RE: Microsoft IAS Server (RADIUS) policies
Can someone lend a hand here as I've not received any reply yet. Thks.
"Dan" wrote:
> Hi, I have two policies set up in our test IAS Server.
>
> 1. The first policy is for our wireless clients to authenticate to this
> RADIUS server using PEAP-MS-CHAP-V2 through a wireless AP (access point).
> 2. The second policy is for our VPN users to authenticate to this RADIUS
> server using strongest authentication type and MS-CHAP-V2.
>
> Here is my problem. Wireless clients worked fine. However, VPN users cannot
> connect. Error msg was that the user does not have permission to dial in. I
> have already checked and users selected have permissions. So I moved the
> second policy (VPN policy) up as the first one and it worked.
> Can someone point out if there are any logic steps I should be aware of when
> I moved the 2nd policy up as the 1st? TIA.
Mark Gamache
07-09-2005, 11:54 PM
You will want to verify how your policies are set up. This is very easy to
do incorrectly. Policies are processed in order and the first policy whose
conditions the connection request matches is the only policy used. If a connection
request matches all the conditions of a policy, then the profile of that policy is checked.
If that matches, then the request can be accepted.
The flow chart here explains it well.
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/fc353fbb-4df4-4b36-b14a-20cbbad43494.mspx
What is likely happening to your connection is that in both cases that you
described, the user meets the first policy's requirements, but not the profile
requirement. This means that the connection is always denied before the
second policy is reached.
Note that when a connection is rejected, processing stops; when a policy's conditions
aren't met, the next policy is tried.
Hope that helps.
Cheers,
--
Mark Gamache
Certified Security Solutions
http://www.css-security.com
"Dan" <Dan@discussions.microsoft.com> wrote in message
news:B3FFF2E7-09A9-4229-9EC0-37025FC471D8@microsoft.com...
> Can someone lend a hand here as I've not received any reply yet. Thks.
>
> "Dan" wrote:
>
>> Hi, I have two policies set up in our test IAS Server.
>>
>> 1. The first policy is for our wireless clients to authenticate to this
>> RADIUS server using PEAP-MS-CHAP-V2 through a wireless AP (access
>> point).
>> 2. The second policy is for our VPN users to authenticate to this RADIUS
>> server using strongest authentication type and MS-CHAP-V2.
>>
>> Here is my problem. Wireless clients worked fine. However, VPN users
>> cannot connect. Error msg was that the user does not have permission to dial in.
>> I have already checked and users selected have permissions. So I moved the
>> second policy (VPN policy) up as the first one and it worked.
>> Can someone point out if there are any logic steps I should be aware of
>> when I moved the 2nd policy up as the 1st? TIA.
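The ordered, first-match flow Mark describes, as an added example for this thread (it is not IAS code and not anything the posters wrote): policy and attribute names are constructed, and the wireless policy is given a deliberately broad condition so that it reproduces Dan's symptom; a narrowed version shows the fix that does not rely on ordering.

```python
from dataclasses import dataclass, field

@dataclass
class Policy:
    name: str
    conditions: dict                  # attribute -> required value; ALL must match
    profile: dict = field(default_factory=dict)   # constraints checked only after a match

def conditions_match(policy, request):
    return all(request.get(k) == v for k, v in policy.conditions.items())

def profile_allows(policy, request):
    return all(request.get(k) == v for k, v in policy.profile.items())

def evaluate(policies, request):
    """Ordered, first-match evaluation: returns (decision, policy_name)."""
    for policy in policies:
        if not conditions_match(policy, request):
            continue                            # conditions not met: try the next policy
        if profile_allows(policy, request):
            return ("accept", policy.name)
        return ("reject", policy.name)          # profile mismatch: rejected, processing stops
    return ("reject", None)                     # nothing matched: default deny

# Constructed policies modelled on the thread; attribute names are illustrative.
# The wireless policy's only condition is group membership, so it also catches VPN users.
WIRELESS = Policy("Wireless", {"Windows-Groups": "Domain Users"},
                  {"Auth-Type": "PEAP-MS-CHAP-v2"})
VPN = Policy("VPN", {"NAS-Port-Type": "Virtual"}, {"Auth-Type": "MS-CHAP-v2"})
# Same wireless policy narrowed by port type, so it no longer claims VPN requests.
WIRELESS_NARROW = Policy("Wireless", {"Windows-Groups": "Domain Users",
                                      "NAS-Port-Type": "Wireless-802.11"},
                         {"Auth-Type": "PEAP-MS-CHAP-v2"})

VPN_REQUEST = {"Windows-Groups": "Domain Users", "NAS-Port-Type": "Virtual",
               "Auth-Type": "MS-CHAP-v2"}
WIFI_REQUEST = {"Windows-Groups": "Domain Users", "NAS-Port-Type": "Wireless-802.11",
                "Auth-Type": "PEAP-MS-CHAP-v2"}

def original_order(request):   # Dan's first ordering: wireless policy listed first
    return evaluate([WIRELESS, VPN], request)

def reordered(request):        # the ordering that made VPN work
    return evaluate([VPN, WIRELESS], request)

def narrowed(request):         # wireless still first, but with a tighter condition
    return evaluate([WIRELESS_NARROW, VPN], request)
```

With the broad wireless policy first, the VPN request matches its conditions, fails its PEAP profile and is rejected before the VPN policy is ever consulted; narrowing the condition lets both orderings work.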
Thanks Mark. I think it is helping. Will have to go back to my test
environment and test out my setup.
"Mark Gamache" wrote:
> You will want to verify how your policies are set up. This is very easy to
> do incorrectly. Policies are processed in order and the first policy whose
> conditions the connection request matches is the only policy used. If a connection
> request matches all the conditions of a policy, then the profile of that policy is checked.
> If that matches, then the request can be accepted.
>
> The flow chart here explains it well.
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/fc353fbb-4df4-4b36-b14a-20cbbad43494.mspx
>
> What is likely happening to your connection is that in both cases that you
> described, the user meets the first policy's requirements, but not the profile
> requirement. This means that the connection is always denied before the
> second policy is reached.
>
> Note that when a connection is rejected, processing stops; when a policy's conditions
> aren't met, the next policy is tried.
>
> Hope that helps.
>
> Cheers,
>
> --
> Mark Gamache
> Certified Security Solutions
> http://www.css-security.com