Solved

Radius always responds "Deny"

Posted on 2006-11-15
10
701 Views
Last Modified: 2008-01-09
I'm getting ready to setup a vpn system.  I wanted to make sure that the Windows 2003 IAS service was correctly setup.  I've tried two different radius test software.  "Radius Test 2.4.3" and "NT RadPing 1.5".

I was able to get both to talk to the radius server, although both report Deny or Reject

The username I'm using has "Allow" checked on the dial-in tab.

Output from Radius Test 2.4.3

--------------------2006\11\15 5:50:07 PM Test started  [AuthTest(CHAP)]-------------------------

Info:Sending Access-Request of id 0 to 192.168.5.2:1812

      User-Name = "ray"

      CHAP-Password = 0x00c400755494e1a17dc61ec04adeb06c51

Info: Access-Reject packet from host 192.168.5.2:1812, id=0, length=20



         Total approved auths:  0

           Total denied auths:  1

             Total lost auths:  0

             Total time(secs):  0

--------------------2006\11\15 5:50:07 PM Test finished [AuthTest(CHAP)]-------------------------




0
Comment
Question by:semperfi89
  • 5
  • 5
10 Comments
 
LVL 31

Expert Comment

by:Toni Uranjek
ID: 17953645
I would suggest that you change Dial-in setting for user to Control Access through Remote Access Policy and define appropriate policy in IAS console.
0
 

Author Comment

by:semperfi89
ID: 17954963
Control Access through Remote Access Policy is greyed out and not available.

I do have a policy setup in IAS using group membership.  I've created a Group "VPN-Users" and I am a memeber of it.
0
 
LVL 31

Expert Comment

by:Toni Uranjek
ID: 17958000
You can use "Control Access through Remote Access Policy" only if you have native mode (or Domain Functional Level 2000) or DFL 2003. Ypu can raise domain functional level in Active directory users and computers (Active Directory Domain and Trusts). Right click domain and select Raise domain functional level...

Change is irreversible. You don't have any NT4 BDC in your environment? If you have you should not raise domain fuctional level!
0
U.S. Department of Agriculture and Acronis Access

With the new era of mobile computing, smartphones and tablets, wireless communications and cloud services, the USDA sought to take advantage of a mobilized workforce and the blurring lines between personal and corporate computing resources.

 

Author Comment

by:semperfi89
ID: 17958094
Ok, now that option is enable but still reports deny.
0
 
LVL 31

Expert Comment

by:Toni Uranjek
ID: 17961574
Did you create appropriate policy in your IAS server?  For testing purposes create policy which allows connection for specific group (for example "vpn users")
0
 

Author Comment

by:semperfi89
ID: 17961992
yes, and I'm a member of the group.
0
 
LVL 31

Expert Comment

by:Toni Uranjek
ID: 17963216
What is your error exacty, when you try to connect manually?
0
 

Author Comment

by:semperfi89
ID: 17964282
As listed in my first post...

Info: Access-Reject packet from host 192.168.5.2:1812, id=0, length=20
0
 
LVL 31

Accepted Solution

by:
Toni Uranjek earned 500 total points
ID: 17964604
Is it possible that you set up Windows XP computer as VPN client, create VPN connection and than tell me what is exact error. Did you configure event logging for IAS (http://technet2.microsoft.com/WindowsServer/en/library/ff684a9f-6b2e-4d71-ab06-dd5e312008041033.mspx?mfr=true and http://technet2.microsoft.com/WindowsServer/en/library/66647e61-5d69-4f62-a95c-5a41a13064371033.mspx?mfr=true).
Are there any errors in Event Log?
0
 

Author Comment

by:semperfi89
ID: 17967826
Well it seems that the auth method that I was using wasn't enabled (CHAP).  When I enabled it I the got an error about the password not being stored using reversable encryption.  Now it works.

Thanks for getting me looking in the correct direction
0

Featured Post

Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Question about AD permissions 2 67
Server 2016 domain two way trust with 2003 domain function level 5 332
Screen Mirroring 7 66
2003 File Server upgrade 11 62
by Batuhan Cetin In this article I will be guiding through the process of removing a failed DC metadata from Active Directory (hereafter, AD) using the ntdsutil tool in a Windows Server 2003 environment. These steps are not necessary in a Win…
by Batuhan Cetin Within the dynamic life of an IT administrator, we hold many information in our minds like user names, passwords, IDs, phone numbers, incomes, service tags, bills and the order from our wives to buy milk when coming back to home.…
This Micro Tutorial will teach you how to censor certain areas of your screen. The example in this video will show a little boy's face being blurred. This will be demonstrated using Adobe Premiere Pro CS6.
This Micro Tutorial will give you a basic overview how to record your screen with Microsoft Expression Encoder. This program is still free and open for the public to download. This will be demonstrated using Microsoft Expression Encoder 4.

813 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now