
Radius always responds "Deny"

I'm getting ready to set up a VPN system.  I wanted to make sure that the Windows 2003 IAS service was correctly set up.  I've tried two different pieces of RADIUS test software: "Radius Test 2.4.3" and "NT RadPing 1.5".

I was able to get both to talk to the RADIUS server, although both report Deny or Reject.

The username I'm using has "Allow" checked on the dial-in tab.

Output from Radius Test 2.4.3

--------------------2006\11\15 5:50:07 PM Test started  [AuthTest(CHAP)]-------------------------
Info:Sending Access-Request of id 0 to 192.168.5.2:1812
      User-Name = "ray"
      CHAP-Password = 0x00c400755494e1a17dc61ec04adeb06c51
Info: Access-Reject packet from host 192.168.5.2:1812, id=0, length=20

         Total approved auths:  0
           Total denied auths:  1
             Total lost auths:  0
             Total time(secs):  0
--------------------2006\11\15 5:50:07 PM Test finished [AuthTest(CHAP)]-------------------------




0
Asked by: semperfi89
 
Toni Uranjek (Consultant/Trainer) commented:
I would suggest that you change the Dial-in setting for the user to Control Access through Remote Access Policy and define an appropriate policy in the IAS console.
0
 
semperfi89 (Author) commented:
Control Access through Remote Access Policy is greyed out and not available.

I do have a policy set up in IAS using group membership.  I've created a group "VPN-Users" and I am a member of it.
0
 
Toni Uranjek (Consultant/Trainer) commented:
You can use "Control Access through Remote Access Policy" only if you have native mode (or Domain Functional Level 2000) or DFL 2003. You can raise the domain functional level in Active Directory Users and Computers (Active Directory Domains and Trusts). Right-click the domain and select Raise domain functional level...

The change is irreversible. You don't have any NT4 BDC in your environment? If you have, you should not raise the domain functional level!
0
 
semperfi89 (Author) commented:
OK, now that option is enabled but it still reports deny.
0
 
Toni Uranjek (Consultant/Trainer) commented:
Did you create an appropriate policy in your IAS server?  For testing purposes, create a policy which allows connection for a specific group (for example "vpn users").
0
 
semperfi89 (Author) commented:
Yes, and I'm a member of the group.
0
 
Toni Uranjek (Consultant/Trainer) commented:
What is your error exactly, when you try to connect manually?
0
 
semperfi89 (Author) commented:
As listed in my first post...

Info: Access-Reject packet from host 192.168.5.2:1812, id=0, length=20
0
 
Toni Uranjek (Consultant/Trainer) commented:
Is it possible that you set up a Windows XP computer as a VPN client, create a VPN connection and then tell me what the exact error is? Did you configure event logging for IAS (http://technet2.microsoft.com/WindowsServer/en/library/ff684a9f-6b2e-4d71-ab06-dd5e312008041033.mspx?mfr=true and http://technet2.microsoft.com/WindowsServer/en/library/66647e61-5d69-4f62-a95c-5a41a13064371033.mspx?mfr=true)?
Are there any errors in the Event Log?
0
 
semperfi89 (Author) commented:
Well, it seems that the auth method that I was using wasn't enabled (CHAP).  When I enabled it I then got an error about the password not being stored using reversible encryption.  Now it works.

Thanks for getting me looking in the correct direction.
0
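Why CHAP needs a reversibly stored password, as an added example that is not part of the original thread: the 17-octet CHAP-Password attribute (RFC 2865 section 5.3) carries a one-octet CHAP identifier plus MD5(identifier || password || challenge), so the server can only check it if it can recover the cleartext password. The challenge, password, identifier 7 and the reject reason strings below are constructed for illustration; only the CHAP-Password value is taken from the log in the question.

```python
import hashlib
import hmac

def chap_response(ident, password, challenge):
    # RFC 1994: response = MD5(identifier || secret || challenge)
    return hashlib.md5(bytes([ident]) + password + challenge).digest()

def parse_chap_password(value_hex):
    # RFC 2865 section 5.3: 1-octet CHAP identifier + 16-octet response
    digits = value_hex[2:] if value_hex.lower().startswith("0x") else value_hex
    raw = bytes.fromhex(digits)
    if len(raw) != 17:
        raise ValueError("CHAP-Password must be 17 octets, got %d" % len(raw))
    return raw[0], raw[1:]

def verify_chap(value_hex, challenge, cleartext_password):
    # cleartext_password is None when the account store keeps only a one-way
    # hash: the MD5 above cannot be recomputed, so the request is rejected.
    if cleartext_password is None:
        return False, "password not stored with reversible encryption"
    ident, response = parse_chap_password(value_hex)
    expected = chap_response(ident, cleartext_password, challenge)
    if hmac.compare_digest(expected, response):
        return True, "accept"
    return False, "response mismatch"

# CHAP-Password value from the Radius Test log in the question.
PAGE_ATTR = "0x00c400755494e1a17dc61ec04adeb06c51"

def demo():
    # Constructed sample values (not from the thread). In a real request the
    # challenge is the CHAP-Challenge attribute or, if that attribute is
    # absent, the Request Authenticator.
    challenge = bytes(range(16))
    password = b"example-password"
    attr = "0x" + (bytes([7]) + chap_response(7, password, challenge)).hex()
    return {
        "page_ident": parse_chap_password(PAGE_ATTR)[0],
        "good": verify_chap(attr, challenge, password),
        "wrong": verify_chap(attr, challenge, b"other"),
        "hash_only": verify_chap(attr, challenge, None),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```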
