Question : Intermittent authentication failures between CiscoSecure ACS 3.1 and Windows 2003 AD

We have a VPN solution comprising the following :-

*  Cisco VPN3000 concentrator accepting external connections from corporate laptops with Cisco VPN Client with Aladdin e-Tokens.
*  CiscoSecure ACS v3.1 running internally on a Windows 2000 SP4 (patched to Nov 06) member server acting as the authenticating RADIUS server.  Server is also the Certificate Authority.
*  Two Windows 2003 SP1 (patched to Nov 06) domain controllers running in Native mode but not at 2003 functional level, with AD-integrated DNS.

Until 18th December this setup was working perfectly, no failures, all users able to authenticate happily to the network.  Then it suddenly stopped working for the majority of users.  We hadn't implemented any patches or made any configuration changes to any of the servers.  The errors showing in the ACS Radius logs are :-

AUTH 12/20/2006 08:36:21 I 5094 2632     Worker 0 processing message 10.
AUTH 12/20/2006 08:36:21 I 5081 2632 Start RQ1026, client 2 (127.0.0.1)
AUTH 12/20/2006 08:36:21 I 0276 2632 External DB [NTAuthenDLL.dll]: Starting authentication for user [homers]
AUTH 12/20/2006 08:36:21 I 0276 2632 External DB [NTAuthenDLL.dll]: Attempting NT/2000 authentication
AUTH 12/20/2006 08:36:21 I 0276 2632 External DB [NTAuthenDLL.dll]: NT/2000 authentication SUCCESSFUL (by OURDC1)
AUTH 12/20/2006 08:36:21 I 0276 2632 External DB [NTAuthenDLL.dll]: Obtaining RAS information for user homers from OURDC1
AUTH 12/20/2006 08:36:21 E 0276 2632 External DB [NTAuthenDLL.dll]: RasAdminUserGetInfo returned error 0x5
AUTH 12/20/2006 08:36:21 E 0276 2632 External DB [NTAuthenDLL.dll]: Failed to get RAS information for user homers from OURDC1
AUTH 12/20/2006 08:36:21 I 5081 2632 Done RQ1026, client 2, status -1058
AUTH 12/20/2006 08:36:21 I 5094 2632     Worker 0 processing message 11.

It consistently works for some users, but not others.  Their AD accounts have no pattern to them to identify why some are failing, their certificates are all valid, they all have the same GPO profiles and are spread across the OUs.  None have recent password changes or group membership changes.

The ACS services are running under the LocalSystem account. I tried changing this to a domain admin-level account and it fails to authenticate at all. The error above seems to imply there are RAS settings for the user, but looking at AD U&C on a DC, the Dial-In tab for problem users points to Use Group Policy, no RAS policy appears to be defined, and changing a user to Always Allow doesn't make any difference.

We've tried rebooting all servers from inside-out and vice versa with no change.  We have run DCDIAG on the domain controllers and they are healthy, same with DNS.  There are no login issues on the ACS servers, I can log on interactively with a problem user account.   Logs show the same error against both DCs.

Unfortunately ACS v3.1 is pretty old and though we're planning to replace it with a Windows 2003 server with latest version of ACS we're not currently able to do this.

Any ideas?  Thanks in advance.

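A small checker for the ACS log pattern quoted above, added here as an example rather than code from the question or the answer: it groups the AUTH lines into requests and flags those where the DC accepted the password but the RasAdminUserGetInfo call then failed, which is the split that points at the ACS service account's rights on the DC rather than at the user's credentials. The sample lines are constructed from the excerpt above; user marges and request 1027 are invented for contrast, and the Win32 code names are standard values, not something the log itself prints.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Win32 codes RasAdminUserGetInfo reports (ACS logs them in hex); 0x5 is the one in the question.
WIN32_ERRORS = {0x5: "ERROR_ACCESS_DENIED", 0x35: "ERROR_BAD_NETPATH", 0x6BA: "RPC_S_SERVER_UNAVAILABLE"}
# Constructed sample: the failing request quoted in the question, plus an invented one that passes.
SAMPLE_LOG = """\
AUTH 12/20/2006 08:36:21 I 5081 2632 Start RQ1026, client 2 (127.0.0.1)
AUTH 12/20/2006 08:36:21 I 0276 2632 External DB [NTAuthenDLL.dll]: Starting authentication for user [homers]
AUTH 12/20/2006 08:36:21 I 0276 2632 External DB [NTAuthenDLL.dll]: NT/2000 authentication SUCCESSFUL (by OURDC1)
AUTH 12/20/2006 08:36:21 E 0276 2632 External DB [NTAuthenDLL.dll]: RasAdminUserGetInfo returned error 0x5
AUTH 12/20/2006 08:36:21 I 5081 2632 Done RQ1026, client 2, status -1058
AUTH 12/20/2006 08:37:02 I 5081 2632 Start RQ1027, client 2 (127.0.0.1)
AUTH 12/20/2006 08:37:02 I 0276 2632 External DB [NTAuthenDLL.dll]: Starting authentication for user [marges]
AUTH 12/20/2006 08:37:02 I 0276 2632 External DB [NTAuthenDLL.dll]: NT/2000 authentication SUCCESSFUL (by OURDC1)
AUTH 12/20/2006 08:37:02 I 5081 2632 Done RQ1027, client 2, status 0
"""

@dataclass
class AuthRequest:
    rq: str
    user: str = ""
    dc: str = ""
    nt_auth_ok: bool = False
    ras_error: Optional[int] = None  # Win32 code, present only when the RAS lookup failed

def parse_acs_log(text: str) -> List[AuthRequest]:
    """Group ACS AUTH lines into requests bounded by 'Start RQn' ... 'Done RQn'."""
    done, cur = [], None
    for line in text.splitlines():
        if m := re.search(r"Start RQ(\d+)", line):
            cur = AuthRequest(rq=m.group(1))
        elif cur is None:
            continue  # worker chatter outside any request
        elif m := re.search(r"Starting authentication for user \[([^\]]+)\]", line):
            cur.user = m.group(1)
        elif m := re.search(r"NT/2000 authentication SUCCESSFUL \(by (\S+)\)", line):
            cur.nt_auth_ok, cur.dc = True, m.group(1)
        elif m := re.search(r"RasAdminUserGetInfo returned error 0x([0-9A-Fa-f]+)", line):
            cur.ras_error = int(m.group(1), 16)
        elif re.search(r"Done RQ\d+,", line):
            done.append(cur)
            cur = None
    return done

def ras_failures(requests: List[AuthRequest]) -> List[tuple]:
    """Requests the DC authenticated but whose RAS (dial-in) lookup then failed; that split points at the ACS service account's rights on the DC, not at the user's credentials."""
    return [(r.rq, r.user, r.dc, WIN32_ERRORS.get(r.ras_error, "unknown"))
            for r in requests if r.nt_auth_ok and r.ras_error is not None]
```

Run it over a real ACS auth log to see whether every failing request carries the same code from both DCs, which separates a permissions problem on the DC side from a per-user account setting.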

Answer : Intermittent authentication failures between CiscoSecure ACS 3.1 and Windows 2003 AD

I cannot tell you why it worked before without problems, but have a look at this:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_field_notice09186a00800b1583.shtml