RE: Microsoft IAS Server (RADIUS) policies

Posted by Dan on June 21, 2005, 4:49 pm
Can someone lend a hand here as I've not received any reply yet. Thks.

"Dan" wrote:

> Hi, I have two policies setup in our test IAS Server.
>
> 1. The first policy is for our wireless clients to authenticate to this
> RADIUS server using PEAP-MS-CHAP-V2 through a wireless AP (access point).
> 2. The second policy is for our VPN users to authenticate to this RADIUS
> server using strongest authentication type and MS-CHAP-V2.
>
> Here is my problem. Wireless clients worked fine. However, VPN users cannot
> connect. Error msg was that the user does not have permission to dial in. I
> have already checked and users selected have permissions. So I moved the
> second policy (VPN policy) up as the first one and it worked.
> Can someone point out if there is any logic steps I should be aware of when
> I moved the 2nd policy up as the 1st? TIA.

Posted by Mark Gamache on June 21, 2005, 6:35 pm
You will want to verify how your policies are set up. This is very easy to
do incorrectly. Policies are processed in order and the first connection
request to match all the policies is the only policy used. If a connection
request matches all the policies, then the profile of that policy is checked.
If that matches, then the request can be accepted.

The flow chart here explains well.
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/fc353fbb-4df4-4b36-b14a-20cbbad43494.mspx

What is likely happening to your connection is that in both cases that you
described, the user meets the first policy requirements, but not the profile
requirement. This means that the connection is always denied before the
second policy is reached.

Note that when a connection is rejected, processing stops; when policies
aren't met, the next policy is tried.

Hope that helps.

Cheers,

--
Mark Gamache
Certified Security Solutions
http://www.css-security.com



> Can someone lend a hand here as I've not received any reply yet. Thks.
>
> "Dan" wrote:
>
>> Hi, I have two policies setup in our test IAS Server.
>>
>> 1. The first policy is for our wireless clients to authenticate to this
>> RADIUS server using PEAP-MS-CHAP-V2 through a wireless AP (access
>> point).
>> 2. The second policy is for our VPN users to authenticate to this RADIUS
>> server using strongest authentication type and MS-CHAP-V2.
>>
>> Here is my problem. Wireless clients worked fine. However, VPN users
>> cannot connect. Error msg was that the user does not have permission to
>> dial in. I have already checked and users selected have permissions. So I
>> moved the second policy (VPN policy) up as the first one and it worked.
>> Can someone point out if there is any logic steps I should be aware of
>> when I moved the 2nd policy up as the 1st? TIA.
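
Added example, not part of the original thread and not IAS code: a simplified Python model of the evaluation order described in the reply above, showing why swapping two policies with overlapping conditions flips which client type is rejected, and how a NAS-Port-Type condition on each policy removes the order dependence. The policy names, the group condition and the request values are constructed assumptions, and the model leaves out the user-account dial-in permission check.

```python
# Simplified model of IAS remote access policy evaluation (added example).
# Policy names, groups and request values below are constructed.
from dataclasses import dataclass

@dataclass
class Policy:
    name: str
    conditions: dict   # attribute -> set of accepted values; all must match
    auth_methods: set  # profile constraint: authentication types allowed

def evaluate(policies, request):
    """Return (decision, policy_name) for one connection request."""
    for p in policies:  # policies are tried in their configured order
        if all(request.get(a) in ok for a, ok in p.conditions.items()):
            # The first policy whose conditions all match is the only one used.
            if request["auth"] in p.auth_methods:
                return ("accept", p.name)
            return ("reject", p.name)  # profile mismatch: processing stops
        # Conditions not met: fall through to the next policy.
    return ("reject", None)  # no policy matched at all

GROUP = {"group": {"Domain Users"}}  # assumed broad condition

# Overlapping conditions: both policies match every domain user.
wireless = Policy("Wireless", GROUP, {"PEAP-MS-CHAP-V2"})
vpn = Policy("VPN", GROUP, {"MS-CHAP-V2"})

# Scoped conditions: each policy also requires its own NAS-Port-Type.
wireless_scoped = Policy(
    "Wireless", {**GROUP, "nas_port_type": {"Wireless - IEEE 802.11"}},
    {"PEAP-MS-CHAP-V2"})
vpn_scoped = Policy(
    "VPN", {**GROUP, "nas_port_type": {"Virtual (VPN)"}}, {"MS-CHAP-V2"})

WIFI_REQ = {"group": "Domain Users", "auth": "PEAP-MS-CHAP-V2",
            "nas_port_type": "Wireless - IEEE 802.11"}
VPN_REQ = {"group": "Domain Users", "auth": "MS-CHAP-V2",
           "nas_port_type": "Virtual (VPN)"}

def outcomes(policies):
    """Evaluate both sample requests against one policy ordering."""
    return {"wifi": evaluate(policies, WIFI_REQ),
            "vpn": evaluate(policies, VPN_REQ)}

if __name__ == "__main__":
    for label, order in [("wireless first", [wireless, vpn]),
                         ("vpn first", [vpn, wireless]),
                         ("scoped", [wireless_scoped, vpn_scoped]),
                         ("scoped, swapped", [vpn_scoped, wireless_scoped])]:
        print(label, outcomes(order))
```

With the overlapping conditions, whichever policy is listed first captures both request types and rejects the one whose authentication type its profile does not allow; with the scoped conditions both orderings accept both requests.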


