Title: Windows Server 2003 R2 Remote Access Policy being Ignored by Routing and Remote Access Service when accepting VPN Connections

Posted on 2006-11-24
Medium Priority
Last Modified: 2008-06-09
Hi all,

I'm setting up a new server.

I've got it to the point where it's accepting VPN connections.

Within RRAS I've tweaked the default remote access policy to make things a bit more secure (e.g. only accepting CHAP V2 for authentication and only allowing access after 6am but before midnight).

Problem is RRAS seems to be ignoring these. If I say "If authentication type = CHAP V2 then let me in" it does - if I say the same thing, but don't let me in, it still lets me in. If I say "only let me in between 2 and 5am" and try to connect at lunchtime it lets me in.

What am I doing wrong?

Many thanks in advance.
Question by:The_Maverick
LVL 77

Expert Comment

by:Rob Williams
ID: 18011224
One possibility: on the Dial-in tab of the user's profile configuration, in Active Directory Users and Computers, there are 3 options: 1) "Allow access", 2) "Deny access", and 3) "Control access through Remote Access Policy". If 1 is chosen instead of 3 the policies will be ignored and they will always be allowed access.
If you change this there may be a refresh/update period, I am afraid I am not sure.
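
The three Dial-in tab settings described above are a single AD attribute, msNPAllowDialin, so the easiest way to find every account whose explicit Allow/Deny is overriding the RRAS policy is to query it. The following is an added example, not code from the thread; it assumes the ActiveDirectory PowerShell module (RSAT, Server 2008 R2 or later) and uses placeholder account and domain controller names.

```powershell
# Added example, not from the original thread. Assumes the ActiveDirectory
# PowerShell module (RSAT / Server 2008 R2 or later); the 2003-era GUI for
# the same attribute is the Dial-in tab in Active Directory Users and Computers.
Import-Module ActiveDirectory

# The three Dial-in tab radio buttons are one attribute, msNPAllowDialin:
#   "Allow access"                                -> TRUE
#   "Deny access"                                 -> FALSE
#   "Control access through Remote Access Policy" -> attribute not set
function Get-DialinPermission {
    param([Parameter(Mandatory = $true)] $User)  # ADUser loaded with msNPAllowDialin
    $v = $User.msNPAllowDialin
    if ($null -eq $v)     { return 'ControlViaPolicy' }
    elseif ($v -eq $true) { return 'Allow' }
    else                  { return 'Deny' }
}

# 1. Audit: every enabled account whose explicit Allow/Deny overrides RRAS policy.
$report = Get-ADUser -Filter { Enabled -eq $true } -Properties msNPAllowDialin |
    ForEach-Object {
        [pscustomobject]@{
            SamAccountName   = $_.SamAccountName
            DialinPermission = Get-DialinPermission $_
        }
    }
$report | Group-Object DialinPermission | Select-Object Name, Count
$report | Where-Object { $_.DialinPermission -ne 'ControlViaPolicy' } | Format-Table -AutoSize

# 2. Remediate one account so the policy decides. Account and DC names are
#    placeholders (assumptions); write and read back on the same DC so
#    replication lag cannot show you the old value.
$account = 'jdoe'              # assumed test account
$dc      = 'dc01.corp.example' # assumed domain controller
Set-ADUser -Identity $account -Server $dc -Clear msNPAllowDialin

# 3. Read the attribute back from the same DC.
$after = Get-ADUser -Identity $account -Server $dc -Properties msNPAllowDialin
Get-DialinPermission $after
```

After the clear, step 3 reports ControlViaPolicy for the account. The RRAS server reads the attribute from a domain controller at connection time, so the "refresh period" mentioned above is really AD replication between the DC you wrote to and the one RRAS happens to query; testing against the same DC removes that variable.
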
LVL 10

Expert Comment

ID: 18012220
Another thing to check on the Remote Access Policy: after specifying the policy conditions, ensure the right operation to perform is checked. For example, with "only allow access between 2am and 5am", make sure your condition is:

Day and Time Restriction matches Sun 02:00 - 05:00 Mon 02:00 - 05:00, etc.

And that "If connection request matches the specified conditions" is set to "Grant remote access permission". Also, as RobWill was saying, if the user's account in AD is set up to allow or deny access, that will override the settings in this policy. You should make sure users are set to "Control access through Remote Access Policy".

On the Authentication tab in the profile, ensure that only CHAP V2 is selected and none of the other protocols if you wish to make the VPN accessible only with CHAP V2. Make sure that "Allow clients to connect without negotiating an authentication method" is unchecked.



Author Comment

ID: 18017339
Thanks Rob and Matt. I think the issue is, as you alerted me to, the user's profile config in AD U&C. I see the 3rd option that you mention, but it's greyed out.

And on that note, is there something I need to set somewhere to enable the 3rd option? (I'm aware that it's not available on a mixed Win2K / Win2K3 domain, but this config is 100% Win2K3, so that's not the issue).

LVL 10

Expert Comment

ID: 18018729
Even though your DCs are 2003, can you check and verify that you are running native or Win2003 mode?
LVL 77

Expert Comment

by:Rob Williams
ID: 18019198
To elaborate on Mathew's comment:

"If your server is a domain controller, Control access through Remote Access Policy may be grayed out (unavailable). If this is the case, your domain controller is in mixed mode. Mixed mode is the default mode when you promote a server to a domain controller. It means that the domain can have a mixture of NT4 and Windows 2000 servers. This is usually done when migrating an NT4 domain to Windows 2000.

If the remote access permission Control access through Remote Access Policy is unavailable, it doesn't mean that you cannot secure remote access by using remote access policies; it simply means that you cannot allow or deny access via the policy. Selecting either Allow or Deny at the user level effectively overrides Allow or Deny at the policy level. You will still be able to set conditions in the policy such as time and day which will allow or deny a connection attempt at a certain time of day. A user with the user-level permission Allow will not be able to connect if the policy denies access at a particular time of the day. For example, if the user tries to connect on a Saturday and the policy denies access on Saturdays, the user will not be able to connect whether they have allow access or not."

The article refers to 2000 servers, but mixed mode exists with 2003 servers as well.
You can "Raise the Domain Functional Level", but you should read about the details first as you cannot go backward. To make the changes, open ADUC, right-click on your server name, and choose "Raise the domain functional level". In the box that opens make sure you click Help and read about the effects. Once done you can only have servers in your domain that are of the same vintage, i.e. if you have a 2003 server and raise it from mixed or native mode to Windows 2003 server, you can only have 2003 servers in your domain.
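
Because the raise is one-way, the check a practitioner wants before clicking through the ADUC dialog above is an inventory of every domain controller's OS and the current level. The following is an added example, not from the thread; it assumes the ActiveDirectory PowerShell module and that the account running it can raise the level.

```powershell
# Added example, not from the original thread. Assumes the ActiveDirectory
# PowerShell module. Raising the functional level cannot be undone, so
# inventory first and leave -Confirm on.
Import-Module ActiveDirectory

$domain = Get-ADDomain

# 1. Every DC in the domain must already be Windows Server 2003 or later.
#    Anything older listed here would stop replicating after the raise.
Get-ADDomainController -Filter * |
    Select-Object HostName, OperatingSystem, OperatingSystemVersion |
    Format-Table -AutoSize

# 2. Current functional level. 'Windows2000Domain' covers both 2000 mixed and
#    2000 native; the ntMixedDomain attribute on the domain object tells them
#    apart (1 = mixed, 0 = native).
$mixed = (Get-ADObject $domain.DistinguishedName -Properties ntMixedDomain).ntMixedDomain
'{0}: level={1} ntMixedDomain={2}' -f $domain.DNSRoot, $domain.DomainMode, $mixed

# 3. Raise to the Windows Server 2003 domain functional level, which is what
#    un-greys "Control access through Remote Access Policy" on the Dial-in tab.
if ($domain.DomainMode -eq 'Windows2000Domain') {
    Set-ADDomainMode -Identity $domain -DomainMode Windows2003Domain -Confirm
}

# 4. The change is written on the PDC emulator; re-read it from there rather
#    than from whichever DC answered step 2.
(Get-ADDomain -Server $domain.PDCEmulator).DomainMode
```

If step 1 shows any Windows 2000 or NT4 domain controller, stop: the ADUC dialog will refuse the raise, and demoting or upgrading that DC is the prerequisite, not something to work around.
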

Author Comment

ID: 18031319
Thanks for that.

I raised the level to 2003 and can now use the extra option within ADUC/Dial In.

Still a bit confused about RRAS policy though - at present I only have 1 policy - accidentally it was set to say "If the user is using chap v2 then deny access" - and yet I could still get in (that's the ONLY condition in the policy by the way).

Should I interpret this policy to mean "if the user is using chap v2 then DON'T let them in, but if they're using any other form of authentication then let them through", or is it "if the user is using chap v2 then don't let them in, and if they're not using chap v2 then don't let them in anyway because there's no policy defined that caters for them"?

I need to do more testing, but I'm puzzled as to why I was able to get in with the only policy set to deny me (although my account was set to "Grant Access" in ADUC).

LVL 77

Accepted Solution

Rob Williams earned 2000 total points
ID: 18031428
>>"(although my account was set to "Grant Access" in ADUC)."
"Grant Access" overrides any policy. You need to select "Control access through Remote Access Policy" to work with policies and have them applied.

With ms-chapv2 checked, it should mean only allow connections from clients using that authentication method. To test, you could try changing the client: under the virtual adapter go to Security | Advanced | Settings and change the protocol.
However, I suspect it won't connect then anyway.
A better test might be to edit an existing policy, or add a new, and set a time restriction (right click on policy, choose properties and then add).

If interested in locking this down you might want to install IAS from Add/Remove Programs, Windows Components. Then set RRAS to use RADIUS authentication. RADIUS allows for much more granular control.
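
The two questions in this thread (why an account set to "Allow access" got in despite a Deny policy, and what happens to a connection that matches no policy at all) both come down to the order in which a Windows Server 2003 RRAS server evaluates an attempt: first matching policy, then the account's Dial-in setting, then the policy's profile. The following is an added example, not from the thread and not RRAS code; it is a small PowerShell model of that documented order with made-up users, policies and attempts, and it also serves the earlier advice about policy conditions, Grant/Deny and profile settings.

```powershell
# Added example, not from the original thread. A model of the order in which a
# Windows Server 2003 RRAS server decides a connection attempt, with made-up
# users, policies and attempts. It is not the real RRAS code; it reproduces
# the documented evaluation order:
#   1. Policies are tried in listed order; the first whose conditions all
#      match is used. If no policy matches, the attempt is rejected.
#   2. The account's Dial-in setting is applied: Allow or Deny on the account
#      overrides the policy's Grant/Deny; "Control access through Remote
#      Access Policy" lets the policy's permission decide.
#   3. The matching policy's profile (allowed auth methods, day/time window)
#      is enforced whichever way step 2 went.

function Test-RemoteAccess {
    param(
        [hashtable] $Attempt,          # @{ User; AuthType; Hour }
        [hashtable] $DialinPermission, # user -> 'Allow' | 'Deny' | 'Policy'
        [object[]]  $Policies          # ordered; each has Name, Match, Permission, Profile
    )
    # Step 1: first policy whose conditions match
    $policy = $null
    foreach ($p in $Policies) {
        if (& $p.Match $Attempt) { $policy = $p; break }
    }
    if ($null -eq $policy) { return 'Reject (no policy matched)' }

    # Step 2: the account setting beats the policy's permission
    $perm = $DialinPermission[$Attempt.User]
    $decision = switch ($perm) {
        'Allow' { 'Grant' }
        'Deny'  { 'Deny' }
        default { $policy.Permission }   # 'Policy' (attribute not set)
    }
    if ($decision -ne 'Grant') { return "Reject ($($policy.Name); account=$perm)" }

    # Step 3: profile constraints still apply, even after an account-level Allow
    if ($policy.Profile -and -not (& $policy.Profile $Attempt)) {
        return "Reject (profile of $($policy.Name))"
    }
    return "Accept ($($policy.Name))"
}

# Accounts (made up): one set to Allow on the Dial-in tab, one left to the policy.
$dialin = @{ maverick = 'Allow'; alice = 'Policy' }

# Scenario A: the thread's single policy, "Authentication-Type matches
# MS-CHAP v2, then deny remote access", with no profile restrictions.
$scenarioA = @(
    @{ Name = 'Deny MS-CHAP v2'; Permission = 'Deny'
       Match = { param($a) $a.AuthType -eq 'MS-CHAP v2' }; Profile = $null }
)

# Scenario B: the intended hardening as a Grant policy whose profile allows
# only MS-CHAP v2 and only between 06:00 and midnight.
$scenarioB = @(
    @{ Name = 'VPN users'; Permission = 'Grant'
       Match = { param($a) $true }
       Profile = { param($a) $a.AuthType -eq 'MS-CHAP v2' -and $a.Hour -ge 6 -and $a.Hour -lt 24 } }
)

# Constructed connection attempts.
$attempts = @(
    @{ User = 'maverick'; AuthType = 'MS-CHAP v2'; Hour = 13 },
    @{ User = 'alice';    AuthType = 'MS-CHAP v2'; Hour = 13 },
    @{ User = 'alice';    AuthType = 'PAP';        Hour = 13 },
    @{ User = 'maverick'; AuthType = 'MS-CHAP v2'; Hour = 3  }
)

foreach ($name in 'A', 'B') {
    $policies = if ($name -eq 'A') { $scenarioA } else { $scenarioB }
    foreach ($a in $attempts) {
        $result = Test-RemoteAccess -Attempt $a -DialinPermission $dialin -Policies $policies
        '{0}: {1,-8} {2,-10} {3:00}:00 -> {4}' -f $name, $a.User, $a.AuthType, $a.Hour, $result
    }
}
```

Running scenario A reproduces the thread: the account set to Allow is accepted although the only policy says Deny, the account left to the policy is rejected, and a PAP attempt that matches no policy is rejected rather than let through, which answers the "no policy caters for them" question. Scenario B shows the other half of the quoted article: an account-level Allow still cannot connect at 03:00, because the profile's day/time window is enforced after the permission decision.
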

Author Comment

ID: 18034584
Thanks Rob.

I think I understand it now. I really appreciate the effort you've put into this.

Many thanks again.

LVL 77

Expert Comment

by:Rob Williams
ID: 18036870
Very welcome. Thank you The_Maverick. Good luck with it.
