Network Login Via VPN Problems

Tags:
Active Directory
DHCP
DNS
Microsoft Windows
Networking
Networking services
OS: Windows 2000 server w/AD
VPN: Microsoft VPN client authenticating against firewall
Desktop: Windows XP Pro (have also tried with Windows 2000 Pro)

I have set up a VPN account for a user. The VPN authenticates against the firewall (WatchGuard), then the user needs to login to the network using his network credentials (different from the VPN credentials). This user can connect to the firewall and establish a VPN connection. However, when asked for his network credentials, upon entering them, the network connection is not made. If I login after connecting as the user in question, I am able to successfully login to the network. If I use my VPN credentials, I can login to the network, but cannot log in as the user.

When I look at the firewall logs, the VPN login is captured, but nothing beyond that until the disconnect. I have looked in the Event logs on the AD machines, and do not see the request being denied or even attempted, though the final error message will show saying the user does not have permission to login.

The VPN part is fine. The VPN is able to get others logged in, but not this one user. We have gone over his account several times, and compared it to others who have permission to VPN in. We have found no differences that might account for his being able to login. We are able to login as the user locally, from any workstation in house. We are at a loss as to how to resolve this issue. Any input would be most welcome.

Answer Wiki


Will your VPN server work as a RADIUS client? We are using a PIX as our VPN server. It asks the RADIUS server, (domain controller), to authenticate the user. By doing this we have a single login after which the user can navigate our internal net.
I’m wondering if your multiple logins are causing the problem.
rt

Discuss This Question: 7  Replies

 
  • TylerG
    Not exactly clear on the setup, but have you enabled dial up permission in Active Directory as well as made the user part of a VPN users group? Just a thought.
  • Stevesz
    If the problem were the authentication of the VPN, there might be something to your reasoning. There is no problem authenticating to the tunnel endpoint. The user authenticates to the tunnel endpoint fine. It is when he authenticates, or attempts to authenticate to the network, there is a problem. I can use the VPN account and authenticate to the network myself, and so can another person. None of the other VPN users have reported any problems either. This is why I am leaning toward a permissions problem with AD, but I cannot determine what it may be. His account in AD is setup the same way as the others--there is no VPN group--yet, the login is not accepted. So far as we can tell, it is not out and out rejected either--we could find nothing in the logs that would indicate a problem with his login. At this juncture, I am not even sure it is reaching the AD to login, since he does not get either accepted or flat out rejected. TylerG--we use the Microsoft client for VPN connections. The user fires up the client and it authenticates against the VPN endpoint built into the firewall. Once they have been authenticated there, they need to authenticate against the network. We use the same username, but different passwords for both steps, one password for the VPN, then another for the network login.
  • Smfraser
    All of the previous responses are what I would have asked or checked from what little experience I have. However, here is one more that you should check/try as silly as it may sound: 1) Change the user's password for the VPN portion. The old credentials you originally issued may be the problem. Sounds silly but we have come across that here and let me tell you just a simple change in the pw and bingo, they are in. If that doesn't work, upgrade to the latest VPN client. Good luck! SMF
  • Spadasoe
    Something similar I have run into is trying to pass a passphrase (password that contains spaces) through a VPN connection
  • TylerG
    I agree with the above responses as good troubleshooting steps. If you want to try to isolate this as a password issue you could temporarily set both the VPN and Network passwords to something very short and identical. If it works, you can change one of them and see if it continues to work and vice versa. It's not always possible to do this though, especially depending on who the affected user is and your working environment.
  • Astronomer
    We had something similar with one of our VPN clients. Everything was fine until one day he couldn't get in any more. We changed the password. That didn't help. I verified from our DMZ that I couldn't get in with his account either. I finally disabled remote access rights, saved, enabled remote access rights, and saved again within Active Directory. After this he was able to get in. Several months later I had to do the same thing for him. We have no idea why this only affects him. rt
  • Stevesz
    The problem has been resolved. The moral has been learned. When you want something done, do it yourself. The person checking the firewall setup did not go deep enough into the set up, and I found today, as I was going through all the steps myself, that the user had not been made a member of the PPTP group on the firewall. I am going to converse with the vendor why he was able to authenticate and get the prompt to log into the network when he was not a member of the proper group to do so. My thinking is that he should not have been able to, at least, appear, to authenticate to the firewall, and leave me wondering--and possibly others wondering--where the problem lies after the authentication. A good lesson learned once again (grin). Thanks to all for the suggestions and help. Steve//
