Radius always responds "Deny"

I'm getting ready to setup a vpn system.  I wanted to make sure that the Windows 2003 IAS service was correctly setup.  I've tried two different radius test software.  "Radius Test 2.4.3" and "NT RadPing 1.5".

I was able to get both to talk to the radius server, although both report Deny or Reject

The username I'm using has "Allow" checked on the dial-in tab.

Output from Radius Test 2.4.3

--------------------2006\11\15 5:50:07 PM Test started  [AuthTest(CHAP)]-------------------------

Info:Sending Access-Request of id 0 to 192.168.5.2:1812

      User-Name = "ray"

      CHAP-Password = 0x00c400755494e1a17dc61ec04adeb06c51

Info: Access-Reject packet from host 192.168.5.2:1812, id=0, length=20



         Total approved auths:  0

           Total denied auths:  1

             Total lost auths:  0

             Total time(secs):  0

--------------------2006\11\15 5:50:07 PM Test finished [AuthTest(CHAP)]-------------------------




semperfi89Asked:
Who is Participating?
 
Toni UranjekConnect With a Mentor Consultant/TrainerCommented:
Is it possible that you set up Windows XP computer as VPN client, create VPN connection and than tell me what is exact error. Did you configure event logging for IAS (http://technet2.microsoft.com/WindowsServer/en/library/ff684a9f-6b2e-4d71-ab06-dd5e312008041033.mspx?mfr=true and http://technet2.microsoft.com/WindowsServer/en/library/66647e61-5d69-4f62-a95c-5a41a13064371033.mspx?mfr=true).
Are there any errors in Event Log?
0
 
Toni UranjekConsultant/TrainerCommented:
I would suggest that you change Dial-in setting for user to Control Access through Remote Access Policy and define appropriate policy in IAS console.
0
 
semperfi89Author Commented:
Control Access through Remote Access Policy is greyed out and not available.

I do have a policy setup in IAS using group membership.  I've created a Group "VPN-Users" and I am a memeber of it.
0
Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

 
Toni UranjekConsultant/TrainerCommented:
You can use "Control Access through Remote Access Policy" only if you have native mode (or Domain Functional Level 2000) or DFL 2003. Ypu can raise domain functional level in Active directory users and computers (Active Directory Domain and Trusts). Right click domain and select Raise domain functional level...

Change is irreversible. You don't have any NT4 BDC in your environment? If you have you should not raise domain fuctional level!
0
 
semperfi89Author Commented:
Ok, now that option is enable but still reports deny.
0
 
Toni UranjekConsultant/TrainerCommented:
Did you create appropriate policy in your IAS server?  For testing purposes create policy which allows connection for specific group (for example "vpn users")
0
 
semperfi89Author Commented:
yes, and I'm a member of the group.
0
 
Toni UranjekConsultant/TrainerCommented:
What is your error exacty, when you try to connect manually?
0
 
semperfi89Author Commented:
As listed in my first post...

Info: Access-Reject packet from host 192.168.5.2:1812, id=0, length=20
0
 
semperfi89Author Commented:
Well it seems that the auth method that I was using wasn't enabled (CHAP).  When I enabled it I the got an error about the password not being stored using reversable encryption.  Now it works.

Thanks for getting me looking in the correct direction
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.