topic Re: SSL VPN Authentication in General Topics

SSL VPN Authentication

BBDOmexico — Fri, 25 Jun 2010 16:57:27 GMT

Hi Guys,

I have an issue with the SSL VPN authentication via RADIUS.

I have configured the RADIUS Server with this options:

Name:PANSSL

Address: 10.0.0.8

Vendor Name: RADIUS Standard

The Policy and Connection Type, is as follows:

Name: AccessVPN

Conditions: Windows User Groups, domain\domain_users

Access Permission: Access Granted

Authentication Method: Checked: Microsoft Encrypted Authetication version 2 (MS-CHAP-v2)

User can changed password after it has expired

Microsoft Encrypted Authentication (MS-CHAP)

User can changed password after it has expired

Unencrypted Authentication (PAP, SPAP)

RADIUS Attributes: Framed-Protocol: PPP

Service-type: Framed

I have a Windows Server 2003.

When I try to get access, It gives me the next error: User "domai\domai_user" failed authentication. Reason: User is not in allowlist.

I have modified the allow list, many times, rigth now I have all users in the allowlist, but it is not working.

I am working with a PAN-500, software version: 3.1.2, SSL-VPN Client 1.1.1, Application-Version 192-655, Threat version 192-655, Antivirus 240-279, URL Filtering 3376.

Any help?

Thanks in advance.

Re: SSL VPN Authentication

nrice — Fri, 25 Jun 2010 18:02:11 GMT

Here are a few questions/trouble shooting steps. Are you using a pan-agent? If so, there may be a connectivity issue. The CLI command >show user pan-agent statistics, will help determine that. If using the agent, are the users members of the configured group? Use the CLI command > debug device server dump user-group <group name>. If not using a pan-agent, when editing the allow list, type "all" (minus quotes) in the "Additional Users" box and see if that allows you to authenticate. Beyond that, you may want to contact your support provider.

Re: SSL VPN Authentication

sundbyberg — Thu, 29 Jul 2010 10:58:13 GMT

Late answer, I know. But for the record.

There is no support for ms-chap v2. You have to in the RADIUS server (sorry to say) only use PAP for authentication.

/ Mike

Re: SSL VPN Authentication

BBDOmexico — Fri, 06 Aug 2010 15:25:11 GMT

Hi NRICE,

1.I am using PAN-Agent version 3.1.2

2.The cli command show user.... gives me the next info:

admin@PA-500-BBDO> show user pan-agent statistics

Name IP Address Port Vsys State Users Grps IPs Activity Cnts Link Speed
----------------------------------------------------------------------------------------------------------------------
BBDOAgent 192.168.0.2 3033 vsys1 connected, ok 293 15 130 433 fast

2. I am using the Domain Users group.

3. The cli command debug device server dump.... gives me all the users that belong to the group.

Is there anything else that I need to check or some configuration that I need to add or delete?

Thanks in advance.