mikey250

asked on

VPN - Allow/Deny or Control access Policy issue

I've installed and configured a master Win 2003, SP2, DNS, DHCP & connected via a switch 'LOCALLY' for the time being and no VLANs are being used so it is acting as a HUB.

When I configured IAS & RADIUS I selected the tick box option on a 'USER' account for 'control policy'.

What is the difference between:

- Allow
- Deny
- Control policy option

??
ASKER CERTIFIED SOLUTION
jesaja
mikey250

ASKER

So if I selected 'Allow' and NOT 'Control access policy', does it mean less security - Yes or No?

Does selecting 'Control access policy' mean more secure?

Or are you saying the 'Disable & Allow' are only for Dial-up?

What does RAS stand for?

Just trying to understand your explanation.

The Dial-in settings will control the Remote Access Permissions for the user. The same option can be set in the Remote Access Policies of the Internet Authentication Service (IAS) (as depicted).

If the user's Dial-in Remote Access Permission is set to Allow or Deny access, the user remote access permission overrides the policy remote access permission (as depicted), and only if the Remote Access Policy is applied to the user. There can only be one Remote Access Policy applied to a user that is controlled through the Conditions in the Policy. That means no further policy will be processed.

When remote access permission on a user account is set to the Control access through Remote Access Policy option, the policy remote access permission determines whether the user is granted access.

So the best approach is to create a Dial-In Security Group, add the user accounts to this group, set those users to Control access through Remote Access Policy, and set all other users to Deny.
Create a Remote Access Policy and add a condition to this Policy that checks if the user is in this group (Windows Groups)
and set the option
 - If a connection request matches the specified conditions to Grant remote access permissions

That will give greater control and transparency to determine user dial-in access; thus only members of the security group will have access.


What does RAS stand for?
- Routing and Remote Access Server



Thanks for the clarity.
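
The evaluation order described in the answer above, as a simplified model. This is an added example, not code from the thread or from Microsoft; the class names, group names, policies and accounts are all hypothetical and constructed for illustration. It also flags accounts whose explicit Allow lets them in past a policy that would deny them.

```python
from dataclasses import dataclass

ALLOW, DENY, POLICY = "allow", "deny", "control-through-policy"

@dataclass
class User:
    name: str
    groups: frozenset
    dial_in: str = POLICY      # Dial-in tab setting on the user account

@dataclass
class Policy:
    name: str
    required_group: str        # Windows-Groups condition
    grant: bool                # policy's grant / deny permission

def first_match(user, policies):
    # Policies are tried in order; only the first matching one is applied.
    return next((p for p in policies if p.required_group in user.groups), None)

def evaluate(user, policies):
    """Return (granted, reason) for one connection request."""
    match = first_match(user, policies)
    if match is None:
        return False, "no policy matched"           # IAS rejects unmatched requests
    if user.dial_in == DENY:
        return False, "account set to Deny"
    if user.dial_in == ALLOW:
        return True, f"account Allow overrides policy '{match.name}'"
    return match.grant, f"policy '{match.name}' decides"

def accounts_bypassing_policy(users, policies):
    """Names of accounts that get in only because Allow overrides a deny policy."""
    return [u.name for u in users
            if u.dial_in == ALLOW
            and (m := first_match(u, policies)) is not None and not m.grant]

# Constructed sample: the group-based setup recommended above, plus a catch-all deny.
POLICIES = [Policy("VPN group", "VPN-Users", True),
            Policy("Everyone else", "Domain Users", False)]
USERS = [User("alice", frozenset({"Domain Users", "VPN-Users"})),
         User("bob", frozenset({"Domain Users"})),
         User("carol", frozenset({"Domain Users"}), ALLOW),
         User("dave", frozenset({"Domain Users", "VPN-Users"}), DENY)]

if __name__ == "__main__":
    for u in USERS:
        print(u.name, *evaluate(u, POLICIES))
    print("review:", accounts_bypassing_policy(USERS, POLICIES))
```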