Solved

VPN - Allow/Deny or Control access Policy issue

Posted on 2011-03-04
Last Modified: 2013-12-05
I've installed and configured a master Win 2003, SP2, DNS, DHCP & connected via a switch 'LOCALLY' for the time being and no VLANs are being used so it is acting as a HUB.

When I configured IAS & RADIUS I selected the tick box option on a 'USER' account for 'control policy'.

What is the difference between:

- Allow
- Deny
- Control policy option

??
Question by:mikey250
5 Comments
 

Accepted Solution

by:
jesaja earned 2000 total points
ID: 35047164
In the Dial-in settings of the user's properties:

Allow will enable the user to dial in for remote access, if a RAS VPN Server is set up.

Deny will disable dial-in ability for that user.

If the option is set to Control access through NPS, dial-in permission will be controlled by RAS Policy.

Assisted Solution

by:jesaja
jesaja earned 2000 total points
ID: 35047245
Just to get more specific:
RAS policies will get processed in either.
If the option is set to disable, the connection will be interrupted immediately.
If the option is set to enable, the RAS Policy option for access will be ignored, but if the policy's conditions meet the conditions value, the policy will be applied and no other policy will be processed further.

 
 

Author Comment

by:mikey250
ID: 35047287
So if I selected 'Allow' and NOT 'Control access policy', does it mean less security - Yes or No?

Does selecting 'Control access policy' mean more secure?

Or are you saying the 'Disable & Allow' are only for Dial-up?

What does RAS stand for?

Just trying to understand your explanation.

Expert Comment

by:jesaja
ID: 35349553
The Dial-in settings will control the Remote Access Permissions for the user. The same option can be set in the Remote Access Policies of the Internet Authentication (IAS) Service (as depicted).



If the user's Dial-in Remote Access Permission is set to Allow or Deny access, the user remote access permission overrides the policy remote access permission (as depicted), and only if the Remote Access Policy is applied to the user. There can only be one Remote Access Policy applied to a user, and that is controlled through the Conditions in the Policy. That means no further policy will be processed.

When remote access permission on a user account is set to the Control access through Remote Access Policy option, the policy remote access permission determines whether the user is granted access.


So the best approach is to create a Dial-In Security Group, add the user accounts to this group, set those users to Control access through Remote Access Policy, and set all other users to Deny.
Create a Remote Access Policy and add a condition to this policy that checks if the user is in this group (Windows Groups),
and set the option
 - If a connection request matches the specified conditions, to Grant remote access permission

That will give greater control and transparency in determining user dial-in access, thus only members of the security group will have access.


What does RAS stand for?
- Routing and Remote Access Server
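
The evaluation order described in this answer, modelled as an added example (not part of the original post, and not IAS code). Policy names, group names and users are constructed, and a policy's conditions are reduced to a single Windows Groups check.

```python
from dataclasses import dataclass

ALLOW, DENY, CONTROL = "Allow", "Deny", "Control access through Remote Access Policy"

@dataclass
class Policy:
    name: str
    required_group: str  # the policy's "Windows Groups" condition
    grants: bool         # True = grant, False = deny remote access permission

@dataclass
class User:
    name: str
    dial_in: str         # ALLOW, DENY or CONTROL on the account's Dial-in tab
    groups: frozenset

def authorize(user, policies):
    """Return (granted, reason) for one connection attempt."""
    # Policies are checked in order; only the first whose conditions match is used.
    matched = next((p for p in policies if p.required_group in user.groups), None)
    if matched is None:
        return False, "no policy matched"
    if user.dial_in == DENY:
        return False, "account set to Deny"
    if user.dial_in == ALLOW:
        # The account setting overrides the matched policy's grant/deny permission.
        return True, f"account set to Allow, overrides '{matched.name}'"
    # CONTROL: the matched policy's permission decides.
    return matched.grants, f"decided by policy '{matched.name}'"

# Constructed sample: the group-based layout recommended above, plus a catch-all deny.
POLICIES = [
    Policy("VPN users", "Dial-In Users", grants=True),
    Policy("Everyone else", "Domain Users", grants=False),
]
USERS = {
    "alice": User("alice", CONTROL, frozenset({"Domain Users", "Dial-In Users"})),
    "bob": User("bob", CONTROL, frozenset({"Domain Users"})),
    # Explicit Allow on an account outside the dial-in group still gets in.
    "carol": User("carol", ALLOW, frozenset({"Domain Users"})),
    "dave": User("dave", DENY, frozenset({"Domain Users", "Dial-In Users"})),
}

if __name__ == "__main__":
    for u in USERS.values():
        print(u.name, authorize(u, POLICIES))
```

In this model carol is granted access although the only policy she matches denies it, which is why the answer moves everyone who is not set to Deny onto the policy-controlled option.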




Author Comment

by:mikey250
ID: 35350005
Thanks for the clarity.