RAS and eTokens

stan

Hello All:

Experiencing an issue trying to implement 2 factor authentication using
etokens. Have the CA set up and the certificate end is fine. The problem
arises trying to authenticate using the usb token. I can connect to the VPN
server but it sits at the verifying username and password screen until it
times out. Disabling the token login and I can vpn just fine.

Did 2 separate packet captures -

First with tokens enabled and I see LDAP packets being passed and then it
times out
Second without tokens and I don't see any LDAP packets and the connection is
fine.

Any thoughts on this would be appreciated.
 

I use eTokens with my RAS (VPN/PPTP).

The first thing you should check is the properties for the RAS server under
the tab Security.

There you need to activate the authentication method "Extensible
authentication protocol (EAP)".

Then, under your remote access policy you need to select the provider
"Smart Card or other certificate" under Authentication in the profile.

If you haven't issued a certificate for the server, I think you will
be able to ask for one at this point (it's quite a while ago I did
this).

Then you should be set. You will get a question at connect time if you
would like to accept the server certificate.

/Peter
 
Thanks... I had MSCHAP deselected. With our token you had to first set up
your account without smartcard, set username and password and then select
smartcard authentication.
 
Hi Stan,

Thanks for your posting and thanks for Peter's help. I'm writing to check
if Peter's suggestion helps. Please feel free to let us know if you
would like further assistance.

Sincerely,

William Wang
Microsoft Online Support Engineer

Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
 
Actually I am still having issues. Using an etoken, I have cert server set up
etc. enrollment station issuing smart card certs. I can apply for and
receive certificates no problem

I create a VPN connection and initially select do not use smart card.
Configure username and password and then select properties...use my smart
card. I can access my usb token containing my keys but the authentication
times out at the verifying username and password. Only event log reads the
authentication did not complete in a timely fashion or something to that
effect.

If I deselect smart card logon and go in straight with username and
password, it connects and authenticates without issue. I'm stumped.
 
Hi Stan,

Thanks for your update. I'd like to disable the firewall on the clients and
servers temporarily to test the problem. Does it make any difference?

Sincerely,

William Wang
Microsoft Online Support Engineer

 
Hi Stan,

I'm just checking to see if disabling the firewall made any difference. If
you have any questions or concerns, please don't hesitate to let us know.

Sincerely,

William Wang
Microsoft Online Support Engineer

 
Running a SonicWall which was breaking the GRE packet. They have no
direction option to pass this packet but I worked with their tech support to
resolve the issue. Thanks for the followup. You're looking into my other
issue from another group "domains" related to this project.

Need to have users log in to domain a which hosts the VPN server and access
drives etc in domain b (their home domain) without having to submit username
and password each time they map a drive etc. Have already set up 2-way trust to
no avail. Isn't this the whole idea behind trusts?
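
The resolution above was a firewall damaging the GRE half of PPTP, which a packet capture can show per direction. As an added example (not code from the thread), this Python script summarizes a classic Ethernet pcap for PPTP control (TCP/1723) and GRE (IP protocol 47); the addresses and capture bytes are constructed, and since the thread does not say how the GRE packets were being broken, it only reports what each direction shows.

```python
import struct
from collections import defaultdict

GRE, TCP, PPTP_PORT = 47, 6, 1723  # IP protocol numbers and the PPTP control port

def summarize(pcap: bytes) -> dict:
    """Per (src, dst): PPTP control segments, GRE packets, GRE fragments, largest GRE."""
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack("<I", pcap[:4])[0])
    if end is None or struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected a classic pcap file with Ethernet link type")
    stats = defaultdict(lambda: {"control": 0, "gre": 0, "gre_frag": 0, "gre_max": 0})
    off = 24
    while off + 16 <= len(pcap):
        incl = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        pkt = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":
            continue  # truncated or not IPv4
        ip = pkt[14:]
        ihl = (ip[0] & 0x0F) * 4
        total_len, _ident, frag = struct.unpack("!HHH", ip[2:8])
        key = tuple(".".join(map(str, ip[i:i + 4])) for i in (12, 16))
        if ip[9] == GRE:
            s = stats[key]
            s["gre"] += 1
            s["gre_max"] = max(s["gre_max"], total_len)
            if frag & 0x3FFF:  # MF flag set or non-zero fragment offset
                s["gre_frag"] += 1
        elif ip[9] == TCP and not frag & 0x1FFF and len(ip) >= ihl + 4:
            if PPTP_PORT in struct.unpack("!HH", ip[ihl:ihl + 4]):
                stats[key]["control"] += 1
    return dict(stats)

def diagnose(stats: dict, client: str, server: str) -> list:
    """List what is missing or unusual in each direction of the tunnel."""
    findings = []
    for src, dst in ((client, server), (server, client)):
        s = stats.get((src, dst), {"control": 0, "gre": 0, "gre_frag": 0})
        if not s["control"]:
            findings.append(f"no PPTP control (TCP/1723) from {src} to {dst}")
        if not s["gre"]:
            findings.append(f"no GRE from {src} to {dst}")
        elif s["gre_frag"]:
            findings.append(f"{s['gre_frag']} fragmented GRE packet(s) from {src} to {dst}")
    return findings

def frame(src, dst, proto, payload, frag=0):  # sample Ethernet/IPv4 frame, checksum 0
    addr = lambda a: bytes(map(int, a.split(".")))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, frag, 64,
                     proto, 0, addr(src), addr(dst))
    return b"\0" * 12 + b"\x08\x00" + ip + payload

def build_pcap(frames):  # little-endian classic pcap, link type 1 (Ethernet)
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return out + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

CLIENT, SERVER = "192.0.2.10", "198.51.100.5"  # constructed documentation addresses
SAMPLE = build_pcap([  # constructed capture: GRE leaves the client, none comes back
    frame(CLIENT, SERVER, TCP, struct.pack("!HH", 1050, PPTP_PORT) + b"\0" * 16),
    frame(SERVER, CLIENT, TCP, struct.pack("!HH", PPTP_PORT, 1050) + b"\0" * 16),
    frame(CLIENT, SERVER, GRE, b"\0" * 40),
    frame(CLIENT, SERVER, GRE, b"\0" * 1400, frag=0x2000),
])
print(*diagnose(summarize(SAMPLE), CLIENT, SERVER), sep="\n")
```

Running it against a working password-only capture and a failing token capture taken at the same point gives two summaries to compare side by side.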

 
Hi Stan,

Thanks for letting me know this issue was resolved. Let's follow up on the
issue related to "trust relationships" in the
<microsoft.public.windowsnt.domain> newsgroup.

Sincerely,

William Wang
Microsoft Online Support Engineer
