Enabling SSH on Cisco gear seems easy enough. However, I can't find any good information on integrating MS' IAS. Have any of you done this before or know a good source of information on this subject?
aaa new-model
!
radius-server host 10.1.1.1 auth-port 1812 acct-port 1813 key Radius-Key
radius-server host 10.2.2.2 auth-port 1812 acct-port 1813 key Radius-Key
!
aaa group server radius Radius-Servers
server 10.1.1.1 auth-port 1812 acct-port 1813
server 10.2.2.2 auth-port 1812 acct-port 1813
!
aaa authentication login default group Radius-Servers local line
aaa authentication enable default group Radius-Servers enable
aaa authentication dot1x default group Radius-Servers
aaa authorization exec default group Radius-Servers if-authenticated
aaa authorization network default group Radius-Servers
aaa accounting dot1x default start-stop group Radius-Servers
aaa accounting exec default start-stop group Radius-Servers
enable secret enable-secret
!
username admin password local-account
!
line vty 0 4
 login authentication default
!The line above doesn't appear in the running config (it is the implicit default) but is here to show the VTY lines use the 'default' method list above
On the IAS Server you need to add each of the Radius Clients (all your Cisco devices you want to control login via Radius...). Set the authentication key (above would be Radius-Key) and set the Vendor to Cisco. This can take quite a while if you have lots of devices you want to protect. On 2003 Enterprise Server you can add a range of devices with a subnet - 172.16.0.0/16 would mean all devices with addresses beginning 172.16.x.x. This isn't available on 2003 Standard or Windows 2000.
You then have to create a Remote Access Policy - the default one will work but I like to be more granular as you can use IAS to authenticate 802.1x Wireless (and Wired) clients as well and you would want a different policy for them. I currently have a 'Cisco Terminal Access' policy that checks for membership of a Windows Group (I have added a Cisco Terminal Access Group and made the users I allow access to the routers members of it) and also checks the 'NAS-Port-Type' of either 'Async (Modem)' or 'Virtual (VPN)'. Async is what IOS sends when you access a console or direct terminal and Virtual is sent when you telnet or SSH. The profile allows only PAP/CHAP Authentication as this is what is sent from the IOS device to the Radius Server (again, multiple policies allow you to enable only EAP for other authentications, i.e. Wireless). Under the Advanced Tab I have only one attribute - 'Service-Type' - and this is set to 'Login'.
In addition I have a Wireless Policy that checks against a Windows Group of 'Wireless Users' and a 'NAS-Port-Type' of 'Wireless - IEEE 802.11'. Authentication for this is set to only allow EAP (I have PEAP enabled), and the 'Service-Type' attribute set to 'Framed'.
I have found this works well; the only drawback is the Enable Secret/Password. There is no way you can add an Enable Password to a Windows User Account, so what IOS sends when you attempt to enter enable (level 15 by default) is a user account of '$enab15$'. You can create a User in Active Directory with this username plus a password; you then enter this password when you attempt 'enable'. This leaves one security hole - i.e. you can simply connect to any IOS device with the username '$enab15$' and the password, so if you have a disgruntled employee they can 'mask' their access by not using their own username. I find it works well though, and if you disable a User account because of a potential security risk then you also need to change the $enab15$ account password.
One final thing is you need to enable remote access for each of the clients in active directory.
Sorry, I cut and pasted from a 2950 switch - I have been testing 802.1x EAPoL and this is purely for that. This will not be relevant for anything other than LAN switches (Catalyst 2950 & up).
802.1x was originally for Wireless Ethernet but was quickly adopted for Wired-Ethernet as well.
Okay. Now I've really done it. I was partially done w/ config and lost my session due to answering end-user help requests, errrrr. I'm kinda locked out. I can now access my router remotely using the $enab15$ user passwd. However, I cannot get into enable mode! Dammit. I didn't change the enable password but for some reason I keep getting authentication failures. Flame the end-user! Help? Suggestions?
Reboot it. If you were just configuring it and had not yet saved the config, the start config will not have the changes, so should be fine upon reload.
When attempting to submit the enable passwd I noticed that the first submittal takes quite a while to return the result while the 2nd attempt does not. I was able to get into enable mode finally, but only after failing the first enable password attempt on purpose and then submitting the enable password on the 2nd attempt the router gives you. Seems to me that the router is checking the 1st password submittal w/ the RADIUS server and on the 2nd attempt it looks to its own config?? Very odd, but good to know.
aaa authentication login default group Radius-Servers local line
Means for any line configured with the login 'default' it will try the group 'Radius-Servers'; if this is unsuccessful (i.e. the Server doesn't respond, NOT the server denies the account/password) then try 'local' (users configured globally on the router with 'username admin password cisco'); failing that (i.e. no users are configured), use the 'line' password.
If you simply had a single authenticator listed:
aaa authentication login default group Radius-Servers
Then it would only try that and not fallback to any other authentication method. The additional methods are there as a fallback option in case the Radius server is down.
I had to change one line around. I'm working with a Cisco 3750 running IOS 12.1(14r)EA1a
The problem I ran into was that I could never login as a local user. The Radius authentication would fail and it would never try the local database. I had to rearrange the local and the Radius-Servers to get this to work for either local or radius accounts as demonstrated below.
aaa authentication login default local group Radius-Servers
Was this an oversight on your part or am I doing something wrong? For instance, in your example would local account have been used if there was no answer/reply from the Radius server? Such as both of the Radius servers being down.
Otherwise this has truly been an excellent write-up. Thank you very much. The only thing that would have been nice to add is an explanation of what each line’s function is.
I think you are doing something wrong. The list represents the order that the switch will try to authenticate users. With it configured with 'local' first it will attempt to authenticate against locally configured users before trying the Radius-Servers group. As I said previously, if the Radius Server responds but says the user is not granted access the switch will not attempt the next authentication method. If the Radius Server doesn't respond (i.e. it is shut down or the Radius service isn't started) then it will attempt the next authentication method.
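The fallback rule argued over in the last few posts (a RADIUS reject stops the search, only a non-answer moves to the next method) is easy to get wrong, so here is a small model of IOS method-list evaluation. This is an added example, not code from the thread or from Cisco; the server behaviours, usernames and passwords are constructed, and 'local' is modelled as erroring when the username is not configured, which is what the 3750 poster's reordered list relies on.

```python
from enum import Enum

class Reply(Enum):
    PASS = "pass"    # method authenticated the user
    FAIL = "fail"    # method answered and denied: IOS stops, no fallback
    ERROR = "error"  # method could not answer: IOS tries the next method

def radius_group(servers):
    """'group <name>': first server to answer decides; ERROR only if all time out."""
    def method(user, pw):
        for ask in servers.values():       # servers: {address: callable(user, pw)}
            reply = ask(user, pw)
            if reply is not Reply.ERROR:
                return reply
        return Reply.ERROR
    return method

def local(users):
    """'local': ERROR if the username is not configured, FAIL on a wrong password."""
    def method(user, pw):
        if user not in users:
            return Reply.ERROR
        return Reply.PASS if users[user] == pw else Reply.FAIL
    return method

def line(password):
    """'line': the vty line password, the thread's last-resort method."""
    return lambda user, pw: Reply.PASS if pw == password else Reply.FAIL

def authenticate(method_list, user, pw):
    """method_list: ordered (keyword, method) pairs. Returns (Reply, keyword)."""
    for keyword, method in method_list:
        reply = method(user, pw)
        if reply is not Reply.ERROR:       # PASS or FAIL ends the search
            return reply, keyword
    return Reply.FAIL, "none"              # every method errored: login denied

# Constructed servers: a reachable IAS that only knows 'alice', and one whose
# RADIUS service is stopped and never replies.
def ias_up(user, pw):
    return Reply.PASS if (user, pw) == ("alice", "Alice-Pw") else Reply.FAIL
def ias_down(user, pw):
    return Reply.ERROR

LOCAL_USERS = {"admin": "local-account"}   # username admin password local-account

def thread_list(servers):
    """aaa authentication login default group Radius-Servers local line"""
    return [("group Radius-Servers", radius_group(servers)),
            ("local", local(LOCAL_USERS)), ("line", line("line-pw"))]
```

With both servers reachable, the local admin account is rejected by RADIUS and never reaches 'local'; with both down, the same login succeeds via 'local', which is exactly the difference the two posters were seeing.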
!This turns on Authentication, Authorisation & Accounting
aaa new-model
!
!These 2 lines add the Radius Servers to global config
radius-server host 10.1.1.1 auth-port 1812 acct-port 1813 key Radius-Key
radius-server host 10.2.2.2 auth-port 1812 acct-port 1813 key Radius-Key
!
!This creates a unique group called 'Radius-Servers' that can be referenced by the aaa commands below
aaa group server radius Radius-Servers
server 10.1.1.1 auth-port 1812 acct-port 1813
server 10.2.2.2 auth-port 1812 acct-port 1813
!
!This sets the default login authentication to use the Group 'Radius-Servers' first, if none of the servers respond then it will try any locally configured users, if no users are configured then it will accept the line password
aaa authentication login default group Radius-Servers local line
!This sets the enable secret/password to attempt Radius followed by the local enable password/secret
aaa authentication enable default group Radius-Servers enable
!This is specifically for 802.1x port authentication
aaa authentication dot1x default group Radius-Servers
! exec authorisation is what commands are allowed once a user is logged in
aaa authorization exec default group Radius-Servers if-authenticated
!This is used for the 802.1x stuff on a switch but if you are using this on a router and have PPP users connecting (network access) then this is for that
aaa authorization network default group Radius-Servers
!This makes the switch send start & stop Radius Accounting messages for 802.1x connections to the Radius Servers
aaa accounting dot1x default start-stop group Radius-Servers
!
!This makes the switch send start & stop Radius Accounting messages for exec connections to the Radius Servers
aaa accounting exec default start-stop group Radius-Servers
!This sets the local enable secret
enable secret enable-secret
!
!This creates a local user on the switch to be used as a fallback as above
username admin password local-account
!
!This sets the VTY lines to use the default login authentication method (created above with aaa authentication login default ...)
line vty 0 4
login authentication default
You should see messages logged in the Windows System Event Viewer when users connect, IAS also creates log files in
'%systemroot%\system32\LogFiles\'
What are you seeing in the Windows System Event Viewer? IAS should log all failed events by default; you can enable successful events by opening the IAS MMC, right clicking 'Internet Authentication Service (local)', selecting Properties and making sure 'Rejected' and 'Successful' authentication requests are ticked.
I have just looked at a log file my ISA server saved in '%systemroot%\system32\LogFiles\' and there is a format to it; have a look on Microsoft's website for the exact format. My logfiles are slightly different so it is a bit difficult to compare (I have the logfile set to database compatible).
I just compared it to one of my logs and there doesn't seem to be a policy that it is matching against. After the entry Cisco Router (Serial Int), there are several commas and then a 1. Following the 1 in my log file is the name of the remote access policy - i.e. mine says 'Cisco Terminal Access' as I have a policy called Cisco Terminal Access that matches against a Windows Group and the NAS-Port-Type.
I have a policy that matches group membership and my account is a member of that group. The policy also matches service type (login) and NAS port type (async or virtual). Maybe the service type is throwing it off; I'll remove that and try again.