
Restricted Active Directory Accounts with Cisco VPN 3000 Concentrator 

Let’s pretend the couple of hours spent troubleshooting why an otherwise valid Microsoft Windows Active Directory (2003) account wouldn’t authenticate to a Cisco VPN 3000 Concentrator never happened. The VPN 3000 Concentrator log showed the IKE/167 event below, which only hints at a username or password issue, and there definitely didn’t seem to be any problem with the username (triple-checked) or the password (quadruple-checked).

50243 02/08/2012 20:30:06.790 SEV=4 IKE/167 RPT=627 x.8.110.209 
Group [group] User [user]
Remote peer has failed user authentication -
check configured username and password

The ACS log, checked next, showed that the authentication failed because the Windows workstation was not allowed. That clue led back to scrutinizing the user account in Active Directory once more, after the password had already been reset several times and the lock-out status and “dial-in” permission had been verified. Under the Account tab there is a “Log on to” button that sets computer account restrictions. If it’s set to anything other than the default “All Computers”, XAUTH will not pass and the Cisco VPN client will simply reprompt for the username/password combination.

The solution, if “All Computers” isn’t acceptable, is to create a computer account called CISCO in Active Directory and add it to the user’s “Log on to” restrictions.
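The “Log on to” restriction is stored in the user’s userWorkstations attribute (exposed as LogonWorkstations by the ActiveDirectory PowerShell module), so the fix can be audited and applied in bulk rather than clicking through each account. The script below is an added example, not part of the original post or any Cisco tooling: it assumes the RSAT ActiveDirectory module, rights to modify the affected users, and that CISCO is the computer account name to add (the name the post gives). It lists workstation-restricted users that would still fail XAUTH, creates the CISCO computer account if it is missing, and appends CISCO to each restriction without removing the existing entries, so the least-privilege restriction stays in place.

```powershell
# Added example (not from the original post). Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Computer account name the post says to create and allow (assumption: same name here).
$VpnComputerName = 'CISCO'

function Get-VpnBlockedUsers {
    # Users whose "Log on to" list is non-empty (restricted) and does not include CISCO.
    # userWorkstations is the LDAP attribute; LogonWorkstations is its friendly name.
    Get-ADUser -Filter 'userWorkstations -like "*"' -Properties LogonWorkstations |
        Where-Object {
            $list = @($_.LogonWorkstations -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
            $list -notcontains $VpnComputerName
        }
}

function Add-VpnLogonWorkstation {
    param(
        [Parameter(Mandatory)]
        [Microsoft.ActiveDirectory.Management.ADUser]$User
    )
    # Keep the existing restriction intact and append only the CISCO entry.
    $list = @($User.LogonWorkstations -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    if ($list -contains $VpnComputerName) { return }
    $list += $VpnComputerName
    # LogonWorkstations is written back as a single comma-separated string.
    Set-ADUser -Identity $User -LogonWorkstations ($list -join ',')
}

# 1. Make sure the CISCO computer account exists.
if (-not (Get-ADComputer -Filter "Name -eq '$VpnComputerName'")) {
    New-ADComputer -Name $VpnComputerName
    Write-Host "Created computer account $VpnComputerName"
}

# 2. Report the accounts that would still fail VPN XAUTH, then fix them.
$blocked = @(Get-VpnBlockedUsers)
$blocked | Select-Object SamAccountName, LogonWorkstations | Format-Table -AutoSize
foreach ($u in $blocked) {
    Add-VpnLogonWorkstation -User $u
    Write-Host "Added $VpnComputerName to 'Log on to' list for $($u.SamAccountName)"
}
```

Run the report step alone first (comment out the foreach) to confirm the list matches the users reporting the reprompt symptom; accounts with an empty LogonWorkstations value are not touched, since “All Computers” already lets XAUTH through.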
