Solved

VPN Connection Problem - Authentication protocol is not permitted on the remote server

Posted on 2009-04-07
Last Modified: 2012-05-06
My VPN client access on an SBS 2008 server had been working fine.  Then it began connecting, but not giving me a network IP address; it would give me a 169 APIPA IP address.  Then in trying to fix it, I apparently made it worse.  Now when I try to connect, I get a 649 connection error on the client: The account does not have permission to connect for one of the following reasons... The reason that seems to apply is:
 An authentication protocol may be required that your computer cannot negotiate, or your computer may be attempting to use a protocol that is not authorized by the policy on the remote computer.

On the server I get this error:

The selected authentication protocol is not permitted on the remote server.

The connection could not be established because the authentication method used by your connection profile is not permitted for use by an access policy configured on the RAS/VPN server. Specifically, this could be due to configuration differences between the authentication method selected on the RAS/VPN server and the access policy configured for it.

CoId={NA}: The account for user \jim connected on port VPN2-4 does not have Remote Access privilege.  The line has been disconnected.

>>>

User:
      Security ID:                  S-1-5-21-366816775-4274262072-38412502-1142
      Account Name:            jim
      Account Domain:            DomainName
      Fully Qualified Account Name:      DomainName\jim

Client Machine:
      Security ID:                  S-1-0-0
      Account Name:                  -
      Fully Qualified Account Name:      -
      OS-Version:                  -
      Called Station Identifier:            -
      Calling Station Identifier:            205.172.99.12

NAS:
      NAS IPv4 Address:            192.168.73.1
      NAS IPv6 Address:            -
      NAS Identifier:            VS1
      NAS Port-Type:            Virtual
      NAS Port:                  0

RADIUS Client:
      Client Friendly Name:            VS1
      Client IP Address:            192.168.73.1

Authentication Details:
      Proxy Policy Name:            NAP VPN
      Network Policy Name:            NAP VPN Non NAP-Capable
      Authentication Provider:            Windows
      Authentication Server:            VS1.DomainNameg.local
      Authentication Type:            MS-CHAPv2
      EAP Type:                  -
      Account Session Identifier:      32
      Reason Code:            66
      Reason:                  The user attempted to use an authentication method that is not enabled on the matching network policy.
0
Question by:jlstdy
 
LVL 19

Assisted Solution

by:lamaslany
lamaslany earned 1000 total points
ID: 24094689
Can you confirm that you have checked the network policy to ensure that it supports MS-CHAPv2 authentication?  (It should be under the Authentication Methods section of the Constraints tab.)

0
 

Author Comment

by:jlstdy
ID: 24099776
Under NPS (Local), 8 Policies (below) are listed.
Three of them have a red X instead of a green check, as indicated.
The first two do not have MS-CHAPv2 checked, but do have checked "allow clients to connect without negotiating an authentication method".  All of the others have MS-CHAPv2 checked.


General Connection Authorization Policy

-- TSG Marker Policy {985F7B54-FCE8-4f55-AEBF-DF8827A44068} --  (has red X)

NAP VPN Compliant

NAP VPN Noncompliant

NAP VPN Non NAP-Capable

Virtual Private Network (VPN) Access Policy

Connections to Microsoft Routing and Remote Access server  (has red X)

Connections to other access servers (has red X)
0
 

Accepted Solution

by:
jlstdy earned 0 total points
ID: 24163604
Since I did not get any replies in the past week, I just tried again to fix this VPN access problem and stumbled on a fix.  In NPS > Policies > Connection Request Policies > NAP VPN > Properties > Settings, I checked the box for MS-Chap-v2 and I can now connect.  Thanks to lamaslany for giving me somewhat of a clue.
0
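An added example, not part of the original thread: a small Python parser for the NPS denial event text pasted in the question, which for reason code 66 names both policies recorded in the event. The event logs the connection request policy as "Proxy Policy Name", which is where the accepted fix was made. The sample text is constructed from the fields quoted in the question, and the function names are hypothetical.

```python
import re

# Constructed sample: the relevant fields of the NPS denial event quoted in the question.
SAMPLE_EVENT = """\
User:
      Account Name:            jim
      Fully Qualified Account Name:      DomainName\\jim

Authentication Details:
      Proxy Policy Name:            NAP VPN
      Network Policy Name:            NAP VPN Non NAP-Capable
      Authentication Type:            MS-CHAPv2
      EAP Type:                  -
      Reason Code:            66
      Reason:                  The user attempted to use an authentication method that is not enabled on the matching network policy.
"""

FIELD = re.compile(r"^\s+([^:]+):\s+(.*\S)\s*$")   # indented "Name:   value"
SECTION = re.compile(r"^(\S[^:]*):\s*$")           # unindented "Section:"

def parse_nps_event(text):
    """Return {section: {field: value}} for an NPS event message body."""
    event, section = {}, None
    for line in text.splitlines():
        m = SECTION.match(line)
        if m:
            section = event.setdefault(m.group(1), {})
            continue
        m = FIELD.match(line)
        if m and section is not None:
            value = m.group(2)
            # NPS prints "-" for fields it has no value for.
            section[m.group(1).strip()] = None if value == "-" else value
    return event

def triage(event):
    """For reason code 66, list each policy that must allow the attempted method."""
    auth = event.get("Authentication Details", {})
    if auth.get("Reason Code") != "66":
        return []
    method = auth.get("EAP Type") or auth.get("Authentication Type")
    checks = [("Connection Request Policy", auth.get("Proxy Policy Name")),
              ("Network Policy", auth.get("Network Policy Name"))]
    return [f"{kind} '{name}': confirm {method} is enabled"
            for kind, name in checks if name]

if __name__ == "__main__":
    for item in triage(parse_nps_event(SAMPLE_EVENT)):
        print(item)
```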


Question has a verified solution.
