We run Cisco VPN and AD and have not seen this issue.
However we did have to update the Cisco IOS to the correct version that
likes RADIUS/IAS and understands MS-CHAPv2. (Can't remember the version -
but if needed I can look it up).
Questions:
1. What is the authentication mechanism set to on the concentrator? (e.g. RADIUS or NT domain)
2. Are you using Microsoft IAS with the concentrator?
3. How are you controlling the dial-in privileges on the user object? Is it by GPO, individually on the user object, and/or by the remote access policy in IAS?
4. If the concentrator is set to NT Domain, is the complexity type or password length different between the working and non-working accounts?
5. If the concentrator is using RADIUS and IAS, have you looked at the IAS logs? If so, do the authentication attempts show up?
-Stuart Fuller
State of Montana
From: Wright, T. MR [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 04, 2003 10:52 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Possibly OT: Cisco VPN and AD
We have an issue with our VPN concentrator. It seems that it allows some AD users to
authenticate, while others cannot. We can find no pattern to explain why
the users that are able to authenticate are allowed to do so and why the users
that can't authenticate cannot. An example is that I have two domain
admin accounts, one that is a service account and one that belongs to me. I am
able to authenticate using the service account but not my own account. They are
in the same OU, they have permissions to the same groups, etc. The only
thing I see in the event logs upon an authentication failure is a generic
EventID 675 with Pre-authentication failed, with Failure Code 0x18, which
translates to a bad password, but I know this is not the case since I use my
admin account to log on to other resources, etc.
Our network guys have been in contact with TAC and they don't seem to
have a clear answer either. They feel it is something in our GPO.
The thing is, our GPO settings are not rocket science. Right now we are
basically just enforcing complex passwords, etc., and we're not doing much outside
of that. I was hoping that someone might have had these issues before
and could provide some insight.
Thanks,
-Tim
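As an added example (not part of the thread above), a small Python script that decodes the Failure Code in Event ID 675 records and groups the failures by account and client address, so a working account and a failing one can be compared side by side. The log lines, account names and the 10.1.2.3 concentrator address are constructed for the example; the one-line-per-event layout is an assumption about how the Security log was exported.

```python
import re
from collections import Counter, defaultdict

# Kerberos error codes shown in the Failure Code field of Event ID 675 (RFC 4120 7.5.9).
KRB_ERRORS = {
    0x06: "KDC_ERR_C_PRINCIPAL_UNKNOWN (account not found)",
    0x0E: "KDC_ERR_ETYPE_NOSUPP (no mutually supported encryption type)",
    0x12: "KDC_ERR_CLIENT_REVOKED (disabled, locked out or outside logon hours)",
    0x17: "KDC_ERR_KEY_EXPIRED (password expired)",
    0x18: "KDC_ERR_PREAUTH_FAILED (bad password or wrong pre-authentication data)",
    0x19: "KDC_ERR_PREAUTH_REQUIRED (client sent no pre-authentication)",
}

# Constructed sample export, one event per line (real 675 events span several lines,
# so adjust LINE_RE to your export). 10.1.2.3 stands in for the VPN concentrator.
SAMPLE_LOG = """\
EventID: 675 User Name: svc_vpn Client Address: 10.1.2.3 Failure Code: 0x18
EventID: 675 User Name: twright Client Address: 10.1.2.3 Failure Code: 0x18
EventID: 675 User Name: twright Client Address: 10.1.2.3 Failure Code: 0x18
EventID: 675 User Name: twright Client Address: 10.1.2.3 Failure Code: 0x18
EventID: 675 User Name: jdoe Client Address: 10.1.2.9 Failure Code: 0x17
EventID: 672 User Name: svc_vpn Client Address: 10.1.2.3
EventID: 675 User Name: twright Client Address: 192.0.2.50 Failure Code: 0x18
"""

LINE_RE = re.compile(
    r"EventID:\s*(?P<event>\d+)\s+User Name:\s*(?P<user>\S+)\s+Client Address:\s*"
    r"(?P<addr>\S+)(?:\s+Failure Code:\s*(?P<code>0x[0-9A-Fa-f]+))?"
)

def describe(code):
    return KRB_ERRORS.get(code, f"unknown Kerberos error {code:#04x}")

def parse_preauth_failures(text):
    """Map user -> Counter of (client address, failure code) over Event ID 675 lines."""
    failures = defaultdict(Counter)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("event") != "675" or m.group("code") is None:
            continue  # not a pre-auth failure (e.g. a 672 success) or unparseable
        failures[m.group("user")][(m.group("addr"), int(m.group("code"), 16))] += 1
    return failures

def repeated_failures(failures, code=0x18, threshold=3):
    """(user, address, count) with at least `threshold` failures of `code` from one
    address, most frequent first. Repeated 0x18 from the concentrator for an account
    that logs on fine elsewhere points at the device's auth path, not the password."""
    hits = [(user, addr, n) for user, ctr in failures.items()
            for (addr, c), n in ctr.items() if c == code and n >= threshold]
    return sorted(hits, key=lambda t: (-t[2], t[0]))
```

Run against an export of the domain controllers' Security logs, the output lists which accounts keep failing pre-authentication from the concentrator, which is the comparison Stuart's question 4 asks for.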
