Title: Windows Server 2003 R2 Remote Access Policy being Ignored by Routing and Remote Access Service when accepting VPN Connections

Posted on 2006-11-24
Last Modified: 2008-06-09
Hi all,

I'm setting up a new server.

I've got it to the point where it's accepting VPN connections.

Within RRAS I've tweaked the default remote access policy to make things a bit more secure (eg only accepting CHAP V2 for authentication & only allowing access after 6am but before midnight).

Problem is RRAS seems to be ignoring these. If I say "If authentication type = CHAP V2 then let me in" it does - if I say the same thing, but don't let me in, it still lets me in. If I say "only let me in between 2 and 5am" and try to connect at lunchtime it lets me in.

What am I doing wrong?

Many thanks in advance.
Question by:The_Maverick

Expert Comment

by:Rob Williams
ID: 18011224
One possibility is on the dial-in tab of the user's profile configuration, in Active Directory Users and Computers, there are 3 options; 1) "Allow access", 2) "Deny access", and 3) "Control access through Remote Access Policy".  If 1 is chosen instead of 3 the policies will be ignored and they will always be allowed access.
If you change this there may be a refresh/update period, I am afraid I am not sure.

Expert Comment

ID: 18012220
Another thing to check on the Remote Access Policy: after specifying the policy conditions, ensure the right operation to perform is checked.  For example, with "only allow access between 2am and 5am", make sure your condition is:

Day and Time Restriction matches Sun 02:00 - 05:00 Mon 02:00 - 05:00, etc.

And that "If a connection request matches the specified conditions" is set to "Grant remote access permission".  Also, as RobWill was saying, if the user's account in AD is set up to allow or deny access, that will override the settings in this policy.  You should make sure users are set to "Control access through Remote Access Policy".

On the authentication tab in the profile, ensure that only CHAP V2 is selected and not any of the other protocols if you are wishing to make VPN accessible only via CHAP V2. Also make sure that "Allow clients to connect without negotiating an authentication method" is unchecked.



Author Comment

ID: 18017339
Thanks Rob and Matt. I think the issue is, as you alerted me to, the user's profile config in AD U&C. I see the 3rd option that you mention, but it's greyed out.

And on that note, is there something I need to set somewhere to enable the 3rd option? (I'm aware that it's not available on a mixed Win2K / Win2K3 domain, but this config is 100% Win2K3, so that's not the issue).


Expert Comment

ID: 18018729
Even though your DCs are 2003, can you check and verify that you are running native or Win2003 mode?


Expert Comment

by:Rob Williams
ID: 18019198
To elaborate on Matthew's comment:

"If your server is a domain controller, Control access through Remote Access Policy may be grayed out - unavailable -. If this is the case, your domain controller is in mixed mode. Mixed mode is the default mode when you promote a server to a domain controller. It means that the domain can have a mixture of NT4 and Windows 2000 servers. This is usually done when migrating an NT4 domain to Windows 2000.

If the remote access permission Control access through Remote Access Policy is unavailable, it doesn't mean that you cannot secure remote access by using remote access policies, it simply means that you cannot allow or deny access via the policy. Selecting either Allow or Deny at the user level effectively overrides Allow or Deny at the policy level. You will still be able to set conditions in the policy such as time and day which will allow or deny a connection attempt at a certain time of day. A user with the user level permission Allow will not be able to connect if the policy denies access at a particular time of the day. For example, if the user tries to connect on a Saturday and the policy denies access on Saturdays, the user will not be able to connect whether they have allow access or not."

The article refers to 2000 servers, but mixed mode exists with 2003 servers as well.
You can "Raise the Domain Functional Level", but you should read about the details first as you cannot go backward. To make the changes, open ADUC and right click on your server name, and choose "Raise the domain functional level". In the box that opens make sure you click Help and read about the effects. Once done you can only have servers in your domain that are of the same vintage, i.e. if you have a 2003 server and raise it from mixed or native mode to Windows 2003 server, you can only have 2003 servers in your domain.

Author Comment

ID: 18031319
Thanks for that.

I raised the level to 2003 and can now use the extra option within ADUC/Dial In.

Still a bit confused about RRAS policy though - at present I only have 1 policy - accidentally it was set to say "If the user is using chap v2 then deny access" - and yet I could still get in (that's the ONLY condition in the policy by the way).

Should I interpret this policy to mean "if the user is using chap v2 then DON'T let them in, but if they're using any other form of authentication then let them through", or is it "if the user is using chap v2 then don't let them in, and if they're not using chap v2 then don't let them in anyway because there's no policy defined that caters for them"?

I need to do more testing, but I'm puzzled as to why I was able to get in with the only policy set to deny me (although my account was set to "Grant Access" in ADUC).


Accepted Solution

Rob Williams earned 500 total points
ID: 18031428
>>"(although my account was set to "Grant Access" in ADUC)."
"Grant Access" overrides any policy. You need to select "Control access through Remote Access Policy" to work with policies and have them applied.

With MS-CHAPv2 checked, it should mean only allow connections from clients using that authentication method. To test, you could try changing the client: under the virtual adapter go to Security | Advanced | Settings and change the protocol.
However, I suspect it won't connect then anyway.
A better test might be to edit an existing policy, or add a new one, and set a time restriction (right click on the policy, choose Properties and then Add).

If interested in locking this down you might want to install IAS from Add/Remove Programs > Windows Components. Then set RRAS to use RADIUS authentication. RADIUS allows for much more granular control.
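
The two findings in this thread (a user-level "Allow access"/"Deny access" silently bypasses every remote access policy condition, and the policy-controlled option only appears once the domain is out of mixed mode) can be checked across the whole directory rather than one Dial-in tab at a time. The following is an added example, not code from the thread or from Microsoft; it assumes a management host with the ActiveDirectory PowerShell module (RSAT), which did not exist on Server 2003 itself, and it reads the msNPAllowDialin attribute that backs the Dial-in tab ($true = Allow access, $false = Deny access, not set = Control access through Remote Access Policy).

```powershell
# Added example (not from the thread): audit which AD accounts carry an explicit
# dial-in permission that overrides RRAS remote access policies, and report the
# domain functional level that gates the "Control access through Remote Access
# Policy" option. Assumes the ActiveDirectory module (RSAT) is installed.
Import-Module ActiveDirectory

function Get-DialInMode {
    param($Value)
    # msNPAllowDialin is a boolean attribute; absent means "controlled by policy".
    if ($null -eq $Value) { return 'ControlledByPolicy' }
    if ($Value)           { return 'AllowAccess (overrides policy)' }
    return 'DenyAccess (overrides policy)'
}

# Pull every user with the attribute behind the Dial-in tab.
$users = Get-ADUser -Filter * -Properties msNPAllowDialin

$report = foreach ($u in $users) {
    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        Enabled        = $u.Enabled
        DialIn         = Get-DialInMode $u.msNPAllowDialin
    }
}

Write-Host "Domain functional level: $((Get-ADDomain).DomainMode)"
Write-Host ""
Write-Host "Enabled accounts whose dial-in setting bypasses RRAS policy conditions:"
$report |
    Where-Object { $_.Enabled -and $_.DialIn -ne 'ControlledByPolicy' } |
    Sort-Object SamAccountName |
    Format-Table -AutoSize

# Remediation for a single account (run deliberately, not in bulk): clearing the
# attribute puts the account back under policy control.
#   Set-ADUser -Identity 'jsmith' -Clear msNPAllowDialin
```

If the domain level still reports a mixed-mode value, the policy-controlled option will be greyed out in ADUC exactly as described above, so the audit output alone will not explain a policy that is being ignored; raise the functional level first (after reading the Help text, since it cannot be reverted) and then clear the per-user overrides.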

Author Comment

ID: 18034584
Thanks Rob.

I think I understand it now. I really appreciate the effort you've put into this.

Many thanks again.


Expert Comment

by:Rob Williams
ID: 18036870
Very welcome. Thank you The_Maverick. Good luck with it.
