[vpn-help] VPN not working with Radius and windows 2008

Alexis La Goutte alexis.lagoutte at gmail.com
Thu Mar 28 04:09:11 CDT 2013


Hi,

Have you checked your NPS logs (on your Windows 2008 server)?

On Mon, Mar 25, 2013 at 4:18 PM, Vipan Kapur <v.kapur at ibtimes.com> wrote:

> Hello,
>
> I am able to ping the Radius server (Microsoft) from the firewall and able
> to ping the firewall from the Radius server.  When I try to connect using an
> AD account, I get the following on the firewall.
>
> 2013-03-25 11:05:15     info    IKE 198.228.194.124: XAuth login failed for gateway GW-DIALUP-VPN, username r.neal, retry: 0, timeout: 0.
> 2013-03-25 11:05:15     warn    Primary 10.50.100.12, backup1 , and backup2 servers failed.
> 2013-03-25 11:05:15     warn    Active Server Switchover: New requests for Microsoft server will try Primary from now on.
> 2013-03-25 11:05:15     warn    Active Server Switchover: New requests for Microsoft server will try Backup2 from now on.
> 2013-03-25 11:05:14     warn    Active Server Switchover: New requests for Microsoft server will try Backup1 from now on.
> 2013-03-25 11:05:12     info    IP address 10.50.101.14 is released from 0026088ff9ed.
> 2013-03-25 11:05:12     info    IP address 10.50.100.71 is assigned to 0026088ff9ed.
> 2013-03-25 11:05:11     info    IP address 10.50.100.71 is assigned to 0026088ff9ed.
> 2013-03-25 11:05:08     info    IP address 10.50.101.14 is assigned to 0026088ff9ed.
> 2013-03-25 11:05:06     warn    Trying primary server 10.50.100.12.
> 2013-03-25 11:05:03     info    Rejected an IKE packet on ethernet0/2 from 198.228.194.124:34633 to 209.66.114.182:4500 with cookies 42a0918ad450522c and 10d48403d7ae665b because A Phase 2 packet arrived while XAuth was still pending.
> 2013-03-25 11:05:03     info    IKE 198.228.194.124 Phase 1: Completed Aggressive mode negotiations with a 28800-second lifetime.
> 2013-03-25 11:05:03     info    IKE 198.228.194.124 Phase 1: Completed for user client.corporate.com.
> 2013-03-25 11:05:03     info    IKE<198.228.194.124> Phase 1: IKE responder has detected NAT in front of the remote device.
> 2013-03-25 11:05:03     info    IKE<198.228.194.124> Phase 1: IKE responder has detected NAT in front of the local device.
> 2013-03-25 11:05:03     info    IKE 198.228.194.124 phase 1:The symmetric crypto key has been generated successfully.
> 2013-03-25 11:05:03     info    IKE 198.228.194.124 Phase 1: Responder starts AGGRESSIVE mode negotiations.
>
> I am attaching my firewall config as well as the Shrew Client config file.
> I hope someone will be able to assist me in resolving the issue.
>
>
>
> -----Original Message-----
> From: vpn-help-bounces at lists.shrew.net
> [mailto:vpn-help-bounces at lists.shrew.net] On Behalf Of Kevin VPN
> Sent: Sunday, March 24, 2013 9:25 PM
> To: vpn-help at lists.shrew.net
> Subject: Re: [vpn-help] VPN not working with Radius and windows 2008
>
> On 02/27/2013 01:11 PM, Vipan Kapur wrote:
> > Hello there!
> >
> > I hope you can help me. I have set up VPN access using the article
> > http://www.shrew.net/support/Howto_Juniper_SSG but I cannot connect
> > using the Radius server.  I can only connect if I create a user
> > account on the firewall, but I don't want to do that for all the users.
> >
> > The firewall shows the following:
> >
> > 2013-02-27 13:04:26   info    IKE 198.228.192.58: XAuth login failed for gateway GW-DIALUP-VPN, username v.kapur, retry: 0, timeout: 0.
> > 2013-02-27 13:04:26   warn    Primary 10.50.100.12, backup1 , and backup2 servers failed.
> > 2013-02-27 13:04:26   warn    Active Server Switchover: New requests for Microsoft server will try Primary from now on.
> > 2013-02-27 13:04:26   warn    Active Server Switchover: New requests for Microsoft server will try Backup2 from now on.
> > 2013-02-27 13:04:25   warn    Active Server Switchover: New requests for Microsoft server will try Backup1 from now on.
> > 2013-02-27 13:04:17   warn    Trying primary server 10.50.100.12.
>
> Hi Vipan,
>
> These messages look to me like your Juniper is unable to contact the RADIUS
> server.  I'm assuming "Microsoft server" is your Windows 2008 RADIUS
> server.
>
> If your device is unable to communicate with the RADIUS server, it obviously
> would be unable to verify credentials that come from that server.
>
> _______________________________________________
> vpn-help mailing list
> vpn-help at lists.shrew.net
> https://lists.shrew.net/mailman/listinfo/vpn-help
>
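
Added example, not part of any message in this thread: a small Python check that applies the reading given in the quoted reply, that the "servers failed" warnings mean the firewall got no answer from the RADIUS server, to the quoted firewall log. The function names, the 30-second window and the `no_radius_reply` / `unclassified` labels are assumptions made for this example.

```python
import re
from datetime import datetime

# Log lines from the 2013-02-27 message quoted in the thread, re-joined onto
# single lines (newest first, as the firewall prints them).
SAMPLE = """\
2013-02-27 13:04:26   info    IKE 198.228.192.58: XAuth login failed for gateway GW-DIALUP-VPN, username v.kapur, retry: 0, timeout: 0.
2013-02-27 13:04:26   warn    Primary 10.50.100.12, backup1 , and backup2 servers failed.
2013-02-27 13:04:26   warn    Active Server Switchover: New requests for Microsoft server will try Primary from now on.
2013-02-27 13:04:26   warn    Active Server Switchover: New requests for Microsoft server will try Backup2 from now on.
2013-02-27 13:04:25   warn    Active Server Switchover: New requests for Microsoft server will try Backup1 from now on.
2013-02-27 13:04:17   warn    Trying primary server 10.50.100.12.
"""

LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\w+)\s+(.*)$")
XAUTH = re.compile(r"XAuth login failed for gateway (\S+), username (\S+?),")
TRY = re.compile(r"Trying primary server (\S+?)\.$")

def parse(text):
    """Return (timestamp, level, message) tuples, oldest first."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3)))
    return sorted(events, key=lambda e: e[0])

def classify_xauth_failures(text, window=30):
    # Assumption (the reading given in the thread): an "all servers failed"
    # warning within `window` seconds before the failure means no RADIUS reply.
    events = parse(text)
    out = []
    for ts, _, msg in events:
        hit = XAUTH.search(msg)
        if not hit:
            continue
        near = [(t, s) for t, _, s in events
                if 0 <= (ts - t).total_seconds() <= window]
        tries = [(t, TRY.search(s).group(1)) for t, s in near if TRY.search(s)]
        no_reply = any("servers failed" in s for _, s in near)
        out.append({
            "gateway": hit.group(1),
            "user": hit.group(2),
            "cause": "no_radius_reply" if no_reply else "unclassified",
            "server": tries[0][1] if tries else None,
            "waited_s": int((ts - tries[0][0]).total_seconds()) if tries else None,
        })
    return out
```

A `no_radius_reply` result says only that the firewall logged no usable answer; the RADIUS server's own log, which the reply at the top of the thread asks about, shows whether the request arrived at all.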