ID: 20014
Date: 19/07/2004
Time: 20:41:22
User: N/A
Computer: CHEROKEE
Description:
The user xxx@ukoffice.gfi.co.uk has connected and failed to authenticate on port VPN5-4. The line has been disconnected.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Thanks

Post #: 7
RE: VPN and authentication over PPTP - 20.Jul.2004 6:46:00 PM   
tshinder
Hi Kegly,

OK, is the ISA firewall a member of the domain? Or are you using RADIUS for authentication?

It looks like there is a communications failure between the ISA firewall and the authentication server. Are you using the RTM?

Thanks!
Tom

Post #: 8
RE: VPN and authentication over PPTP - 21.Jul.2004 2:54:00 PM   
kegly911
Hi Tom,

The ISA Server is a DC.

Any other thoughts?

Thanks,

Post #: 9
RE: VPN and authentication over PPTP - 21.Jul.2004 3:18:00 PM   
tshinder
Hi Kegly,

That might be the problem. I haven't tested the ISA firewall as a DC -- can you move the DC *off* the firewall?

Thanks!
Tom

Post #: 10
RE: VPN and authentication over PPTP - 24.Jul.2004 2:18:00 AM   
roblof
I have a similar problem. My ISA 2004 is not a DC, just a member of the domain. I've tried with local ISA users and domain users with the same results; however, the logs from a domain logon show the following info:

RAS-Debug logs (selected parts):
================================
IASResponse = 2, FailureReason = 0x10

NT-SAM Names handler received request with user identity myUser.
Prepending default domain.
NameMapper::prependDefaultDomain
SAM-Account-Name is "MYDOMAIN\myUser".
NT-SAM Authentication handler received request for MYDOMAIN\myUser.
Processing MS-CHAP v2 authentication.
LogonUser failed: Logon failure: unknown user name or bad password.
Invoking AuthorizationDLLs
Invoking extension vpnplgin.dll
RadiusExtensionProcess2 returned 0

Event viewer on DC:
===================
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 2004-07-24
Time: 01:25:50
User: NT AUTHORITY\SYSTEM
Computer: GW-ISA0
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: myUser
Domain: MYDOMAIN
Logon Type: 3
Logon Process: IAS
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name:
Caller User Name: GW-ISA0$
Caller Domain: MYDOMAIN
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 1136
Transited Services: -
Source Network Address: -
Source Port: -

Post #: 11
RE: VPN and authentication over PPTP - 24.Jul.2004 6:53:00 PM   
tshinder
Hey guys,

You should make sure your AD connectivity is OK and that the user has dial-in permission.

HTH,
Tom

Post #: 12
RE: VPN and authentication over PPTP - 24.Jul.2004 8:44:00 PM   
roblof
Sorry, but it works as it is supposed to as a domain computer otherwise, i.e. AD and stuff works since I can log on to the computer console with domain credentials. As my logs show, communication with the AD/DC works but the DC complains.

As I also mentioned in my last post, even if I create a local ISA user or use the local administrator account and put them into a group and use that for VPN users in ISA, it still doesn't work.

/--Rob

Post #: 13
RE: VPN and authentication over PPTP - 24.Jul.2004 10:16:00 PM   
tshinder
Hi Rob,

So, if you create a local user account and then try to VPN into the ISA firewall and auth with that account, it still doesn't authenticate?

What type of authentication are you using?

Does the log on attempt appear in the Event Viewer?

Thanks!
Tom

Post #: 14
RE: VPN and authentication over PPTP - 25.Jul.2004 12:48:00 AM   
roblof
Hi Tom, thanks for watching!

As logged in my earlier post in this thread, I'm using MS-CHAP v2 authentication.

Here is a local logon try in the event viewer on the ISA (gw-isa0 is the ISA server's local name, belonging to MYDOMAIN):
===============================
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 2004-07-23
Time: 19:28:30
User: NT AUTHORITY\SYSTEM
Computer: GW-ISA0
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: administrator
Domain: GW-ISA0
Logon Type: 3
Logon Process: IAS
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name:
Caller User Name: GW-ISA0$
Caller Domain: MYDOMAIN
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 972
Transited Services: -
Source Network Address: -
Source Port: -

Regds,
/--Rob

Post #: 15
RE: VPN and authentication over PPTP - 25.Jul.2004 1:39:00 AM   
tshinder
Hi Rob,

Are you using RADIUS? Have you allowed all users access?

How are you entering the credentials into the VPN client software?

Thanks!
Tom

Post #: 16
RE: VPN and authentication over PPTP - 25.Jul.2004 2:31:00 AM   
roblof
Hi Tom,

The users are given access in the Dial-In properties in their respective properties. They are added to a newly created VPN-group (I've tried Domain Users as well) and added to isa users config for vpn.

I'm at this point not using RADIUS since this is a test domain, but I'm considering installing IAS.

When it comes to the client vpn I'm using native XP vpn configured both manually and with the wizard.

Post #: 17
RE: VPN and authentication over PPTP - 25.Jul.2004 2:50:00 AM   
tshinder
Hi Rob,

Are there any errors in the Event Log regarding RRAS or anything else that might point to a solution?

In addition, remove the user group you created and let all users access the VPN, then you can lock it down.

HTH,
Tom

Post #: 18
RE: VPN and authentication over PPTP - 25.Jul.2004 4:22:00 PM   
roblof
OK, here are all the relevant logs from my systems (happy reading :-) for one of my tryouts.

The Error Code 0xC000006A indicates incorrect password, but this must be erroneous or something that happens during the negotiation and fails.

Can you please explain more in detail what you mean by "In addition, remove the user group you created and let all users access the VPN, then you can lock it down". I assume you don't mean to use 'Domain Users' in the user settings.

/--Rob

IASSAM.LOG
==========
[1188] 07-23 23:49:16:840: NT-SAM Names handler received request with user identity myUser.
[1188] 07-23 23:49:16:840: Prepending default domain.
[1188] 07-23 23:49:16:840: NameMapper::prependDefaultDomain
[1188] 07-23 23:49:16:840: SAM-Account-Name is "MYDOMAIN\myUser".
[1188] 07-23 23:49:16:840: NT-SAM Authentication handler received request for MYDOMAIN\myUser.
[1188] 07-23 23:49:16:840: Processing MS-CHAP v2 authentication.
[1188] 07-23 23:49:17:011: LogonUser failed: Logon failure: unknown user name or bad password.
[1188] 07-23 23:49:17:011: Invoking AuthorizationDLLs
[1188] 07-23 23:49:17:011: Invoking extension vpnplgin.dll
[1188] 07-23 23:49:17:041: RadiusExtensionProcess2 returned 0

RASAUTH.LOG
===========
[1188] 23:49:16:830: RasAuthProviderAuthenticateUser called
[1188] 23:49:17:041: IASResponse = 2, FailureReason = 0x10

RASCHAP.LOG
===========
[1216] 07-23 23:49:14:958: ChapBegin(fS=1,bA=0x81)
[1216] 07-23 23:49:14:958: ChapBegin done.
[1216] 07-23 23:49:14:958: ChapMakeMessage,RBuf=00000000
[1216] 07-23 23:49:14:958: CS_Initial...
[1216] 07-23 23:49:14:958: MakeChallengeMessage...
01 00 00 1C 10 E9 96 B0 A3 3D D5 26 D4 0C 55 96 |.........=.&..U.|
6D EE 44 55 57 47 57 2D 49 53 41 30 00 00 00 00 |m.DUWGW-ISA0....|
[1216] 07-23 23:49:16:830: ChapMakeMessage,RBuf=01C04D82
[1216] 07-23 23:49:16:830: CS_ChallengeSent...
[1216] 07-23 23:49:17:041: ChapMakeMessage,RBuf=00000000
[1216] 07-23 23:49:17:041: Result=691,Tries=2
[1216] 07-23 23:49:17:041: CS_Done...
04 00 00 34 45 3D 36 39 31 20 52 3D 31 20 43 3D |...4E=691 R=1 C=|
31 45 35 35 44 33 46 35 41 43 45 37 35 42 39 37 |1E55D3F5ACE75B97|
34 33 30 42 36 39 39 45 42 37 39 42 39 39 38 43 |430B699EB79B998C|
20 56 3D 33 00 00 00 00 00 00 00 00 00 00 00 00 | V=3............|
[1216] 07-23 23:49:19:835: ChapMakeMessage,RBuf=00000000
[1216] 07-23 23:49:19:835: CS_Retry...
04 00 00 34 45 3D 36 39 31 20 52 3D 31 20 43 3D |...4E=691 R=1 C=|
31 45 35 35 44 33 46 35 41 43 45 37 35 42 39 37 |1E55D3F5ACE75B97|
34 33 30 42 36 39 39 45 42 37 39 42 39 39 38 43 |430B699EB79B998C|
20 56 3D 33 00 00 00 00 00 00 00 00 00 00 00 00 | V=3............|
[1216] 07-23 23:49:19:835: ChapMakeMessage,RBuf=01C04D82
[1216] 07-23 23:49:19:835: CS_Retry...
[1216] 07-23 23:49:19:835: Got ID 0 when expecting 1
[1216] 07-23 23:49:22:839: ChapMakeMessage,RBuf=00000000
[1216] 07-23 23:49:22:839: CS_Retry...
.
. (repeated entries removed)
.
[1216] 07-23 23:51:09:661: ChapEnd

PPP.LOG
=======
[1216] 07-23 23:49:14:958: RemoveFromTimerQ called portid=28,Id=2,Protocol=c021,EventType=0,fAuth=0
[1216] 07-23 23:49:14:958: FsmThisLayerUp called for protocol = c021, port = 6
[1216] 07-23 23:49:14:958: LCP Local Options-------------
[1216] 07-23 23:49:14:958: MRU=1400,ACCM=-1,Auth=c223,MagicNumber=667384259,PFC=ON,ACFC=ON
[1216] 07-23 23:49:14:958: Recv Framing = PPP,SSHF=OFF,MRRU=1500,LinkDiscrim=e,BAP=OFF
[1216] 07-23 23:49:14:958: LCP Remote Options-------------
[1216] 07-23 23:49:14:958: MRU=1400,ACCM=-1,Auth=0,MagicNumber=1005530953,PFC=ON,ACFC=ON
[1216] 07-23 23:49:14:958: Send Framing = PPP,SSHF=OFF,MRRU=1500,LinkDiscrim=0
[1216] 07-23 23:49:14:958: LCP Configured successfully
[1216] 07-23 23:49:14:958: Authenticating phase started
[1216] 07-23 23:49:14:958: Calling APWork in APStart
[1216] 07-23 23:49:14:958: PPP packet sent at 07/23/2004 21:49:14:958
........
[1216] 07-23 23:51:08:509: InsertInTimerQ called portid=28,Id=1,Protocol=c223,EventType=0,fAuth=1
[412] 07-23 23:51:09:641: PPPEMSG_LineDown recvd, hPort=6
[1216] 07-23 23:51:09:661: Line down event occurred on port 6
[1216] 07-23 23:51:09:661: FsmDown event received for protocol c021 on port 6
[1216] 07-23 23:51:09:661: RemoveFromTimerQ called portid=28,Id=2,Protocol=c021,EventType=0,fAuth=0
[1216] 07-23 23:51:09:661: FsmThisLayerDown called for protocol = c021, port = 6
[1216] 07-23 23:51:09:661: RemoveFromTimerQ called portid=28,Id=1,Protocol=c223,EventType=0,fAuth=1
[1216] 07-23 23:51:09:661: RemoveFromTimerQ called portid=28,Id=0,Protocol=c029,EventType=0,fAuth=0
[1216] 07-23 23:51:09:661: FsmReset called for protocol = c021, port = 6
[1216] 07-23 23:51:09:661: RemoveFromTimerQ called portid=28,Id=0,Protocol=0,EventType=3,fAuth=0
[1216] 07-23 23:51:09:661: RemoveFromTimerQ called portid=28,Id=0,Protocol=0,EventType=7,fAuth=0
[1216] 07-23 23:51:09:661: RemoveFromTimerQ called portid=28,Id=0,Protocol=0,EventType=2,fAuth=0
[1216] 07-23 23:51:09:661: RemoveFromTimerQ called portid=28,Id=0,Protocol=0,EventType=1,fAuth=0
[1216] 07-23 23:51:09:661: RemoveFromTimerQ called portid=28,Id=0,Protocol=0,EventType=4,fAuth=0
[1216] 07-23 23:51:09:661: RemoveFromTimerQ called portid=28,Id=0,Protocol=c029,EventType=0,fAuth=0
[1216] 07-23 23:51:09:661: LcpEnd
[1216] 07-23 23:51:09:661: Post line down event occurred on port 6
[1216] 07-23 23:51:09:661: NotifyCaller(hPort=6, dwMsgId=23)
[3064] 07-24 00:03:39:314: PppDdmChangeNotification. New flags: 0x80260a
[1216] 07-24 00:03:39:314: Processing change notification event

Event log on DC - Security
====================
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
Date: 2004-07-23
Time: 23:49:16
User: NT AUTHORITY\SYSTEM
Computer: DC2
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: myUser
Source Workstation:
Error Code: 0xC000006A

Event log on ISA - Application
==============================
Event Type: Warning
Event Source: Microsoft Firewall
Event Category: None
Event ID: 21171
Date: 2004-07-23
Time: 23:49:17
User: N/A
Computer: GW-ISA0
Description:
The VPN connection attempt by user MYDOMAIN\myUser from VPN client IP address x.x.x.x could not be established.
Data: 0000: 21 00 04 c0

Event log on ISA - Security
===========================
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 2004-07-23
Time: 23:49:17
User: NT AUTHORITY\SYSTEM
Computer: GW-ISA0
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: myUser
Domain: MYDOMAIN
Logon Type: 3
Logon Process: IAS
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name:
Caller User Name: GW-ISA0$
Caller Domain: MYDOMAIN
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 972
Transited Services: -
Source Network Address: -
Source Port: -

Event log on ISA - System
=========================
Event Type: Warning
Event Source: RemoteAccess
Event Category: None
Event ID: 20189
Date: 2004-07-23
Time: 23:49:17
User: N/A
Computer: GW-ISA0
Description:
The user myUser connected from x.x.x.x but failed an authentication attempt due to the following reason: Authentication was not successful because an unknown user name or incorrect password was used.

Post #: 19
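The RASCHAP.LOG dumps in the post above are raw CHAP packets. The first one (code 01, length 0x1C) is the server's Challenge: a 16-byte random value followed by the authenticator name GW-ISA0. The later ones (code 04, length 0x34) are MS-CHAPv2 Failure packets whose text "E=691 R=1 C=<32 hex digits> V=3" means error 691 (ERROR_AUTHENTICATION_FAILURE), retry permitted, a fresh challenge to use for that retry, and protocol version 3; the "Result=691,Tries=2" line is the same outcome as seen by RRAS. The decoder below is an added example, not code from this thread or from Microsoft: it embeds the two dumps copied from the post, takes the packet layout from RFC 1994 and the Failure grammar and error table from RFC 2759, and reads the Length field rather than the line count because the log pads every line to 16 bytes.

```python
"""Decode the CHAP packets recorded in an RRAS RASCHAP.LOG hex dump.

Added example: not code from the forum thread or from Microsoft.  The two
dumps below are copied from the post above; the packet layout follows
RFC 1994 (CHAP), the Failure text and error codes follow RFC 2759
(MS-CHAPv2) section 6.
"""
import re
from dataclasses import dataclass, field

CHAP_CODES = {1: "Challenge", 2: "Response", 3: "Success", 4: "Failure"}

# MS-CHAPv2 failure codes, RFC 2759 section 6.
MSCHAP_ERRORS = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}

FAILURE_RE = re.compile(
    r"E=(?P<err>\d+) R=(?P<retry>[01]) C=(?P<chal>[0-9A-Fa-f]{32}) "
    r"V=(?P<ver>\d+)(?: M=(?P<msg>.*))?"
)

# Dumps copied from RASCHAP.LOG in the post above (hex bytes | ASCII).
CHALLENGE_DUMP = """\
01 00 00 1C 10 E9 96 B0 A3 3D D5 26 D4 0C 55 96 |.........=.&..U.|
6D EE 44 55 57 47 57 2D 49 53 41 30 00 00 00 00 |m.DUWGW-ISA0....|
"""
FAILURE_DUMP = """\
04 00 00 34 45 3D 36 39 31 20 52 3D 31 20 43 3D |...4E=691 R=1 C=|
31 45 35 35 44 33 46 35 41 43 45 37 35 42 39 37 |1E55D3F5ACE75B97|
34 33 30 42 36 39 39 45 42 37 39 42 39 39 38 43 |430B699EB79B998C|
20 56 3D 33 00 00 00 00 00 00 00 00 00 00 00 00 | V=3............|
"""


def hexdump_to_bytes(dump: str) -> bytes:
    """Strip the '|ascii|' column and join the hex bytes of every line."""
    out = bytearray()
    for line in dump.strip().splitlines():
        hex_part = line.split("|", 1)[0]
        out.extend(int(tok, 16) for tok in hex_part.split())
    return bytes(out)


@dataclass
class ChapPacket:
    code: int
    identifier: int
    length: int
    fields: dict = field(default_factory=dict)

    @property
    def kind(self) -> str:
        return CHAP_CODES.get(self.code, f"Unknown({self.code})")


def parse_chap(raw: bytes) -> ChapPacket:
    """Parse one CHAP packet.  The dump pads lines to 16 bytes, so the
    Length field, not len(raw), bounds the packet body."""
    if len(raw) < 4:
        raise ValueError("truncated CHAP header")
    code, ident = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    if length < 4 or length > len(raw):
        raise ValueError(f"bad Length {length} for {len(raw)} captured bytes")
    body = raw[4:length]
    pkt = ChapPacket(code, ident, length)

    if code == 1:  # Challenge: Value-Size, Value, Name (RFC 1994 4.1)
        vsize = body[0]
        if 1 + vsize > len(body):
            raise ValueError("Value-Size runs past packet end")
        pkt.fields["challenge"] = body[1:1 + vsize].hex()
        pkt.fields["name"] = body[1 + vsize:].decode("ascii", "replace")
    elif code == 4:  # Failure: textual "E=... R=... C=... V=... M=..."
        text = body.decode("ascii", "replace")
        pkt.fields["message"] = text
        m = FAILURE_RE.match(text)
        if m:
            err = int(m["err"])
            pkt.fields.update(
                error=err,
                error_name=MSCHAP_ERRORS.get(err, "unknown"),
                retry_allowed=m["retry"] == "1",
                new_challenge=m["chal"].lower(),
                version=int(m["ver"]),
                reason=m["msg"] or "",
            )
    return pkt


def decode_dump(dump: str) -> ChapPacket:
    """Convenience wrapper: hex dump text -> parsed packet."""
    return parse_chap(hexdump_to_bytes(dump))


if __name__ == "__main__":
    for d in (CHALLENGE_DUMP, FAILURE_DUMP):
        p = decode_dump(d)
        print(p.kind, p.identifier, p.length, p.fields)
```

One operational caveat: treat RASCHAP.LOG (and any capture of the PPTP session) as secret material. The challenge recorded there, together with the client's response, is exactly what an offline attack on MS-CHAPv2's DES-based NT-Response needs, so PPTP with MS-CHAPv2 should not be relied on against an attacker who can see the traffic.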
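The three Security/RemoteAccess events in the post above describe one attempt from three angles, and only the DC's Account Logon event 680 carries the real NTSTATUS: 0xC000006A is STATUS_WRONG_PASSWORD, meaning the DC found the account and rejected the MS-CHAPv2 response, whereas the 529's "Unknown user name or bad password" text deliberately does not distinguish the two. The 529's Logon Process IAS and Caller User Name GW-ISA0$ also show that the firewall's own machine account reached the DC, so the DC was consulted and answered. The script below is an added example, not code from this thread or from Microsoft: it parses Event Viewer copies of this layout, groups the events per account within a time window, and reports the most specific verdict. The sample events are constructed after the ones quoted above (same user, hosts and times), the NTSTATUS names are the standard ntstatus.h values, and the 5-second window is an assumption.

```python
"""Correlate the traces one failed PPTP/MS-CHAPv2 logon leaves on the ISA
firewall (Security 529, RemoteAccess 20189) and on the DC (Security 680)
and recover the real NTSTATUS from the 680's Error Code.  Added example,
not code from the thread or from Microsoft; samples are constructed after
the events quoted above and the 5 s window is an assumption."""
from __future__ import annotations
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

NTSTATUS = {  # logon-failure codes from ntstatus.h
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC0000071: "STATUS_PASSWORD_EXPIRED",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}
# 'Key: Value' with a short letters-only key; RemoteAccess prose never matches.
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ]{0,30}):\s*(.*)$")
USER_RE = re.compile(r"The user (\S+) (?:has )?connected")


@dataclass
class Event:
    source: str
    event_id: int
    when: datetime
    computer: str
    fields: dict
    description: str


def parse_event(text: str) -> Event:
    """Event Viewer copy (2000/2003 layout, ISO date) -> fields + prose."""
    fields, prose = {}, []
    for line in text.strip().splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            fields[m.group(1)] = m.group(2)
        else:
            prose.append(line.strip())
    when = datetime.strptime(f"{fields['Date']} {fields['Time']}", "%Y-%m-%d %H:%M:%S")
    return Event(fields["Event Source"], int(fields["Event ID"]), when,
                 fields["Computer"], fields, " ".join(prose))


def account_of(ev: Event) -> str | None:
    """Account the event concerns, lower-cased, without DOMAIN\\ prefix."""
    for key in ("User Name", "Logon account"):
        if ev.fields.get(key):
            return ev.fields[key].rsplit("\\", 1)[-1].lower()
    m = USER_RE.search(ev.description)
    return m.group(1).rsplit("\\", 1)[-1].lower() if m else None


def verdict(ev: Event) -> str:
    """What this single event actually establishes."""
    if ev.source == "Security" and ev.event_id == 680:
        code = int(ev.fields["Error Code"], 16)
        return NTSTATUS.get(code, f"unknown NTSTATUS 0x{code:08X}")
    if ev.source == "Security" and ev.event_id == 529:
        # 529 folds no-such-user and wrong-password into one reason by design.
        return "ambiguous (529 reason text)"
    if ev.source == "RemoteAccess" and ev.event_id in (20014, 20189):
        return f"RemoteAccess {ev.event_id}: line dropped after auth failure"
    return "not a logon-failure event"


def correlate(events, window=timedelta(seconds=5)) -> dict:
    """Per account, runs of events no more than `window` apart.
    Assumes host clocks agree to within `window`; skew splits a run."""
    runs = defaultdict(list)  # account -> [[Event, ...], ...]
    for ev in sorted(events, key=lambda e: e.when):
        acct = account_of(ev)
        if acct is None:
            continue
        if runs[acct] and ev.when - runs[acct][-1][-1].when <= window:
            runs[acct][-1].append(ev)
        else:
            runs[acct].append([ev])
    return dict(runs)


def diagnose(run) -> str:
    """Prefer the DC's NTSTATUS over the ISA box's ambiguous 529 text."""
    vs = [verdict(ev) for ev in run]
    precise = [v for v in vs if v.startswith(("STATUS_", "unknown NTSTATUS"))]
    return precise[0] if precise else (vs[0] if vs else "no events")


# Constructed samples, modelled on the three events quoted in the post above.
SAMPLE_EVENTS = [
    "Event Type: Failure Audit\nEvent Source: Security\nEvent Category: Account Logon\n"
    "Event ID: 680\nDate: 2004-07-23\nTime: 23:49:16\nUser: NT AUTHORITY\\SYSTEM\n"
    "Computer: DC2\nDescription:\nLogon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0\n"
    "Logon account: myUser\nSource Workstation:\nError Code: 0xC000006A",
    "Event Type: Failure Audit\nEvent Source: Security\nEvent Category: Logon/Logoff\n"
    "Event ID: 529\nDate: 2004-07-23\nTime: 23:49:17\nUser: NT AUTHORITY\\SYSTEM\n"
    "Computer: GW-ISA0\nDescription:\nLogon Failure:\n"
    "Reason: Unknown user name or bad password\nUser Name: myUser\nDomain: MYDOMAIN\n"
    "Logon Type: 3\nLogon Process: IAS\nCaller User Name: GW-ISA0$",
    "Event Type: Warning\nEvent Source: RemoteAccess\nEvent Category: None\n"
    "Event ID: 20189\nDate: 2004-07-23\nTime: 23:49:17\nUser: N/A\nComputer: GW-ISA0\n"
    "Description:\nThe user myUser connected from x.x.x.x but failed an authentication "
    "attempt due to the following reason: Authentication was not successful because "
    "an unknown user name or incorrect password was used.",
]


def diagnose_samples() -> dict:
    """Run the correlation over the constructed samples."""
    runs = correlate(parse_event(t) for t in SAMPLE_EVENTS)
    return {acct: [diagnose(r) for r in rs] for acct, rs in runs.items()}
```

Run against the samples it reports STATUS_WRONG_PASSWORD for myuser, which is the answer the 529 alone cannot give. On a real box the same grouping also separates a single user's mistyped password from a burst of STATUS_NO_SUCH_USER across many names, which is what a password-spray against the PPTP listener looks like in these logs.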
RE: VPN and authentication over PPTP - 25.Jul.2004 4:28:00 PM   
tshinder
Hi Rob,

It looks like VPN-Q is enabled. Is that right?

Also, don't limit VPN access to any specific firewall group -- let all users who can authenticate access.

HTH,
Tom

Post #: 20