Title: Windows Server 2003 R2 Remote Access Policy being Ignored by Routing and Remote Access Service when accepting VPN Connections

Posted on 2006-11-24
Medium Priority
Last Modified: 2008-06-09
Hi all,

I'm setting up a new server.

I've got it to the point where it's accepting VPN connections.

Within RRAS I've tweaked the default remote access policy to make things a bit more secure (eg only accepting CHAP V2 for authentication & only allowing access after 6am but before midnight).

Problem is RRAS seems to be ignoring these. If I say "If authentication type = CHAP V2 then let me in" it does - if I say the same thing, but don't let me in, it still lets me in. If I say "only let me in between 2 and 5am" and try to connect at lunchtime, it lets me in.

What am I doing wrong?

Many thanks in advance.
Question by:The_Maverick
LVL 77

Expert Comment

by:Rob Williams
ID: 18011224
One possibility is on the dial-in tab of the user's profile configuration, in Active Directory Users and Computers, there are 3 options: 1) "Allow access", 2) "Deny access", and 3) "Control access through Remote Access Policy". If 1 is chosen instead of 3 the policies will be ignored and they will always be allowed access.
If you change this there may be a refresh/update period, I am afraid I am not sure.
LVL 10

Expert Comment

ID: 18012220
Another thing to check is on the Remote Access Policy: after specifying the policy conditions, ensure the right operation to perform is checked. For example, with "only allow access between 2am and 5am", make sure your condition is:

Day and Time Restriction matches Sun 02:00 - 05:00 Mon 02:00 - 05:00, etc.

And that "If connection request matches the specified conditions" is set to "Grant remote access permission". Also, as RobWill was saying, if the user's account in AD is set up to allow or deny access, that will override the settings in this policy. You should make sure users are set to "Control access through Remote Access Policy".

On the authentication tab in the profile, ensure that only CHAP V2 is selected and not any of the other protocols if you are wishing to make VPN only accessible for CHAP V2. Also make sure that "Allow clients to connect without negotiating an authentication method" is unchecked.



Author Comment

ID: 18017339
Thanks Rob and Matt. I think the issue is, as you alerted me to, the Users profile config in AD U&C. I see the 3rd option that you mention, but it's greyed out.

And on that note, is there something I need to set somewhere to enable the 3rd option? (I'm aware that it's not available on a mixed Win2K / Win2K3 domain, but this config is 100% Win2K3, so that's not the issue).

LVL 10

Expert Comment

ID: 18018729
Even though your DCs are 2003, can you check and verify that you are running native or Win2003 mode?
LVL 77

Expert Comment

by:Rob Williams
ID: 18019198
To elaborate on Mathew's comment:

"If your server is a domain controller, Control access through Remote Access Policy may be grayed out - unavailable -. If this is the case, your domain controller is in mixed mode. Mixed mode is the default mode when you promote a server to a domain controller. It means that the domain can have a mixture of NT4 and Windows 2000 servers. This is usually done when migrating an NT4 domain to Windows 2000.

If the remote access permission Control access through Remote Access Policy is unavailable, it doesn't mean that you cannot secure remote access by using remote access policies; it simply means that you cannot allow or deny access via the policy. Selecting either Allow or Deny at the user level effectively overrides Allow or Deny at the policy level. You will still be able to set conditions in the policy such as time and day which will allow or deny a connection attempt at a certain time of day. A user with the user-level permission Allow will not be able to connect if the policy denies access at a particular time of the day. For example, if the user tries to connect on a Saturday and the policy denies access on Saturdays, the user will not be able to connect whether they have allow access or not."

The article refers to 2000 servers, but mixed mode exists with 2003 servers as well.
You can "Raise the Domain Functional Level", but you should read about the details first as you cannot go backward. To make the changes, open ADUC and right click on your server name, and choose "Raise the domain functional level". In the box that opens, make sure you click Help and read about the effects. Once done you can only have servers in your domain that are of the same vintage, i.e. if you have a 2003 server and raise it from mixed or native mode to Windows 2003 server, you can only have 2003 servers in your domain.

Author Comment

ID: 18031319
Thanks for that.

I raised the level to 2003 and can now use the extra option within ADUC/Dial In.

Still a bit confused about RRAS policy though - at present I only have 1 policy - accidentally it was set to say "If the user is using chap v2 then deny access" - and yet I could still get in (that's the ONLY condition in the policy by the way).

Should I interpret this policy to mean "if the user is using chap v2 then DON'T let them in, but if they're using any other form of authentication then let them through", or is it "if the user is using chap v2 then don't let them in, and if they're not using chap v2 then don't let them in anyway because there's no policy defined that caters for them"?

I need to do more testing, but I'm puzzled as to why I was able to get in with the only policy set to deny me (although my account was set to "Grant Access" in ADUC).

LVL 77

Accepted Solution

Rob Williams earned 2000 total points
ID: 18031428
>>"(although my account was set to "Grant Access" in ADUC)."
"Grant Access" overrides any policy. You need to select "Control access through Remote Access Policy" to work with policies and have them applied.

With MS-CHAP v2 checked, it should mean only allow connections from clients using that authentication method. To test, you could try changing the client: under the virtual adapter go to Security | Advanced | Settings | and change the protocol.
However, I suspect it won't connect then anyway.
A better test might be to edit an existing policy, or add a new, and set a time restriction (right click on policy, choose properties and then add).

If interested in locking this down you might want to install IAS from add/remove programs Windows components. Then set RRAS to use RADIUS authentication. RADIUS allows for much more granular control.

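The thread's root cause is that the per-user dial-in setting in ADUC ("Allow access" / "Deny access") overrides whatever the RRAS policy grants or denies, and that the third choice, "Control access through Remote Access Policy", is only offered once the domain is out of mixed mode. The PowerShell script below is an added audit example, not code from the thread or from Microsoft. It assumes it runs on a domain-joined Windows host (no ActiveDirectory module is needed; it uses the ADSI classes built into .NET) and relies on two facts about the directory: the ADUC dial-in choices are stored in the user attribute msNPAllowDialin (TRUE = Allow access, FALSE = Deny access, attribute not set = Control access through Remote Access Policy), and the domain object's ntMixedDomain attribute is 1 while the domain is in mixed mode.

```powershell
# Added example (not from the thread): audit which accounts bypass the RRAS
# remote access policy through their per-user dial-in setting, and report
# whether the domain is still in mixed mode (the reason the third ADUC
# option is greyed out). Assumes a domain-joined Windows host with ADSI.

# 1. Domain mode. ntMixedDomain = 1 means mixed mode; domainFunctionality
#    on RootDSE is 0 for Windows 2000 and 2 for Windows Server 2003.
$rootDse  = [ADSI]"LDAP://RootDSE"
$domainDn = "$($rootDse.defaultNamingContext)"
$domain   = [ADSI]"LDAP://$domainDn"
$isMixed  = ("$($domain.ntMixedDomain)" -eq "1")
$level    = "$($rootDse.domainFunctionality)"
Write-Host ("Domain {0}: functional level {1}, mixed mode = {2}" -f $domainDn, $level, $isMixed)
if ($isMixed) {
    Write-Host "Mixed mode: 'Control access through Remote Access Policy' is unavailable in ADUC."
}

# 2. Translate msNPAllowDialin into the three ADUC dial-in choices.
function Get-DialInPermission {
    param([System.DirectoryServices.SearchResult]$Result)
    $values = $Result.Properties["msnpallowdialin"]
    if ($values -eq $null -or $values.Count -eq 0) {
        return "Control access through Remote Access Policy"   # policy decides
    }
    if ($values[0]) { return "Allow access" } else { return "Deny access" }
}

# 3. Find every user whose dial-in permission is set explicitly, i.e. every
#    account for which the policy's Grant/Deny decision is overridden.
function Get-DialInOverrides {
    param([string]$SearchBase)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$SearchBase"
    $searcher.PageSize   = 1000
    $searcher.Filter     = "(&(objectCategory=person)(objectClass=user)(msNPAllowDialin=*))"
    [void]$searcher.PropertiesToLoad.Add("sAMAccountName")
    [void]$searcher.PropertiesToLoad.Add("msNPAllowDialin")
    foreach ($r in $searcher.FindAll()) {
        New-Object PSObject -Property @{
            Account    = $r.Properties["samaccountname"][0]
            Permission = Get-DialInPermission $r
        }
    }
}

$overrides = @(Get-DialInOverrides $domainDn)
$overrides | Sort-Object Permission, Account | Format-Table -AutoSize
$allowed = @($overrides | Where-Object { $_.Permission -eq "Allow access" })
Write-Host ("{0} account(s) set to 'Allow access' will connect regardless of the policy's Grant/Deny setting." -f $allowed.Count)
```

Run it in an elevated PowerShell session on a domain member; every account it lists under "Allow access" matches the situation the author hit, where the only policy said "deny" but the connection still succeeded. Clearing those accounts back to "Control access through Remote Access Policy" (the attribute left unset) is what lets the policy's Grant/Deny take effect, and, as Rob notes, that choice only appears in ADUC after the domain functional level has been raised out of mixed mode.
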
Author Comment

ID: 18034584
Thanks Rob.

I think I understand it now. I really appreciate the effort you've put into this.

Many thanks again.

LVL 77

Expert Comment

by:Rob Williams
ID: 18036870
Very welcome. Thank you The_Maverick. Good luck with it.
