Celebrate National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Radius always responds "Deny"

Posted on 2006-11-15
10
Medium Priority
?
724 Views
Last Modified: 2008-01-09
I'm getting ready to setup a vpn system.  I wanted to make sure that the Windows 2003 IAS service was correctly setup.  I've tried two different radius test software.  "Radius Test 2.4.3" and "NT RadPing 1.5".

I was able to get both to talk to the radius server, although both report Deny or Reject

The username I'm using has "Allow" checked on the dial-in tab.

Output from Radius Test 2.4.3

--------------------2006\11\15 5:50:07 PM Test started  [AuthTest(CHAP)]-------------------------

Info:Sending Access-Request of id 0 to 192.168.5.2:1812

      User-Name = "ray"

      CHAP-Password = 0x00c400755494e1a17dc61ec04adeb06c51

Info: Access-Reject packet from host 192.168.5.2:1812, id=0, length=20



         Total approved auths:  0

           Total denied auths:  1

             Total lost auths:  0

             Total time(secs):  0

--------------------2006\11\15 5:50:07 PM Test finished [AuthTest(CHAP)]-------------------------




0
Comment
Question by:semperfi89
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 5
10 Comments
 
LVL 31

Expert Comment

by:Toni Uranjek
ID: 17953645
I would suggest that you change Dial-in setting for user to Control Access through Remote Access Policy and define appropriate policy in IAS console.
0
 

Author Comment

by:semperfi89
ID: 17954963
Control Access through Remote Access Policy is greyed out and not available.

I do have a policy setup in IAS using group membership.  I've created a Group "VPN-Users" and I am a memeber of it.
0
 
LVL 31

Expert Comment

by:Toni Uranjek
ID: 17958000
You can use "Control Access through Remote Access Policy" only if you have native mode (or Domain Functional Level 2000) or DFL 2003. Ypu can raise domain functional level in Active directory users and computers (Active Directory Domain and Trusts). Right click domain and select Raise domain functional level...

Change is irreversible. You don't have any NT4 BDC in your environment? If you have you should not raise domain fuctional level!
0
U.S. Department of Agriculture and Acronis Access

With the new era of mobile computing, smartphones and tablets, wireless communications and cloud services, the USDA sought to take advantage of a mobilized workforce and the blurring lines between personal and corporate computing resources.

 

Author Comment

by:semperfi89
ID: 17958094
Ok, now that option is enable but still reports deny.
0
 
LVL 31

Expert Comment

by:Toni Uranjek
ID: 17961574
Did you create appropriate policy in your IAS server?  For testing purposes create policy which allows connection for specific group (for example "vpn users")
0
 

Author Comment

by:semperfi89
ID: 17961992
yes, and I'm a member of the group.
0
 
LVL 31

Expert Comment

by:Toni Uranjek
ID: 17963216
What is your error exacty, when you try to connect manually?
0
 

Author Comment

by:semperfi89
ID: 17964282
As listed in my first post...

Info: Access-Reject packet from host 192.168.5.2:1812, id=0, length=20
0
 
LVL 31

Accepted Solution

by:
Toni Uranjek earned 1500 total points
ID: 17964604
Is it possible that you set up Windows XP computer as VPN client, create VPN connection and than tell me what is exact error. Did you configure event logging for IAS (http://technet2.microsoft.com/WindowsServer/en/library/ff684a9f-6b2e-4d71-ab06-dd5e312008041033.mspx?mfr=true and http://technet2.microsoft.com/WindowsServer/en/library/66647e61-5d69-4f62-a95c-5a41a13064371033.mspx?mfr=true).
Are there any errors in Event Log?
0
 

Author Comment

by:semperfi89
ID: 17967826
Well it seems that the auth method that I was using wasn't enabled (CHAP).  When I enabled it I the got an error about the password not being stored using reversable encryption.  Now it works.

Thanks for getting me looking in the correct direction
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I've always wanted to allow a user to have a printer no matter where they login. The steps below will show you how to achieve just that. In this Article I'll show how to deploy printers automatically with group policy and then using security fil…
Learn about cloud computing and its benefits for small business owners.
Video by: ITPro.TV
In this episode Don builds upon the troubleshooting techniques by demonstrating how to properly monitor a vSphere deployment to detect problems before they occur. He begins the show using tools found within the vSphere suite as ends the show demonst…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question