RE: VPN and authentication over PPTP
RE: VPN and authentication over PPTP - 25.Jul.2004 10:07:00 PM
roblof
Posts: 10
Joined: 24.Jul.2004
Status: offline
Hi Tom,
I'm not aware of what 'vpn-q' is. I have used ISA's configuration 'wizards' for this setup.
I've tried searching isaserver.org for this topic but without success, while googling revealed that you have had an issue with this feature and were going to document it later. No such document has however been found by me.
I have had recurring problems with the search feature on isaserver.org, but googling gives me links to the topics on this site. What are the limitations of this site's search tool?
Could you please provide me with 'dummy' instructions for allowing all users who can authenticate to access the VPN.
Regds, /--Rob
RE: VPN and authentication over PPTP - 25.Jul.2004 10:12:00 PM
roblof
Posts: 10
Joined: 24.Jul.2004
Status: offline
Hmmm, forget about my search question!
I just found out that this site carries 2 search utilities; one for the site and one for the messageboard.
Somewhat confusing...
/--Rob
RE: VPN and authentication over PPTP - 25.Jul.2004 10:48:00 PM
roblof
Posts: 10
Joined: 24.Jul.2004
Status: offline
Hi Tom,
If vpn-q is quarantine, then it's disabled.
/--Rob
RE: VPN and authentication over PPTP - 26.Jul.2004 7:26:00 AM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Rob,
I'd recommend that you crater the box and use the guidelines in the VPN kit over at www.msfirewall.org/isa2004kits.htm
Some of the screenshots are outdated, but the procedures are basically the same.
HTH, Tom
RE: VPN and authentication over PPTP - 3.Aug.2004 4:07:00 PM
manus
Posts: 4
Joined: 22.Aug.2002
From: FRANCE
Status: offline
I have the same problem with ISA 2000 SP2. Any solution?
RE: VPN and authentication over PPTP - 7.Feb.2005 7:23:00 PM
ramship
Posts: 10
Joined: 13.Feb.2002
Status: offline
Can you tell me what the solution was to the issue discussed here?
http://support.microsoft.com/kb/191854/EN-US/
I have the exact same message on Windows 2003 O/S, ISA 2004 Standard Edition, ISA Server in domain, regular Windows/AD authentication.
RE: VPN and authentication over PPTP - 8.Feb.2005 1:32:00 AM
andfirth
Posts: 83
Joined: 19.Feb.2004
From: Netherlands
Status: offline
Hi Thomas, I have exactly the same problem. I opened a topic on this problem before, but it seems that more people are having this problem. I tried many setups: with RADIUS, without RADIUS, with local users, domain users. When I set up a local VPN server with a local client (not on an ISA) on a DC everything works fine, authentication works fine, but not in combination with ISA Server from outside. Is this an authentication bug Microsoft is not aware of, or are we too stupid to see the solution? It seems that it uses the guest account to log in, but I am not using the guest account because it's disabled; in the log you can see that it is connecting to the SAM database. Do you understand what goes wrong? Please let me know.
[1332] 02-02 02:55:07:915: Setting LM Authentication allowed to FALSE.
[1332] 02-02 02:55:07:915: Initializing LSA/SAM sub-system.
[1332] 02-02 02:55:07:915: Local server: \\HORUS
[1332] 02-02 02:55:07:925: Local account domain: HORUS
[1332] 02-02 02:55:07:925: Product Type: Server
[1332] 02-02 02:55:07:925: Registry override:
[1332] 02-02 02:55:07:925: Role: Domain member
[1332] 02-02 02:55:07:925: Primary domain: HIMALAYA
[1332] 02-02 02:55:07:925: Dns Domain name: breda.nwb
[1332] 02-02 02:55:07:925: Default domain: HIMALAYA
[1332] 02-02 02:55:07:935: Connecting to SAM server on \\anoebis.breda.nwb.
[1332] 02-02 02:55:08:035: Guest account: HIMALAYA\Guest
[1332] 02-02 02:55:08:035: LSA/SAM sub-system initialized successfully.
[1332] 02-02 02:55:08:165: The registry value User Identity Attribute does not exist. Using default 1
[1332] 02-02 02:55:08:165: The registry value Override User-Name does not exist. Using default 0
[1332] 02-02 02:55:08:165: User identity attribute: 1
[1332] 02-02 02:55:08:165: Override User-Name: FALSE
[1332] 02-02 02:55:08:165: Default user identity: <Guest>
[1332] 02-02 02:55:08:165: Loading ExtensionDLLs
[1332] 02-02 02:55:08:175: RegQueryValueExW for ExtensionDLLs failed with error 2.
[1332] 02-02 02:55:08:205: Loading AuthorizationDLLs
[1332] 02-02 02:55:08:205: Loading extension C:\Program Files\Microsoft ISA Server\vpnplgin.dll
[1964] 02-02 02:56:09:795: Invoking AuthorizationDLLs
[1964] 02-02 02:56:09:795: Invoking extension vpnplgin.dll
[1964] 02-02 02:56:09:795: RadiusExtensionProcess2 returned 0
[1960] 02-02 02:56:24:983: Invoking AuthorizationDLLs
[1960] 02-02 02:56:24:983: Invoking extension vpnplgin.dll
[1960] 02-02 02:56:24:983: RadiusExtensionProcess2 returned 0
[1964] 02-02 02:56:39:630: Invoking AuthorizationDLLs
[1964] 02-02 02:56:39:630: Invoking extension vpnplgin.dll
[1964] 02-02 02:56:39:630: RadiusExtensionProcess2 returned 0
[ February 08, 2005, 01:36 AM: Message edited by: Andrew27863 ]
RE: VPN and authentication over PPTP - 8.Feb.2005 2:00:00 AM
ClintD
Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
Andrew27863
The logs show that the ISA component is processing the request - we need the logs from the RADIUS server to see where this is failing.
These entries...
[1964] 02-02 02:56:09:795: Invoking extension vpnplgin.dll
[1964] 02-02 02:56:09:795: RadiusExtensionProcess2 returned 0
[1960] 02-02 02:56:24:983: Invoking AuthorizationDLLs
[1960] 02-02 02:56:24:983: Invoking extension vpnplgin.dll
[1960] 02-02 02:56:24:983: RadiusExtensionProcess2 returned 0
[1964] 02-02 02:56:39:630: Invoking AuthorizationDLLs
[1964] 02-02 02:56:39:630: Invoking extension vpnplgin.dll
[1964] 02-02 02:56:39:630: RadiusExtensionProcess2 returned 0
Anytime you have a "0" return code or response, it means the request was processed normally.
C:\>net helpmsg 0
The operation completed successfully.
RE: VPN and authentication over PPTP - 8.Feb.2005 2:05:00 AM
ClintD
Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
roblof - on the domain controller, can you check the registry key for LMCompatibilityLevel?
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA - LMCompatibilityLevel
If you applied any security templates on the DC, it can affect whether or not the DC will authenticate the MS-CHAPv2 request. For example, if you set this to 5, then the DC will not accept any requests that use NTLM authentication requests - MS-CHAP and MS-CHAPv2 both use NTLM to hash the password and the DC would deny this hash when ISA/RRAS passed the request up to the DC.
If this doesn't pan out, can you change the ISA config to allow PAP and change the client VPN connection to use PAP and see if you can authenticate successfully this way? [ February 08, 2005, 02:06 AM: Message edited by: ClintD ]
RE: VPN and authentication over PPTP - 8.Feb.2005 1:38:00 PM
andfirth
Posts: 83
Joined: 19.Feb.2004
From: Netherlands
Status: offline
OK Clint, do you mean the iasrad.log? Here is what I have:
[212] 02-08 02:12:11:214: In correct authenticator in the accounting packet...
[212] 02-08 02:12:11:214: Silently discarding packet received from:192.168.16.3
[3500] 02-08 02:12:16:224: In correct authenticator in the accounting packet...
[3500] 02-08 02:12:16:224: Silently discarding packet received from:192.168.16.3
[3500] 02-08 02:12:21:245: In correct authenticator in the accounting packet...
[3500] 02-08 02:12:21:245: Silently discarding packet received from:192.168.16.3
[212] 02-08 02:17:18:226: In correct authenticator in the accounting packet...
[212] 02-08 02:17:18:226: Silently discarding packet received from:192.168.16.3
[212] 02-08 02:17:23:256: In correct authenticator in the accounting packet...
[212] 02-08 02:17:23:256: Silently discarding packet received from:192.168.16.3
[212] 02-08 02:17:28:276: In correct authenticator in the accounting packet...
[212] 02-08 02:17:28:276: Silently discarding packet received from:192.168.16.3
[212] 02-08 02:18:04:360: Resolved Client:192.168.16.3, to IP address:3232239619l
[212] 02-08 02:18:12:191: Resolved Client:192.168.16.3, to IP address:3232239619l
[264] 02-08 02:20:19:121: In correct authenticator in the accounting packet...
[264] 02-08 02:20:19:121: Silently discarding packet received from:192.168.16.3
[212] 02-08 02:20:24:141: In correct authenticator in the accounting packet...
[212] 02-08 02:20:24:141: Silently discarding packet received from:192.168.16.3
[212] 02-08 02:20:29:161: In correct authenticator in the accounting packet...
[212] 02-08 02:20:29:161: Silently discarding packet received from:192.168.16.3
[212] 02-08 02:21:00:293: Resolved Client:192.168.16.3, to IP address:3232239619l
[212] 02-08 02:21:21:958: Resolved Client:192.168.16.3, to IP address:3232239619l
[212] 02-08 02:22:22:807: Resolved Client:192.168.16.3, to IP address:3232239619l
[212] 02-08 02:22:29:583: Resolved Client:192.168.16.3, to IP address:3232239619l
[212] 02-08 02:23:10:715: Resolved Client:192.168.16.3, to IP address:3232239619l
It seems there is an incorrect authenticator in the packet, so the packet will be discarded. But what does this mean, and where can I look to change something?
andy [ February 08, 2005, 02:22 PM: Message edited by: Andrew27863 ]
RE: VPN and authentication over PPTP - 8.Feb.2005 3:06:00 PM
ClintD
Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
Either the shared secret is incorrect or the "Message Authenticator" attribute isn't enabled on the RADIUS client connection object in the IAS console.
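As an added illustration of Clint's point (example code written for this page, not from the thread or from IAS/ISA), the following Python shows how a RADIUS server validates the Request Authenticator of an Accounting-Request per RFC 2866 and why a shared-secret mismatch between ISA/RRAS and IAS produces the "incorrect authenticator ... silently discarding" lines seen in the iasrad.log above. The NAS address, user name and secrets are constructed values.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4  # RADIUS Code value for Accounting-Request (RFC 2866)
USER_NAME, NAS_IP_ADDRESS, ACCT_STATUS_TYPE = 1, 4, 40  # attribute type numbers
ACCT_START = 1  # Acct-Status-Type value "Start"


def encode_attributes(attributes):
    """Encode (type, value) pairs as RADIUS TLVs: 1-byte type, 1-byte total length."""
    return b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attributes)


def build_accounting_request(identifier, attributes, secret):
    """Build an Accounting-Request as the NAS (ISA/RRAS) would with its secret.
    RFC 2866 section 3: Request Authenticator =
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    attrs = encode_attributes(attributes)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_accounting_request(packet, secret):
    """Recompute the authenticator with the server's copy of the shared secret."""
    if len(packet) < 20 or packet[0] != ACCOUNTING_REQUEST:
        return False
    header, received, attrs = packet[:4], packet[4:20], packet[20:]
    if struct.unpack("!H", header[2:4])[0] != len(packet):
        return False  # length field does not match what was received
    expected = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return hmac.compare_digest(received, expected)  # constant-time compare


def server_decision(packet, server_secret, client_ip):
    """Mirror the two outcomes an IAS-style server logs: accept, or silently drop."""
    if verify_accounting_request(packet, server_secret):
        return f"Accounting-Request from {client_ip} accepted"
    return ("Incorrect authenticator in the accounting packet... "
            f"Silently discarding packet received from:{client_ip}")


# Constructed sample from NAS 192.168.16.3 (the client address in the thread's log)
SAMPLE_ATTRIBUTES = [
    (USER_NAME, b"vpnuser"),  # constructed user name
    (NAS_IP_ADDRESS, bytes([192, 168, 16, 3])),
    (ACCT_STATUS_TYPE, struct.pack("!I", ACCT_START)),
]
NAS_SECRET = b"correct-horse"  # constructed secret configured on the NAS side
GOOD_PACKET = build_accounting_request(7, SAMPLE_ATTRIBUTES, NAS_SECRET)

if __name__ == "__main__":
    print(server_decision(GOOD_PACKET, NAS_SECRET, "192.168.16.3"))
    print(server_decision(GOOD_PACKET, b"correct-horse-typo", "192.168.16.3"))
```

The second call reproduces the discard: the server cannot tell a mistyped secret from a forged packet, so it logs and drops without replying, which is why nothing appears in the Accept/Reject logs.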
RE: VPN and authentication over PPTP - 8.Feb.2005 3:47:00 PM
andfirth
Posts: 83
Joined: 19.Feb.2004
From: Netherlands
Status: offline
OK Clint, I checked that already, it was fine, but I deleted the RADIUS client and set it up again with a shared secret that is the same as in the RADIUS configuration option. Now the log is different, but it was not the key to the solution, still the same problem. It looks like it is not a setup or configuration problem, but more a permanent bug in the authentication part. I'm wondering if somebody on isaserver.org has it working. If you look every time in the direction of misconfiguration and you check all the steps, then you come to a point where there is nothing to configure anymore. But I refuse to give it up, because it is ridiculous that Microsoft brings a product on the market and this part is not working, I can't imagine.
[1676] 02-08 14:42:40:986: Worker thread active:2
[1676] 02-08 14:42:41:036: Worker thread active:2
[264] 02-08 14:42:41:076: Worker Thread exiting as packet processing is not enabled
[208] 02-08 14:42:41:076: Worker Thread exiting as packet processing is not enabled
[1676] 02-08 14:42:41:086: Radius component suspended.
[1676] 02-08 14:42:41:086: Shutting down Radius Component...
[1676] 02-08 14:42:41:666: Radius component shutdown completed
[1704] 02-08 14:45:22:765: Initializing Radius component....
[1704] 02-08 14:45:22:845: Radius component initialized.
[1704] 02-08 14:45:22:845: Suspending Radius component...
[1704] 02-08 14:45:22:845: Worker thread active:2
[220] 02-08 14:45:22:855: Resolved Client:192.168.16.3, to IP address:3232239619l
[220] 02-08 14:45:22:855: Worker Thread exiting as packet processing is not enabled
[220] 02-08 14:45:22:855: Worker Thread exiting as packet processing is not enabled
[1704] 02-08 14:45:22:895: Radius component suspended.
[1704] 02-08 14:45:23:065: Resuming Radius component...
[1704] 02-08 14:45:23:065: RADIUS Server starting to listen on 0.0.0.0:1812
[1704] 02-08 14:45:23:075: RADIUS Server starting to listen on 0.0.0.0:1645
[1704] 02-08 14:45:23:075: RADIUS Server starting to listen on 0.0.0.0:1813
[1704] 02-08 14:45:23:075: RADIUS Server starting to listen on 0.0.0.0:1646
[1704] 02-08 14:45:23:075: Radius componend resumed.
[1704] 02-08 14:54:08:205: Suspending Radius component...
[1704] 02-08 14:54:08:205: Worker thread active:2
[1704] 02-08 14:54:08:255: Worker thread active:2
[1704] 02-08 14:54:08:305: Worker thread active:2
[1704] 02-08 14:54:08:355: Worker thread active:2
[1704] 02-08 14:54:08:405: Worker thread active:2
[248] 02-08 14:54:08:436: Worker Thread exiting as packet processing is not enabled
[252] 02-08 14:54:08:456: Worker Thread exiting as packet processing is not enabled
[1704] 02-08 14:54:08:466: Radius component suspended.
[1704] 02-08 14:54:08:466: Shutting down Radius Component...
[1704] 02-08 14:54:08:486: Radius component shutdown completed
[220] 02-08 15:13:39:411: Resolved Client:192.168.16.3, to IP address:3232239619l
[1736] 02-08 15:13:39:411: Initializing Radius component....
[1736] 02-08 15:13:39:411: Radius component initialized.
[1736] 02-08 15:13:39:411: Suspending Radius component...
[220] 02-08 15:13:39:411: Worker Thread exiting as packet processing is not enabled
[220] 02-08 15:13:39:411: Worker Thread exiting as packet processing is not enabled
[1736] 02-08 15:13:39:411: Radius component suspended.
[1736] 02-08 15:13:39:541: Resuming Radius component...
[1736] 02-08 15:13:39:541: RADIUS Server starting to listen on 0.0.0.0:1812
[1736] 02-08 15:13:39:551: RADIUS Server starting to listen on 0.0.0.0:1645
[1736] 02-08 15:13:39:551: RADIUS Server starting to listen on 0.0.0.0:1813
[1736] 02-08 15:13:39:551: RADIUS Server starting to listen on 0.0.0.0:1646
[1736] 02-08 15:13:39:551: Radius componend resumed.
[3676] 02-08 15:37:19:174: Resolved Client:192.168.16.3, to IP address:3232239619l
[3676] 02-08 15:38:05:866: Resolved Client:192.168.16.3, to IP address:3232239619l
[3676] 02-08 15:39:15:954: Resolved Client:192.168.16.3, to IP address:3232239619l
RE: VPN and authentication over PPTP - 8.Feb.2005 4:20:00 PM
ClintD
Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
If it's a bug in the product, it's a bug that a lot of people haven't encountered - I work in Microsoft's Product Support Services and I have this working in my lab at work and I've walked numerous customers through this setup and it works fine.
Is there anything in the IASSAM log on the RADIUS Server now that the request appears to be processed by the RADIUS Server?
Can you use RASDIAG on the RADIUS Server to capture this problem?
Install the WinXP SP2 Support Tools from here on the RADIUS Server.
When you run RASDIAG, it will launch a command shell and echo that it is preparing Windows XP for RAS diagnostics. After a small delay, the command shell will echo that it is ready for you to reproduce your issue - leave the command shell open for now.
Attempt to connect and after you receive the error, go back to the RASDIAG command shell and press the space bar. This will generate a <timestamp>.RDG file that I'd like for you to send to me.
If you'd like to see the contents of this file, place RASDIAG and the RDG file in the same directory and drag the RDG file onto the RASDIAG.EXE utility - it'll extract and give you network captures from all interfaces on the system and also a RASDIAG.TXT that has the contents of all RAS related logging available on the respective OS.
Please send it to clintdenham at charter dot net [ February 08, 2005, 04:25 PM: Message edited by: ClintD ]
RE: VPN and authentication over PPTP - 8.Feb.2005 7:07:00 PM
andfirth
Posts: 83
Joined: 19.Feb.2004
From: Netherlands
Status: offline
Thanks Clint for the help, so you are working at the source. I was already thinking that it was not a bug, but if you try so many things you are going to believe it. Anyway, thanks for your help so far; I'll send you the rasdiag.rdg file right away. I will hear from you soon I hope. Andy
RE: VPN and authentication over PPTP - 2.Mar.2005 6:06:00 PM
haz87
Posts: 12
Joined: 2.Mar.2005
From: UK
Status: offline
Hi All,
Not sure if this will work for everyone, but I had the same problem, with VPN connections denied and "failed to authenticate on port VPN..." errors in the eventlog, but stumbled over a simple solution.
The problem seems to be between ISA2004 and RRAS.
To get it working, I had to:
- In ISA server, alter the number of connections allowed, say from 5 to 10.
- Click apply and accept the message about the system now requiring a reboot.
- Reset the number of connections to the original number required.
- Click apply and accept the message about the system now requiring a reboot.
- Reboot the server.
- VPN now works!
This problem has usually occurred when restoring an entire config backup from one ISA2004 to another.
RE: VPN and authentication over PPTP - 4.Mar.2005 2:13:00 AM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Haz,
Nice tip! Thanks! Tom
RE: VPN and authentication over PPTP - 7.Mar.2005 4:45:00 PM
Guest
[QUOTE]If you applied any security templates on the DC, it can affect whether or not the DC will authenticate the MS-CHAPv2 request. For example, if you set this to 5, then the DC will not accept any requests that use NTLM authentication requests - MS-CHAP and MS-CHAPv2 both use NTLM to hash the password and the DC would deny this hash when ISA/RRAS passed the request up to the DC.[/QUOTE]
I've been wrestling with this for a few days now myself and this was it. We had enabled the Enterprise Client policy on the ISA server (taken from the Windows 2003 hardening guides) which set the NTLM auth level to "Send NTLMv2 Response only\refuse LM" while our domain controllers were set to "Send NTLM Response only". I cleared this up by using RADIUS instead.
RE: VPN and authentication over PPTP - 8.Mar.2005 3:00:00 AM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi TJ,
Good one!
Thanks! Tom