Let’s pretend the couple of hours spent troubleshooting why an otherwise valid Microsoft Windows Active Directory (2003) account wouldn’t authenticate to a Cisco VPN 3000 Concentrator never happened. The VPN 3000 Concentrator log showed the IKE/167 event below which only hints to a username or password issue, and it definitely didn’t seem like there should be any issue with the username (triple-checked) nor the password (quadruple-checked).
50243 02/08/2012 20:30:06.790 SEV=4 IKE/167 RPT=627 x.8.110.209 Group [group] User [user] Remote peer has failed user authentication - check configured username and password
Looking at the ACS log next, the failed authentication revealed the Windows workstation was not allowed. This clue lead back to scrutinizing the user account further in Active Directory — after already resetting the password several times, verifying lock-out status, and confirming “dial-in” permission. Under the Account tab, there’s a button for “Log on to” which sets computer account restrictions. If it’s set to the non-default “All Computers”, then the x-auth is not going to pass and the Cisco VPN client will just reprompt for the username/password combination.
The solution is to create a computer account called CISCO in Active Directory and add that to the user’s account “log on to” restrictions if “All Computers” isn’t acceptable.