Solved

RADIUS required for RAS?

Posted on 2010-09-05
Last Modified: 2012-05-10
EE,

Just wondering if RADIUS is required to use RAS. If not, does it help simplify the authentication process if you are having authentication issues?

Please explain
Question by:snyderkv
12 Comments
 
LVL 39

Accepted Solution

by:
Krzysztof Pytko earned 500 total points
ID: 33609141
Nope, RADIUS is not required for RRAS. Could you please tell me what your need for RRAS is? I would consider the best option for you. Thank you in advance.
0
 

Author Comment

by:snyderkv
ID: 33609317
Cool, thanks. Basically, we have a machine from another non-trusted domain data dialing into our domain via a modem (terminal) so they can use a program on our side.

We get authentication errors 20073 and 20187. I found various articles on the fix, like NTLMv2 settings, etc. I added the NTLMv2 compatibility reg key for MSChapv2. I have yet to try them all but we are currently working on it. Don't know why it's not authenticating even though they are using the correct username and password.

Would RADIUS help if it meant authenticating not to a DC but to the RADIUS server instead?
0
 

Author Comment

by:snyderkv
ID: 33609334
http://arstechnica.com/civis/viewtopic.php?f=17&t=261473
http://technet.microsoft.com/en-us/library/cc733649(WS.10).aspx
http://www.chicagotech.net/casestudy/Evenid20049.htm
http://support.microsoft.com/kb/823659

These are some of the things I have checked out and tried. They are the Google results from my authentication errors in Event Viewer. Hopefully that's not too off subject; however, it may be good for someone who has been experiencing the same issue.
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33609372
Is it possible to show me how you configured the RRAS policy for them?
Thank you in advance.
I don't think RADIUS would solve the authentication problem in this case. But we will see :)
0
 

Author Comment

by:snyderkv
ID: 33609425
I will try and get a netsh config dump and post what I can

Thanks again
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33609442
Great, thanks :)
0
 

Author Comment

by:snyderkv
ID: 33609515
This is all done in a test environment BTW before being deployed for real. These settings do not reflect current setup once proof of concept is completed.

# -----------------------------------------
# Remote Access Configuration
# -----------------------------------------
pushd ras

set authmode mode = bypass
delete authtype type = PAP
delete authtype type = SPAP
delete authtype type = MD5CHAP
delete authtype type = MSCHAP
delete authtype type = MSCHAPv2
delete authtype type = EAP
add authtype type = MSCHAPv2
delete link type = SWC
delete link type = LCP
add link type = SWC
add link type = LCP
delete multilink type = MULTI
delete multilink type = BACP
add multilink type = MULTI
add multilink type = BACP

set user name = SUPPORT_ dialin = policy cbpolicy = none
set user name = USERTEST1 dialin = policy cbpolicy = none
set user name = USERTEST2 dialin = policy cbpolicy = none
set user name = USERTEST3 dialin = policy cbpolicy = none


popd

# End of Remote Access configuration.




# -----------------------------------------
# Remote Access AppleTalk Configuration
# -----------------------------------------
pushd ras appletalk

set negotiation mode = allow

popd

# End of Remote Access AppleTalk Configuration.



# -----------------------------------------
# Remote Access Diagnostics Configuration
# -----------------------------------------
pushd ras diagnostics

set rastracing component = * state = disabled
set rastracing component = "WZCTrace" state = enabled
set rastracing component = "WZCDLG" state = enabled
set rastracing component = "Wlpolicy" state = enabled
set rastracing component = "wavemsp" state = enabled
set rastracing component = "termmgr" state = enabled
set rastracing component = "tapisrv" state = enabled
set rastracing component = "tapi32" state = enabled
set rastracing component = "tapi3" state = enabled
set rastracing component = "SAINSTALL" state = enabled
set rastracing component = "RTM" state = enabled
set rastracing component = "Router" state = enabled
set rastracing component = "remrras" state = enabled
set rastracing component = "remotesp" state = enabled
set rastracing component = "RASUSER" state = enabled
set rastracing component = "RASTLSUI" state = enabled
set rastracing component = "RASTLS" state = enabled
set rastracing component = "RASTAPI" state = enabled
set rastracing component = "RASSPAP" state = enabled
set rastracing component = "RASPAP" state = enabled
set rastracing component = "RASMAN" state = enabled
set rastracing component = "RASIPHLP" state = enabled
set rastracing component = "RASIPCP" state = enabled
set rastracing component = "RASEAP" state = enabled
set rastracing component = "RASDLG" state = enabled
set rastracing component = "RASCHAP" state = enabled
set rastracing component = "RASCCP" state = enabled
set rastracing component = "RASBACP" state = enabled
set rastracing component = "RASAUTO" state = enabled
set rastracing component = "RASAUTH" state = enabled
set rastracing component = "RASAPI32" state = enabled
set rastracing component = "RADIUS" state = enabled
set rastracing component = "PPP" state = enabled
set rastracing component = "OneExSup" state = enabled
set rastracing component = "NETSHELL" state = enabled
set rastracing component = "NETMAN" state = enabled
set rastracing component = "NDPTSP" state = enabled
set rastracing component = "NAPMMC" state = enabled
set rastracing component = "MprDomain" state = enabled
set rastracing component = "KMDDSP" state = enabled
set rastracing component = "IPRouterManager" state = enabled
set rastracing component = "IPMGM" state = enabled
set rastracing component = "IPBOOTP" state = enabled
set rastracing component = "IGMPv2" state = enabled
set rastracing component = "IASSVCS" state = enabled
set rastracing component = "IASSDO" state = enabled
set rastracing component = "IASSAM" state = enabled
set rastracing component = "IASRECST" state = enabled
set rastracing component = "IASRAD" state = enabled
set rastracing component = "IASNAP" state = enabled
set rastracing component = "IASHLPR" state = enabled
set rastracing component = "IASACCT" state = enabled
set rastracing component = "h323msp" state = enabled
set rastracing component = "FWCFG" state = enabled
set rastracing component = "EAPOL" state = enabled
set rastracing component = "conftsp" state = enabled
set rastracing component = "confmsp" state = enabled
set rastracing component = "BAP" state = enabled

set modemtracing state = enabled

set cmtracing state = disabled

set securityeventlogs state = enabled


popd

# End of Remote Access Diagnostics Configuration.




# -----------------------------------------
# Remote Access IP Configuration
# -----------------------------------------
pushd ras ip

delete pool

set negotiation mode = allow
set access mode = all
set addrreq mode = allow
set broadcastnameresolution mode = enabled
set addrassign method = auto

popd

# End of Remote Access IP configuration.



# -----------------------------------------
# Remote Access IPX Configuration
# -----------------------------------------
pushd ras ipx

set negotiation mode = deny
set access mode = all
set nodereq mode = allow
set netassign method = autosame

popd

# End of Remote Access IPX configuration.




# -----------------------------------------
# Remote Access NBF Configuration
# -----------------------------------------
pushd ras netbeui

set negotiation mode = allow
set access mode = all

popd

# End of Remote Access NBF configuration.




# -----------------------------------------
# Remote Access AAAA Configuration
# -----------------------------------------
pushd ras aaaa

set authentication provider = windows
set accounting provider = windows

delete authserver name = *
delete acctserver name = *



popd

# End of Remote Access AAAA configuration.



netsh ras>
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33609624
OK, I will analyze it and let you know. Give me some time :) Thanks
0
 

Author Comment

by:snyderkv
ID: 33609996
Holly snyckies it worked with those configuration settings above. I think it was the NTLMv2 reg key I added? That, and I checked Bypass as you can see in the config (bypass allows users not to authenticate). I'm unchecking it (setting it to standard in netsh) to test it with authentication.
0
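Added example, not part of the original thread: a Python check that replays the `add`/`delete` lines of a `netsh ras` dump like the one posted above and flags `authmode = bypass` along with any weak authentication types left enabled. The function name `audit_ras_dump` and the `WEAK_AUTHTYPES` policy set are assumptions of this example, and the sample input is constructed from the posted dump.

```python
import re

# Constructed sample: the authentication-related lines of the dump posted above.
SAMPLE_DUMP = """\
pushd ras
set authmode mode = bypass
delete authtype type = PAP
delete authtype type = SPAP
delete authtype type = MD5CHAP
delete authtype type = MSCHAP
delete authtype type = MSCHAPv2
delete authtype type = EAP
add authtype type = MSCHAPv2
popd
pushd ras aaaa
set authentication provider = windows
popd
"""

# Assumption of this example: methods the audit treats as too weak to leave enabled.
WEAK_AUTHTYPES = {"PAP", "SPAP", "MD5CHAP", "MSCHAP"}
LINE_RE = re.compile(r"^(set|add|delete)\s+(\w+)\s+\w+\s*=\s*(\S+)$", re.I)

def audit_ras_dump(text):
    """Replay a dump; return (authmode, enabled authtypes, findings)."""
    context, authmode, enabled = [], None, set()
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith("pushd "):
            context.append(line[6:].strip().lower())
        elif line.lower() == "popd" and context:
            context.pop()
        match = LINE_RE.match(line)
        # authmode/authtype only live in the top-level "ras" context
        if not match or context[-1:] != ["ras"]:
            continue
        verb, obj, value = (g.lower() for g in match.groups())
        if (verb, obj) == ("set", "authmode"):
            authmode = value
        elif obj == "authtype" and verb in ("add", "delete"):
            (enabled.add if verb == "add" else enabled.discard)(value.upper())
    findings = []
    if authmode == "bypass":
        findings.append("authmode=bypass: callers are never required to authenticate")
    findings += [f"authtype {t} is enabled" for t in sorted(enabled & WEAK_AUTHTYPES)]
    return authmode, enabled, findings

if __name__ == "__main__":
    print(audit_ras_dump(SAMPLE_DUMP))
```

Running it over a dump taken after switching the mode back to standard should return an empty findings list, which confirms that a successful logon was actually authenticated.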
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33610015
That's great. So, you solved it yourself :)
0
 

Author Comment

by:snyderkv
ID: 33610320
Yup the logs show MSCHAPv2 authenticated and logon succeeded :)

Thanks for letting me know we didn't need RADIUS. Saved us a bunch of time.

0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33610439
Thank you also :)
0
