Title: Windows Server 2003 R2 Remote Access Policy being Ignored by Routing and Remote Access Service when accepting VPN Connections

Hi all,

I'm setting up a new server.

I've got it to the point where it's accepting VPN connections.

Within RRAS I've tweaked the default remote access policy to make things a bit more secure (e.g. only accepting CHAP V2 for authentication, and only allowing access after 6am but before midnight).

Problem is, RRAS seems to be ignoring these. If I say "If authentication type = CHAP V2 then let me in", it does; if I say the same thing but don't let me in, it still lets me in. If I say "only let me in between 2 and 5am" and try to connect at lunchtime, it lets me in.

What am I doing wrong?

Many thanks in advance.
Rob Williams commented:
>>"(although my account was set to "Grant Access" in ADUC)."
"Grant Access" over-rides any policy. You need to select "Control access through Remote Access Policy" to work with policies and have them applied.

With MS-CHAP v2 checked, it should mean only allow connections from clients using that authentication method. To test, you could try changing the client: under the virtual adapter go to Security | Advanced | Settings and change the protocol.
However, I suspect it won't connect then anyway.
A better test might be to edit an existing policy, or add a new, and set a time restriction (right click on policy, choose properties and then add).

If interested in locking this down you might want to install IAS from add/remove programs Windows components. Then set RRAS to use RADIUS authentication. RADIUS allows for much more granular control.
Rob Williams commented:
One possibility is on the Dial-in tab of the user's profile configuration, in Active Directory Users and Computers, where there are 3 options: 1) "Allow access", 2) "Deny access", and 3) "Control access through Remote Access Policy". If 1 is chosen instead of 3, the policies will be ignored and they will always be allowed access.
If you change this there may be a refresh/update period, I am afraid I am not sure.
Another thing to check is on the Remote Access Policy after specifying the policy conditions ensure the right operation to perform is checked.  For example with the only allow access between 2am and 5am make sure your condition is:

Day and Time Restriction matches Sun 02:00 - 05:00 Mon 02:00 - 05:00, etc.

And that "If a connection request matches the specified conditions" is set to "Grant remote access permission". Also, as RobWill was saying, if the user's account in AD is set up to allow or deny access, that will override the settings in this policy. You should make sure users are set to "Control access through Remote Access Policy".

On the Authentication tab in the profile, ensure that only CHAP V2 is selected and not any of the other protocols if you wish to make the VPN accessible only with CHAP V2. Also make sure that "Allow clients to connect without negotiating an authentication method" is unchecked.
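The evaluation order described in this reply and in the accepted answer (policy conditions pick the policy; the account's Dial-in setting wins over the policy's Grant/Deny; the profile's authentication and day/time settings then constrain the connection) is modelled below as an added Python example. It is not code from the thread or from Windows, and the user, policy and request values are constructed. The "no matching policy means the attempt is rejected" rule goes slightly beyond what the thread states; it is the documented default for RRAS/IAS policy evaluation and is included so the asker's "is there a policy that caters for them?" case can be seen.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Callable

# Per-account remote access permission, as set on the Dial-in tab in ADUC.
ALLOW = "Allow access"
DENY = "Deny access"
BY_POLICY = "Control access through Remote Access Policy"

Condition = Callable[["Request"], bool]


@dataclass
class Request:
    """One incoming VPN connection attempt (constructed sample input)."""
    user: str
    auth_type: str      # e.g. "MS-CHAP v2", "CHAP", "PAP"
    when: datetime


@dataclass
class Policy:
    """One remote access policy: its conditions, its permission setting and its profile."""
    name: str
    conditions: list = field(default_factory=list)     # all conditions must match
    grant: bool = True                                 # Grant vs Deny remote access permission
    profile_auth: set = field(default_factory=set)     # profile > Authentication; empty = any
    profile_hours: list = field(default_factory=list)  # profile > Dial-in Constraints; (weekday, start, end)


def auth_type_is(name: str) -> Condition:
    """Condition: Authentication-Type matches the given method."""
    return lambda r: r.auth_type == name


def in_windows(when: datetime, windows) -> bool:
    """True if 'when' falls inside any (weekday, start_hour, end_hour) window; Mon=0..Sun=6."""
    return any(d == when.weekday() and s <= when.hour < e for d, s, e in windows)


def day_time_matches(windows) -> Condition:
    """Condition: Day-And-Time-Restrictions matches one of the windows."""
    return lambda r: in_windows(r.when, windows)


def evaluate(req: Request, user_permission: str, policies: list) -> tuple:
    """Return (accepted, reason) for a request under the given account setting and policies."""
    # 1. Policies are evaluated in order; the first whose conditions all match is used.
    policy = next((p for p in policies if all(c(req) for c in p.conditions)), None)
    if policy is None:
        return False, "rejected: no policy matched"
    # 2. Permission: the account's Dial-in setting overrides the policy's Grant/Deny.
    if user_permission == DENY:
        return False, f"rejected by account setting ({policy.name} matched)"
    if user_permission == BY_POLICY and not policy.grant:
        return False, f"rejected by policy {policy.name}"
    # 3. Profile constraints still apply, even when the account says Allow.
    if policy.profile_auth and req.auth_type not in policy.profile_auth:
        return False, f"rejected by profile of {policy.name}: auth type {req.auth_type}"
    if policy.profile_hours and not in_windows(req.when, policy.profile_hours):
        return False, f"rejected by profile of {policy.name}: outside allowed hours"
    return True, f"accepted via {policy.name}"


EVERY_DAY_2_TO_5 = [(d, 2, 5) for d in range(7)]


def poster_policy() -> Policy:
    """The thread's accidental single policy: 'Authentication-Type matches MS-CHAP v2', Deny."""
    return Policy("deny-mschapv2", [auth_type_is("MS-CHAP v2")], grant=False)


def scenarios() -> dict:
    """Constructed scenarios mirroring the thread; each value is the accept/reject outcome."""
    lunchtime = datetime(2006, 3, 8, 12, 30)  # a Wednesday
    early = datetime(2006, 3, 8, 3, 0)
    mschap = Request("maverick", "MS-CHAP v2", lunchtime)
    pap = Request("maverick", "PAP", lunchtime)
    locked = Policy("vpn-hours", [auth_type_is("MS-CHAP v2")], grant=True,
                    profile_auth={"MS-CHAP v2"}, profile_hours=EVERY_DAY_2_TO_5)
    return {
        # Account set to Allow: the Deny policy is matched but its permission is ignored.
        "allow_overrides_deny_policy": evaluate(mschap, ALLOW, [poster_policy()])[0],
        # Account set to control by policy: the same policy now denies.
        "policy_controls_when_enabled": evaluate(mschap, BY_POLICY, [poster_policy()])[0],
        # PAP matches no policy at all, so the attempt is rejected.
        "no_matching_policy": evaluate(pap, BY_POLICY, [poster_policy()])[0],
        # Allow at account level cannot bypass the profile's day/time restriction.
        "allow_but_outside_profile_hours": evaluate(mschap, ALLOW, [locked])[0],
        # Inside the window, with the right auth type, the locked-down policy grants.
        "inside_hours": evaluate(Request("maverick", "MS-CHAP v2", early), BY_POLICY, [locked])[0],
        # Deny at account level wins regardless of the policy.
        "account_deny": evaluate(Request("maverick", "MS-CHAP v2", early), DENY, [locked])[0],
    }


if __name__ == "__main__":
    for name, accepted in scenarios().items():
        print(f"{name:36s} {'ACCEPT' if accepted else 'REJECT'}")
```

The model is deliberately ordered the way the thread's advice is: a policy that never matches is never consulted, an account left on "Allow access" makes the policy's Grant/Deny irrelevant, and the only way a permissive account still gets refused is through the matched policy's profile settings.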



The_Maverick (Author) commented:
Thanks Rob and Matt. I think the issue is, as you alerted me to, the Users profile config in AD U&C. I see the 3rd option that you mention, but it's greyed out.

And on that note, is there something I need to set somewhere to enable the 3rd option? (I'm aware that it's not available on a mixed Win2K / Win2K3 domain, but this config is 100% Win2K3, so that's not the issue).

Even though your DCs are 2003, can you check and verify that you are running native or Windows 2003 mode?
Rob Williams commented:
To elaborate on Mathew's comment:

"If your server is a domain controller, Control access through Remote Access Policy may be grayed out (unavailable). If this is the case, your domain controller is in mixed mode. Mixed mode is the default mode when you promote a server to a domain controller. It means that the domain can have a mixture of NT4 and Windows 2000 servers. This is usually done when migrating an NT4 domain to Windows 2000.

If the remote access permission Control access through Remote Access Policy is unavailable, it doesn't mean that you cannot secure remote access by using remote access policies; it simply means that you cannot allow or deny access via the policy. Selecting either Allow or Deny at the user level effectively overrides Allow or Deny at the policy level. You will still be able to set conditions in the policy, such as time and day, which will allow or deny a connection attempt at a certain time of day. A user with the user-level permission Allow will not be able to connect if the policy denies access at a particular time of the day. For example, if the user tries to connect on a Saturday and the policy denies access on Saturdays, the user will not be able to connect whether they have allow access or not."

The article refers to 2000 servers, but mixed mode exists with 2003 servers as well.
You can "Raise the Domain Functional Level", but you should read about the details first as you cannot go backward. To make the change, open ADUC, right-click on your server name, and choose "Raise the domain functional level". In the box that opens, make sure you click Help and read about the effects. Once done, you can only have servers in your domain that are of the same vintage, i.e. if you have a 2003 server and raise it from mixed or native mode to Windows 2003 level, you can only have 2003 servers in your domain.
The_Maverick (Author) commented:
Thanks for that.

I raised the level to 2003 and can now use the extra option within ADUC/Dial In.

Still a bit confused about RRAS policy though. At present I only have 1 policy; accidentally it was set to say "If the user is using CHAP v2 then deny access", and yet I could still get in (that's the ONLY condition in the policy, by the way).

Should I interpret this policy to mean "if the user is using CHAP v2 then DON'T let them in, but if they're using any other form of authentication then let them through", or is it "if the user is using CHAP v2 then don't let them in, and if they're not using CHAP v2 then don't let them in anyway because there's no policy defined that caters for them"?

I need to do more testing, but I'm puzzled as to why I was able to get in with the only policy set to deny me (although my account was set to "Grant Access" in ADUC).

The_Maverick (Author) commented:
Thanks Rob.

I think I understand it now. I really appreciate the effort you've put into this.

Many thanks again.

Rob Williams commented:
Very welcome. Thank you The_Maverick. Good luck with it.