Solved

Radius always responds "Deny"

Posted on 2006-11-15
Last Modified: 2008-01-09
I'm getting ready to set up a VPN system.  I wanted to make sure that the Windows 2003 IAS service was correctly set up.  I've tried two different RADIUS test programs: "Radius Test 2.4.3" and "NT RadPing 1.5".

I was able to get both to talk to the RADIUS server, although both report Deny or Reject.

The username I'm using has "Allow" checked on the dial-in tab.

Output from Radius Test 2.4.3

--------------------2006\11\15 5:50:07 PM Test started  [AuthTest(CHAP)]-------------------------
Info:Sending Access-Request of id 0 to 192.168.5.2:1812
      User-Name = "ray"
      CHAP-Password = 0x00c400755494e1a17dc61ec04adeb06c51
Info: Access-Reject packet from host 192.168.5.2:1812, id=0, length=20

         Total approved auths:  0
           Total denied auths:  1
             Total lost auths:  0
             Total time(secs):  0
--------------------2006\11\15 5:50:07 PM Test finished [AuthTest(CHAP)]-------------------------




0
Question by:semperfi89
10 Comments
 
LVL 31

Expert Comment

by:Toni Uranjek
ID: 17953645
I would suggest that you change Dial-in setting for user to Control Access through Remote Access Policy and define appropriate policy in IAS console.
0
 

Author Comment

by:semperfi89
ID: 17954963
Control Access through Remote Access Policy is greyed out and not available.

I do have a policy set up in IAS using group membership.  I've created a group "VPN-Users" and I am a member of it.
0
 
LVL 31

Expert Comment

by:Toni Uranjek
ID: 17958000
You can use "Control Access through Remote Access Policy" only if you have native mode (or Domain Functional Level 2000) or DFL 2003. You can raise the domain functional level in Active Directory Users and Computers (Active Directory Domains and Trusts). Right-click the domain and select Raise domain functional level...

The change is irreversible. You don't have any NT4 BDC in your environment? If you have, you should not raise the domain functional level!
0
 

Author Comment

by:semperfi89
ID: 17958094
OK, now that option is enabled but it still reports deny.
0
 
LVL 31

Expert Comment

by:Toni Uranjek
ID: 17961574
Did you create appropriate policy in your IAS server?  For testing purposes create policy which allows connection for specific group (for example "vpn users")
0
 

Author Comment

by:semperfi89
ID: 17961992
yes, and I'm a member of the group.
0
 
LVL 31

Expert Comment

by:Toni Uranjek
ID: 17963216
What is your error exactly, when you try to connect manually?
0
 

Author Comment

by:semperfi89
ID: 17964282
As listed in my first post...

Info: Access-Reject packet from host 192.168.5.2:1812, id=0, length=20
0
 
LVL 31

Accepted Solution

by:
Toni Uranjek earned 500 total points
ID: 17964604
Is it possible that you set up a Windows XP computer as a VPN client, create a VPN connection and then tell me what the exact error is? Did you configure event logging for IAS (http://technet2.microsoft.com/WindowsServer/en/library/ff684a9f-6b2e-4d71-ab06-dd5e312008041033.mspx?mfr=true and http://technet2.microsoft.com/WindowsServer/en/library/66647e61-5d69-4f62-a95c-5a41a13064371033.mspx?mfr=true)?
Are there any errors in Event Log?
0
 

Author Comment

by:semperfi89
ID: 17967826
Well, it seems that the auth method that I was using wasn't enabled (CHAP).  When I enabled it I then got an error about the password not being stored using reversible encryption.  Now it works.

Thanks for getting me looking in the correct direction.
0
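Why enabling CHAP led straight to the reversible-encryption error, as an added example that is not part of the original thread: in RADIUS CHAP (RFC 2865) the CHAP-Password attribute is one identifier byte followed by MD5(identifier || password || challenge), so the server can only check it if it can recover the cleartext password. Only the CHAP-Password hex value comes from the test output in the question; the function names, password and challenge are constructed for illustration.

```python
import hashlib
import hmac
from typing import Optional, Tuple

# CHAP-Password value copied from the Radius Test output in the question.
PAGE_CHAP_PASSWORD = bytes.fromhex("00c400755494e1a17dc61ec04adeb06c51")


def split_chap_password(attr: bytes) -> Tuple[int, bytes]:
    """Split a CHAP-Password value into (CHAP identifier, 16-byte MD5 response)."""
    if len(attr) != 17:
        raise ValueError("CHAP-Password must be 1 identifier byte + 16 digest bytes")
    return attr[0], attr[1:]


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """Client side: MD5 over identifier, cleartext password and challenge."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def server_verify(attr: bytes, challenge: bytes,
                  stored_cleartext: Optional[bytes]) -> str:
    """Server side: recompute the digest from the recoverable password.

    stored_cleartext is None when the directory keeps only a one-way hash,
    which is the situation behind the error reported in the thread.
    """
    if stored_cleartext is None:
        return "reject: password not stored with reversible encryption"
    ident, response = split_chap_password(attr)
    expected = chap_response(ident, stored_cleartext, challenge)
    if hmac.compare_digest(expected, response):
        return "accept"
    return "reject: bad password"


if __name__ == "__main__":
    ident, digest = split_chap_password(PAGE_CHAP_PASSWORD)
    print(f"identifier={ident} response={digest.hex()}")

    # Constructed values: the challenge is the CHAP-Challenge attribute or,
    # when that is absent, the 16-byte Request Authenticator.
    challenge = bytes(range(16))
    password = b"example-password"
    attr = bytes([ident]) + chap_response(ident, password, challenge)
    print(server_verify(attr, challenge, password))       # accept
    print(server_verify(attr, challenge, None))           # reversible-encryption reject
    print(server_verify(attr, challenge, b"wrong-guess"))  # bad password
```

Because the server must hold a recoverable password for CHAP, enabling reversible encryption weakens password storage for the affected accounts; MS-CHAP v2 does not need it because its response is computed from the NT hash.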
